In the first half of 2024, the digital security landscape was drastically affected by several ransomware that hit companies and users around the world. According to the report developed by Verizon , cyber attacks that exploit user vulnerabilities increased by 180% in 2023, as is the case with ransomware. These attacks are mainly carried out by highly organized groups, responsible for more than half of digital distortion .
A recent report highlighted six main groups that have dominated the cyber threat landscape, with LockBit 3.0 remaining the biggest threat. Although a police operation interfered with this group's activities, they remain the most active in the ransomware .
According to the bulletin published by ISH Tecnologia ransomware groups , including LockBit and AlphV (or Black Cat ), have become targets of police operations around the world. However, the space left by groups dismembered by operations ends up being occupied by new groups, which adopt new and more sophisticated tactics.
The prevalence of these ransomware raises fundamental questions about the readiness of companies to address these risks. Thus, many organizations underestimate the threat posed by ransomware , resulting in security flaws that are exploited by cybercriminals .
Top ransomware groups in 2024
As we said above, LockBit ransomware groups in 2024. The group registered 325 victims in the first half of this year alone, relying on resilience and ability to adapt in the face of changes in the cybersecurity landscape. The decentralized structure of this group, combined with its innovative attack tactics, makes LockBit a significant threat.
ISH Tecnologia ransomware groups :
- Quilong Group : Possible Asian origin, but operates significantly in Brazil. It recently became notorious for the leak of intimate and personal photos from companies in the beauty and health sector , causing a huge impact on the lives of these users. The attack was carried out in April 2024, where the group published details of the malicious activity on its Dark Web . They claimed to have sensitive images belonging to companies that were unable to pay the ransom amount within the stipulated deadline and that attempts to contact the victims were ignored.
- Arcus Mídia Group : Like Quilong, it has prioritized operations in Brazil. double extortion tactics , blocking access to data and threatening information leaks. The biggest focus of these cybercriminals are retail, education and technology companies, causing considerable impacts.
These specialized groups use more sophisticated hacking and extortion techniques, encrypting victims' confidential data and demanding payment in cryptocurrencies to return access. Thus, the impact of these actions goes beyond financial losses, also causing an impact on the reputation and operations of companies. As these groups continue to innovate and evolve their tactics, the challenges of combating these threats become even more complex.
Competition between these groups creates an environment of immense pressure on companies to improve their cyber defenses. Thus, the most vulnerable organizations are those that neglect basic security practices such as updating software , multi-factor authentication and implementing strong passwords .
What is Ransomware as a Service (RaaS)?
One of the significant factors behind the increase in ransomware in Brazil is the advent and accessibility of Ransomware as a Service (RaaS) . This tool operates as a franchise, allowing a central syndicate to develop ransomware and rent them to the group's affiliates. This system has brought democratization to high-risk digital extortion, allowing new cybercriminals from everywhere and with minimal investment to launch very devastating cyberattacks.
This collaborative approach increases the frequency of ransomware attacks, expanding their reach and effectiveness, claiming victims of all types, including large companies. In other words, affiliates of the group encrypt the victim's data, demand a ransom payment for the return of the data, sharing the profits with the provider.
The role of artificial intelligence in defending against ransomware
Artificial intelligence ( AI) helps combat ransomware by proactively detecting malicious behavior, analyzing large volumes of data to identify suspicious patterns, such as rapid file encryptions . Additionally, AI can automate incident responses , isolate compromised devices, and restore files from secure backups. Using machine learning, AI recognizes new types of malware, analyzes logs to detect threats, and can even predict future attacks based on trends. When integrated into security systems, AI becomes an effective tool to prevent, mitigate and quickly respond to ransomware attacks.
The application of AI to post-attack incident analysis is another of its benefits. Tools of this type can trace the origin of the attack and map the points of vulnerability exploited, allowing the company to adjust its defenses and prevent future incidents. With its ability to continuously learn, AI can adapt to new threats more dynamically, making it a fundamental part of a robust cybersecurity .
Ransomware attack against Costa Rica
While there is no specific victim for a ransomware , the headline-grabbing incidents have demonstrated how large organizations have suffered significant losses. An example of this was a cyber attack carried out by the Conti group against Costa Rica , causing significant delays in the country's public administration and financial operations.
A national emergency was declared and the government refused to pay the ransom, which was initially 10 million dollars , later raised to 20 million . Costa Rica lost 30 million a day due to this cyber attack.
Given this, we can understand how this type of attack can be harmful, even for the most prepared organizations. Therefore, the need for more robust protection tools becomes a priority.
LockBit 3.0: The most active group
As of 2024, LockBit 3.0 has been the most active group in ransomware , outperforming its competition with the impressive number of successful attacks. Ransomware as a Service (RaaS) model , in which affiliates have access to the group's infrastructure to conduct their own attacks. In other words, this structure allows the group to expand daily and operate in a decentralized manner, making it difficult for authorities to track and contain. According to US security officials, Lockbit has reached more than 1,700 companies in almost every market sector.
Among the most publicized attacks that were claimed by the group, we can mention:
- India's National Aerospace Laboratories (NAL) leak , with the publication of eight allegedly stolen documents, including confidential letters, a collaborator's passport and other documents.
The main tactic used by the group is double extortion . In addition to encrypting victims' data, the group also threatens the leakage of confidential information if the ransom is not paid. This strategy has proven effective for the group, causing many companies to give in to its demands to avoid the exposure of sensitive data.
Even after the police action that focused on weakening the group , LockBit demonstrated an impressive ability to recover. This raises significant concerns about the effectiveness of legal interventions in disrupting these operations. The group continues to constantly evolve, implementing new tools and strategies to stay ahead of corporate defenses.
LockBit 3.0 operations after police intervention
LockBit 's activities , the group demonstrated a great capacity for recovery. There was a slowdown in its activities after the intervention, but the group was able to quickly return to operating at full strength. Its agile adaptation to cybersecurity breaches and its new tracking evasion techniques have allowed LockBit 3.0 to maintain its operations without loss.
Furthermore, the decentralization of its activities contributed considerably to its survival in the market. Affiliates in various parts of the world continued to launch attacks under the LockBit , keeping the group's name active and relevant.
Thus, this operating model not only eliminates risk, but also allows cybercriminals to align themselves without depending on a centralized leadership structure. The group's survival, even after police action, demonstrates the difficulty in combating ransomware like this. Its global nature and decentralization complicate the power of authorities to respond and require more effective and complete international collaboration. Furthermore, it demonstrates how implementing cybersecurity is critical to proactively detect and mitigate these threats.
Other relevant groups in the ransomware scenario
While LockBit is the most notorious group, other ransomware have played significant roles in the 2024 scenario. AlphV (or Black Cat ), for example, is notoriously recognized for its attacks targeting large corporations as well as its use of advanced techniques of data exfiltration .
Clop group , in turn, is very prominent in exploiting vulnerabilities in widely used software, such as MOVEit Transfer , resulting in major data leaks.
Another group that has gained notoriety for successful attacks is Royal . In other words, this group's focus is on highly relevant targets and generally requires the payment of substantial ransoms. Its attacks include sophisticated tactics against critical infrastructure systems, drawing the attention of authorities and cybersecurity .
Vice Society group focuses its attacks on the education sector, causing significant disruptions to the operations of educational institutions. Along with Play , these groups pose a constant threat to companies of all sizes. Therefore, thanks to the diversification of attack methods and the specialization of the cybercriminals ransomware scenario is very dynamic and unpredictable, making it essential for companies to adopt more efficient tools and remain vigilant.
Complete list of the most active groups
In the year 2023, the Secretariat of Information Security and Cybernetics of the Institutional Security Office of the Presidency of the Republic carried out research and quantitative analysis of cyber threats , ransomware groups :
LockBit 3.0
Ransomware as a Service (RaaS) model , LockBit provides ransomware and attack infrastructure to all of its affiliates, who can execute attacks and share the profits. This group targets several sectors, including energy , manufacturing , government , education and healthcare , posing a very serious threat.
Law enforcement authorities in the United States and the United Kingdom seized websites that the group used to coordinate the attacks and also the servers used in the operations.
Black Basta
Black Basta is a group that began operating in early 2022, supposedly derived from the group of cybercriminals that had already attacked several names and countries, and was known for the financial impact it caused. This means that the members of Black Basta have a lot of ability and experience from the beginning, which made their debut not subtle.
The group quickly established a formidable reputation in cybercrime using double extortion . Last year, the group was responsible for extorting at least $107 million worth of Bitcoin . Some of the group's main attacks:
- American Dental Association (ADA) : In April 2022, the ADA suffered an attack by the Black Basta group, which encrypted its systems and stole sensitive data, disrupting its operations and leaking information online.
- Deutsche Windtechnik : Also in April 2022, Deutsche Windtechnik was attacked by the same group, forcing the company to disable its remote control systems, affecting the monitoring of its wind turbines.
- Sobeys (Empire Company) : In November 2022, supermarket chain Sobeys was severely affected by a Black Basta attack, disrupting operations at several stores and disrupting its supply chain.
Black Cat
The group Black Cat , also known as Noberus or AlphV , emerged in 2021 and is likely made up of former members of Darkside , which attacked Colonial Pipeline . The ransomware used by the group targets Linux and Windows triple extortion strategy , including ransom for file decryption, promise of non-leakage and prevention of distributed denial of service attacks.
According to FBI , the group claimed more than a thousand victims around the world, operating under the Ransomware as a Service (RaaS) . One of its most notable attacks was against Oiltanking GmbH 1.6 terabytes were captured . This data was commercialized by the group, which demonstrated its double extortion . Thus, the group gained notoriety through robust attacks, such as:
- Swissport (2022): Swissport suffered an attack by the BlackCat group, disrupting flight dispatch services and causing delays at airports.
- Moncler (2021): Moncler was attacked by BlackCat, which encrypted data and threatened to release it. After the company refused to pay the ransom, they published part of the information on the dark web.
- Western Digital (2023): Western Digital fell victim to BlackCat in 2023, which claimed to have stolen confidential data and demanded a ransom to prevent disclosure.
After the company refused to pay the ransom, they published part of the information on the dark web.
Clop
The Clop group is known for its sophisticated extortion schemes. cybercrime market , deploying ransomware that encrypt data and add the .clop to files.
This group focuses on financial institutions , critical infrastructure providers , large enterprises, healthcare , and even educational institutions . Recently, the group allegedly stole data from several organizations around the world, including government entities. Victims of the attack included the New York City public school and even British Airways and the BBC .
The main incidents related to the group are:
Incident at the University of Miami (2020) : The hacker group Clop broke into the University of Miami, compromising the personal information of students and employees. They demanded payment in cryptocurrencies, threatening to make the data public if the ransom was not carried out.
Attack on Hyundai (2021): Clop attacked one of Hyundai's subsidiaries, resulting in an information leak that affected both customers and employees.
US government agencies (2023): Clop broke into several US government agencies, using the vulnerability to infect computers with malware, steal data and then demand a reward.
REvil
The REvil Ransomware as a Service (RaaS) model , causing affiliates to use this ransomware to attack individuals and companies. Thus, the group gained popularity for attacks on high-profile victims such as Apple . They also run a marketplace on the Dark Web , where they threaten to leak stolen data when ransoms are not paid. His most significant attacks were:
Attack on JBS Foods (2021): REvil attacked JBS, resulting in the shutdown of several factories. The company paid a ransom of approximately 11 million dollars to prevent data disclosure.
Attack on Kaseya (2021): In July 2021, REvil compromised the Kaseya platform, affecting around 1,500 organizations globally demanding a $70 million ransom.
Attack on Acer (2021): The group attacked Acer, demanding a ransom of 50 million dollars by exploiting a vulnerability in its systems.
What do these numbers mean for companies and users?
The rise of ransomware groups and the increase in the number of attacks means that companies and users face increasing risks. In other words, this ransomware model, adopted by groups like LockBit 3.0 , allows people with limited resources and basic skills to launch devastating attacks, increasing the pressure on companies to invest in cybersecurity .
In addition to the financial impact, companies also face the risk of exposing confidential data , which, depending on the industry, can be drastic. The loss of trust from customers and business partners can cause even greater damage than financial losses, as the organization's credibility will be seriously damaged. Research by Security Report revealed that companies lose up to 7% of their market value after a cyber incident. A recent IBM report revealed that financial losses from cyber attacks around the world are expected to reach US$10.5 trillion annually by 2025
Thus, the numbers indicate an urgent need for action . Companies and users must take preventive measures and strengthen their cyber defenses against this growing threat. Furthermore, education and awareness about good security practices are essential to reduce vulnerabilities to these attacks.
Increasing risk to business
Therefore, the risks to businesses arising from ransomware attacks have increased exponentially in 2024. Companies that suffer attacks of this type face significant disruptions to their operations, resulting in direct and indirect financial losses. Additionally, the nature of ransomware attacks, which involve the encryption of critical information , can also completely paralyze an organization until payment is made.
Cybercriminals have been using the double or triple extortion payment for blocking data, but also the threat of disclosure of confidential information or the promise of new attacks if the ransom is not paid.
Furthermore, there is an immense impact on companies’ long-term strategic planning When proactive measures are not taken to protect against ransomware, companies face the risk of losing their market competitiveness as these attacks can compromise new product development, consumer trust and innovation.
Data and financial loss
The loss of valuable information is one of the main consequences of a ransomware attack. For many organizations, data represents a most important asset , and loss can mean not only financial losses, but also the interruption of operations . In 2024, ransomware attacks resulted in millions of dollars in losses , whether due to the interruption of operations or the payment of ransoms.
Therefore, the exposure of sensitive data also generates severe legal implications, especially in regulated sectors such as finance and healthcare. In other words, failing to comply with data protection standards can result in substantial fines and legal action, damaging the company's reputation.
It is important to remember that financial losses are not limited to just ransom payments. There are additional costs, such as hiring security experts , implementing new systems, and communicating with affected customers. Additionally, there may be compensation for those whose information was compromised as a result of the cyber attack.
Damaged reputation
Just like financial losses, one of the less tangible but also devastating consequences is the impact on the company's reputation . In an increasingly digital world, customers' trust in the company's ability to protect information is fundamental to business success. For this reason, any data breach can have a major impact on the organization's credibility .
Additionally, companies that suffer attacks face an immediate loss of trust from customers, investors and partners. In some cases, the loss of important contracts and even the devaluation of the brand , as recovery after a cyber attack is a long and costly process.
Most affected sectors
In 2024, some sectors stood out as prime targets for ransomware attacks. The healthcare sector is one of the most affected, probably due to the amount of sensitive data that is stored and the urgency of its operations. For this reason, hospitals and clinics are often forced to pay the ransom to ensure data is kept confidential and operations continue.
The education sector is another hard-hit area, as schools and universities store an immense amount of information about students and employees, making them attractive targets for cybercriminals . The financial and infrastructure sector is also among the most targeted. Due to the large volume of monetary transactions and highly confidential data, financial services companies are lucrative targets. Critical infrastructures , such as energy and transport, also have high value due to the importance of their services for the functioning of society as a whole.
How to protect yourself against ransomware attacks?
Protecting against ransomware attacks requires a multi-layered approach, involving the adoption of advanced security technologies and the implementation of best data management . Thus, one of the main pillars of the defense strategy against this type of attack is prevention , which can be achieved with efficient cybersecurity practices, such as the use of firewalls , antivirus EDR solutions .
Furthermore, the education and training of its employees is essential. Ransomware attacks are often launched based on human error , such as opening fake emails or downloading malicious files. Therefore, implementing regular training on good digital security practices helps to significantly reduce risk and vulnerabilities within the network and devices.
Regular data backup is a very effective measure. Therefore, keeping backups up to date and stored in a secure environment allows companies to minimize damage caused by an attack, being able to recover quickly without the need to pay a ransom.
Good security practices
Implementing good security practices is essential for preventing ransomware attacks. This starts with maintaining the systems and software used by the company, as vulnerabilities in outdated systems are one of the main entry points for cybercriminals.
Using multifactor authentication is another important practice. Adding a layer of protection beyond the password makes unauthorized access to systems difficult, even if credentials are compromised. Furthermore, it is necessary to develop passwords with this care, making them strong and avoiding simple or repeated combinations.
Therefore, network segmentation is another strategy that can help minimize damage in the event of an invasion. Dividing the network into different zones allows you to limit cybercriminals' access to more critical systems, isolating problems more efficiently and preventing them from spreading throughout the infrastructure.
Regular backups
As mentioned, maintaining regular backups is an effective strategy for mitigating damage from a ransomware attack. The backup will allow, if a cyber attack occurs, the company to recover its data without the need to pay a ransom.
Therefore, backups need to be performed frequently and automatically to ensure that all critical information is stored. Additionally, these backups must be stored in locations isolated from the main network , ensuring that cybercriminals cannot access them during an attack.
The use of incremental backups , which capture only the changes made, is also highly recommended. In addition to optimizing time, this saves storage space and ensures that the latest data is also protected.
Strong passwords
Using strong passwords is a simple and effective way to protect systems against ransomware attacks. Weak passwords are the first point of entry for cybercriminals, making it necessary for the company to establish a password policy that requires more complex combinations.
Furthermore, it is important that the company implements a periodic password change policy , preferably every quarter. This will reduce the risk of the system not detecting a compromised password for a long period of time.
Software update
Software updates are developed so that these tools remain protected even in the face of new threats. Therefore, keeping software up to date is one of the most important practices for preventing cyber attacks, as cybercriminals often exploit vulnerabilities in outdated software to access systems and networks.
Therefore, all critical applications used by the company must be updated, including operating systems, security tools, browsers, management software, productivity tools and databases. In other words, it is important to implement automatic update policies to ensure that all fixes are applied without delay. Updates must be tested in controlled environments before being applied network-wide to avoid conflicts and compatibility issues.
Security Solutions
Using more comprehensive security solutions is one of the key factors in your ransomware protection strategy. It is crucial that companies implement a combination of different strategies, such as antivirus , firewalls EDR solutions , to ensure that all layers are protected. In this way, the tools work together to detect and block attack attempts before they compromise systems.
EDR solutions are particularly effective in combating this type of cyber threat because they offer detailed insight into network devices and behaviors. This allows early detection of suspicious activity and also isolates compromised devices to prevent the attack from spreading.
Antivirus
Antiviruses of the oldest tools used to protect systems and devices. As an essential defense against ransomware, modern antiviruses are capable of detecting a wide variety of malware by scanning files and processes in real time.
Therefore, it is essential that the software is configured to perform regular automatic checks of the company's system. Furthermore, this ensures that any threat is quickly identified and neutralized before it causes significant damage to the organization.
Enterprise- grade antiviruses offer additional protection, such as behavior-based detection systems and integration with other security tools. Therefore, more robust solutions provide an extra layer of protection against sophisticated threats, helping to keep the company protected.
firewall
Firewalls play an indispensable role in protecting against ransomware attacks, allowing the company to control network traffic and block unauthorized communication attempts. By monitoring incoming and outgoing traffic, firewalls can prevent ransomware from communicating with command servers, stopping the operation before it can cause problems.
The firewall is also very effective in limiting lateral movement within the network, a common technique used by cybercriminals to spread across different devices. Therefore, configuring firewall rules can help isolate critical systems and prevent the spread of an attack.
Just like any other tool, firewalls must be kept updated and configured , complemented by other security solutions, such as intrusion detection and prevention systems.
EDR ( Endpoint Detection and Response )
Therefore, with the increase in the sophistication of cyber threats, technology solutions needed to go through an update process to remain efficient. EDR solutions are one of the best technologies to combat ransomware. Additionally, these solutions provide real-time visibility into everything that is happening on the device and network, allowing companies to detect suspicious activity more quickly. EDR provides a detailed view of the processes and behaviors at each endpoint.
Furthermore, one of the biggest advantages of this tool is its responsiveness . Upon detection of a threat, the system can immediately isolate the compromised device, preventing ransomware from spreading across the network. In addition to mitigating the impact of an attack, this strategy allows for a rapid response before damage becomes irreversible.
The urgent need for proactive action
Now that we understand how damaging the growing number of ransomware attacks in 2024 are, it is imperative that companies take a proactive stance in defending against these threats. Therefore, a reactive approach is ineffective in mitigating ransomware risks; cybersecurity should be viewed as a strategic investment, not an expense.
A reactive approach is ineffective at mitigating ransomware risks; cybersecurity should be viewed as a strategic investment, not an expense.
To prepare adequately, companies need to implement more robust security and continually train their employees. Safety is everyone's responsibility , and a safety culture must be encouraged to reduce the risks of exposure.
Ongoing collaboration between companies, governments and experts is also crucial to combat the growing sophistication of ransomware groups. Only through a collective and coordinated approach is it possible to effectively confront this threat posed by cybercriminal .
The role of international collaboration in combating ransomware
Fighting ransomware requires international collaboration between governments, companies and cybersecurity experts. The transnational nature of attacks of this type, with diverse groups operating from countries where there is little or no cyber regulation, makes it crucial that defense efforts are coordinated at a global level .
In recent years, we have seen an increase in cooperation between law enforcement agencies and governments in different countries to tackle this problem. LockBit 3.0 's operations , weakening the group for a certain period of time. cybercriminal groups are able to restructure quickly, changing jurisdictions or using decentralized infrastructures. These characteristics make combating ransomware extremely difficult and laborious, and only international collaboration can determine a more positive future in combating these cyber threats.