The 2024 Ransomware Threat Landscape

Although we are just a few weeks into the new year, ransomware attacks – and their costly impact on today’s enterprises –  are already making headlines. According to our new report, The 2024 Ransomware Threat Landscape, published today by the Symantec Threat Hunter Team, part of Broadcom, “ransomware continues to be one of the most lucrative forms of cybercrime and, as such, remains a critical threat for organizations of all sizes.” 

The new report analyzes the ransomware threat landscape over the past 12 months, from new operators in the field to attackers’ top tools and tactics, techniques, and procedures (TTPs) and provides actionable intelligence – including real-world attacker case studies – that can help organizations stop attacks early in the attack chain.  

Among the report’s key findings:

• Ransomware attacks spiked in October 2023 and the number of organizations affected by ransomware in October 2023 was 66% more than a year earlier. This was one of the biggest surprises in 2023. We would have expected ransomware to drop slightly during that period after the Qakbot disruption, but the opposite happened.
• The main infection vector for ransomware is no longer botnets – instead, it is the exploitation of known vulnerabilities in public facing applications. 
• Except for the ransomware payload itself, attackers are increasingly eschewing malware while carrying out attacks. Many of the tools attackers use are legitimate software, either dual-use tools or operating system features. 
• Windows operating system components are the most widely used legitimate software (so-called living off the land). PsExec, PowerShell, and WMI are the top three most frequently used tools by attackers. 
• Remote desktop/remote administration software is the most widely used type of legitimate software introduced by attackers onto targeted networks. This includes AnyDesk, Atera, Splashtop, and ConnectWise. 
• The Snakefly group (aka Clop) demonstrated a worrying new template for extortion attacks with its exploitation of the MOVEit Transfer vulnerability. By identifying zero-day vulnerabilities in enterprise software, it can steal data from multiple organizations at once, netting itself a huge pool of victims from a single attack campaign.

Top 2024 Ransomware Trends

Based on these findings and other intelligence, we can expect the following ransomware trends to continue through 2024 and beyond:

• Ransomware is no longer just a North America problem: Increasingly, we are seeing lots of groups who are targeting organizations in other geographies and non-English-speaking countries. 
• Vulnerability exploitation is going to continue: We’re seeing a growing number of attackers who realize the value in jumping on recently patched vulnerabilities. The scanning for unpatched systems starts the day that the software patch is released.  
• Cryptocurrencies are not going away anytime soon: There was a period of time when it looked like cryptocurrencies, a key plank of the ransomware business model, were going to die off a bit, but it now seems to be gaining a renewed legitimacy with the SEC approval of crypto ETFs. As long as cryptocurrencies are around, ransomware is going to be around.
• Encryption-free attacks are on the rise: The trend towards a greater reliance on data theft as leverage for extortion ahead of encrypting computers will continue. Encryption is labor-intensive to perform. We’ve seen some groups experiment (successfully) with encryption-free attacks, where they just go in and steal some data.  

Why Defenders Must Pivot: The Need for Adaptive Protection

One thing we know for certain – ransomware will remain a persistent threat to all organizations, regardless of size. To help mitigate this risk, organizations should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain. In addition, organizations should prioritize deepening their knowledge of current infection vectors used and commonly employed in ransomware attacks. This information will assist in prioritizing and identifying potential areas of weakness and help strengthen a defensive posture.

As a result, defenders increasingly are turning to Symantec Adaptive Protection in their fight against ransomware. To help close the attack routes available using living-of-the-land tools, Symantec Adaptive Protection maps out the different attack methods used by attackers and displays this data in the form of a heatmap for quick reference. Incident responders can leverage this data to understand which living-of-the-land tools are being used in various different attacks such as advanced persistent threats (APTs) and ransomware. Symantec is currently tracking 70 specific behaviors across 54 living-of-the-land tools and is uniquely positioned to quickly react and update this data based off the changing landscape. 

Next month, we will be publishing a paper focusing on how Adaptive Protection strategies increase efficacy and efficiency. Check back with us for more details in the coming weeks. 

Conclusion

What was our team’s number one learning about ransomware in 2023? The ransomware cybercrime ecosystem is highly durable and continues to survive disruption from law enforcement and other efforts. Yet, the good news is that there are steps you can take today to reduce the risk of ransomware. By combining actionable intelligence about ransomware attackers TTPs with Symantec Adaptive Protection, defenders can better understand how their organizations might be compromised – and take the necessary steps to protect against it.