2024 Ransomware Landscape: Our Findings and How We're Protecting You
As we navigate through 2024, ransomware continues to be a significant threat to organizations of all sizes. Our team has been closely monitoring the evolving tactics of the most active ransomware groups, and we want to share our findings with you.
Bottom Line Up Front: Trusted Internet continues to provide best-of-class protection and SOC monitoring against the most active ransomware groups, with an incredible track record we are proud of.
Top Ransomware Groups and Their Tactics
We've identified the top ten most active ransomware groups this year, including LockBit, Play, and RansomHub. These groups are increasingly targeting small and medium-sized businesses, as well as high-profile individuals at their residences, using sophisticated tactics previously reserved for large enterprises.
Key findings from our analysis:
1. Vulnerability Exploitation: We've identified the top 20 specific CVEs (Common Vulnerabilities and Exposures) that these groups are actively targeting. (see Table A below)
2. Living Off the Land: These ransomware actors are increasingly using legitimate tools like remote management software to maintain access and control over compromised systems, presenting a challenge to traditional AV solutions. (see Table B below)
3. Double Extortion: Many of these groups not only encrypt data but also threaten to leak stolen information if ransom demands aren't met.
4. Phishing and Social Engineering: These remain common initial access vectors for ransomware attacks, and victims are still “one click away” or one phone call away from compromise.
How We're Protecting You
We further validated these findings by the alerts we regularly see on the firewalls and endpoints we monitor, and the activity we proactively block. We employ several technologies and processes to address them:
1. Proactive Vulnerability Defense: Our firewalls are loaded with specific detection and blocking rules for 16 of the 17 identified firewall-related CVEs, preventing exploit attempts at the network level before they even have a chance to succeed. We have further notified and requested a signature for one additional network CVE that the vendor has not yet published.
2. Behavioral Analysis: For the three remaining CVEs that would not traverse the firewall, we detect and block the tactics these groups use on hosts and local networks, stopping attacks before any ransomware payload is detonated. This relies on endpoint telemetry, anomaly detection, correlation and AI rather than only static signatures, which simply cannot keep up with the threat landscape. This is also how we primarily detect the “Living off the Land” tools these actors collectively use. (see Table B below)
3. Continuous Monitoring: Our 24/7 Security Operations Center (SOC) is always on guard, creating custom signatures for active campaigns and adapting to new threats in real-time, catching and isolating threats before they manifest, including threats that might evade our other protections.
4. Continuous Updates: We're constantly updating our threat intelligence and adjusting our firewall policies and configurations to stay ahead of the bad guys.
Real-World Impact
These measures have proven effective. In the past four years, our team has:
· Detected and quarantined 16 targeted ransomware files, with a 100% prevention rate.
· Blocked approximately 150 targeted ransomware network intrusions.
· Never had a customer impacted by ransomware under our watch.
Staying Vigilant
While we're proud of these results, we know the threat landscape is constantly evolving. That's why we remain committed to:
· Ongoing analysis of emerging threats
· Regular updates to our protection measures
· Providing timely, actionable information to our clients
· Constantly improving our SOC effectiveness through ongoing training, certifications, and technology optimization
We're here to help you understand these threats and how they might affect you. If you have any questions about ransomware or our protection measures, please don't hesitate to contact your designated Virtual CISO™.
For immediate assistance, contact us at:
staysafeonline@trustedinternet.io or call 800-853-6431
Table A:
Vendor,CVE,Product
Apache,CVE-2023-46747,Struts
Cisco,CVE-2024-26169,IOS XE
Cisco,CVE-2023-20269,IOS XE
Citrix,CVE-2023-4966,ADC and Gateway
Citrix,CVE-2023-32315,ADC and Gateway
ConnectWise,CVE-2023-48788,ScreenConnect
ConnectWise,CVE-2024-1709,ScreenConnect
ConnectWise,CVE-2024-1708,ScreenConnect
IBM,CVE-2024-22333,"Maximo Application Suite, Maximo Asset Management"
Ivanti,CVE-2024-4577,"Connect Secure and Policy Secure"
Microsoft,CVE-2022-41082,Exchange Server
Microsoft,CVE-2022-41040,Exchange Server
Microsoft,CVE-2022-30190,Windows Support Diagnostic Tool (MSDT)
Microsoft,CVE-2020-1472,Windows Server
Microsoft,CVE-2021-34523,Exchange Server
Microsoft,CVE-2021-34473,Exchange Server
Microsoft,CVE-2023-0199,Office
Progress Software,CVE-2023-35081,MOVEit Transfer
Progress Software,CVE-2023-35078,MOVEit Transfer
Progress Software,CVE-2023-34362,MOVEit Transfer
Table B:
AngryIPScanner: A free IP address scanner that can be used to scan for IPs in a given range.
AnyDesk: A remote desktop application that allows users to connect to their devices remotely.
PowerShell: A task automation framework from Microsoft consisting of a command-line shell and scripting language.
PsExec: A Sysinternals tool that allows execution of processes on remote systems.
RDP: Remote Desktop Protocol, a protocol that provides a graphical interface for connecting to another computer.
TeamViewer: A remote access and remote control computer software for remote maintenance and support.
WMI: Windows Management Instrumentation, a set of specifications for consolidating the management of devices and applications in a network.
nmap: A network scanning tool used to discover hosts and services on a computer network by sending packets and analyzing responses.
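The behavioral analysis point above (item 2 under "How We're Protecting You") and this table both turn on the same defender problem: every tool in Table B is legitimate, so a signature on the file alone produces noise, and the useful signal is several of them appearing together on one host in a short span. The following Python script is an added illustration of that correlation logic and is not Trusted Internet's code. The tool names come from Table B; the executable names mapped to each tool, the behaviour categories, the 30-minute window and the process-creation log lines are assumptions constructed for the example.

```python
"""Correlate 'living off the land' tool use across process-creation events.

Added illustration: tool names are from Table B; executable names,
categories, the window and the sample log lines are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Assumed executable name -> (tool as named in Table B, behaviour category).
LOTL_TOOLS = {
    "ipscan.exe":     ("AngryIPScanner", "discovery"),
    "nmap.exe":       ("nmap",           "discovery"),
    "anydesk.exe":    ("AnyDesk",        "remote_access"),
    "teamviewer.exe": ("TeamViewer",     "remote_access"),
    "mstsc.exe":      ("RDP",            "remote_access"),
    "psexec.exe":     ("PsExec",         "lateral_movement"),
    "psexec64.exe":   ("PsExec",         "lateral_movement"),
    "wmic.exe":       ("WMI",            "lateral_movement"),
    "powershell.exe": ("PowerShell",     "execution"),
}

# Two or more distinct categories on one host inside this window raise an alert.
WINDOW = timedelta(minutes=30)

# Constructed process-creation records: timestamp|host|user|image|parent_image
SAMPLE_LOG = """\
2024-05-14T09:00:05|WS01|alice|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\explorer.exe
2024-05-14T09:01:10|WS01|alice|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Windows\\explorer.exe
2024-05-14T10:00:00|WS03|bob|C:\\Program Files\\TeamViewer\\TeamViewer.exe|C:\\Windows\\explorer.exe
2024-05-14T13:02:11|FS02|svc_backup|C:\\Users\\Public\\ipscan.exe|C:\\Windows\\System32\\cmd.exe
2024-05-14T13:15:42|FS02|svc_backup|C:\\Users\\Public\\PsExec64.exe|C:\\Windows\\System32\\cmd.exe
2024-05-14T13:20:03|FS02|svc_backup|C:\\Users\\Public\\AnyDesk.exe|C:\\Windows\\System32\\cmd.exe
2024-05-14T16:00:00|WS03|bob|C:\\Tools\\nmap\\nmap.exe|C:\\Windows\\explorer.exe
"""


def parse_line(line):
    """Split one pipe-delimited record into an event dict."""
    ts, host, user, image, parent = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "image": image, "parent": parent}


def classify(event):
    """Return (tool, category) when the image is a catalogued tool, else None."""
    name = ntpath.basename(event["image"]).lower()
    return LOTL_TOOLS.get(name)


def correlate(events, window=WINDOW):
    """Flag hosts where two or more tool categories occur within `window`.

    A lone sighting (a help-desk TeamViewer session, an admin PowerShell
    prompt) is ordinary; discovery followed by lateral movement or remote
    access on the same host is the pattern worth a SOC ticket.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit:
            by_host[ev["host"]].append((ev["ts"], hit[0], hit[1], ev["user"]))

    alerts = []
    for host, hits in by_host.items():
        for i, (t0, _, _, _) in enumerate(hits):
            cluster = [h for h in hits[i:] if h[0] - t0 <= window]
            cats = {h[2] for h in cluster}
            if len(cats) >= 2:
                alerts.append({
                    "host": host,
                    "start": t0,
                    "users": sorted({h[3] for h in cluster}),
                    "tools": sorted({h[1] for h in cluster}),
                    "categories": sorted(cats),
                })
                break  # one alert per host is enough for triage
    return alerts


def detect(log_text, window=WINDOW):
    """Parse raw log text and run the correlation over it."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return correlate(events, window)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['host']} {a['start']:%H:%M} {', '.join(a['tools'])} "
              f"-> {', '.join(a['categories'])} (users: {', '.join(a['users'])})")
```

Run as-is, the script reports only FS02, where a scanner, PsExec and AnyDesk appear within eighteen minutes under one service account; WS01 (PowerShell alone) and WS03 (TeamViewer in the morning, nmap six hours later) stay quiet because a single category, or two categories outside the window, is what normal administration looks like. In production the same structure is fed from EDR or Sysmon process-creation events, and the window, category set and threshold are tuned per environment.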