RansomHub Surpasses LockBit as Leading Ransomware Group – Latest Insights

RansomHub has emerged as the leading ransomware operation in terms of successful attacks, according to the latest Symantec report. This growth highlights the evolving landscape of cyber threats.

RansomHub has taken the top position among ransomware operations, with the highest number of claimed successful attacks. The finding comes from Symantec’s threat intelligence report for Q3 2024, titled “Ransomware: Threat Level Remains High in Third Quarter”, which is based on an analysis of various leak sites.

During this quarter, threat actors claimed a total of 1,255 attacks, a slight decrease from 1,325 in Q2. Nonetheless, Symantec cautioned that the overall trend shows an uptick in attacks.

RansomHub, which only became operational in February of this year, clinched the top spot for Q3 with 191 victims listed on leak sites, marking a 155% increase from the previous quarter’s figures.

According to Symantec, “The group’s rapid rise may be explained by its success in recruiting experienced affiliates for its ransomware-as-a-service model, reportedly offering more attractive terms compared to its competitors.”


The rise of RansomHub appears to have come at the expense of LockBit, which previously recorded three times more successful attacks than its nearest competitor, Qilin, in the second quarter. LockBit’s activity plummeted by 88% from Q2 to Q3, resulting in only 188 data leak posts during this period, based on Symantec’s data.

The report elaborated that “LockBit was the focus of an international law enforcement operation in February 2024, which disrupted its activity levels in the first quarter.”

“By the second quarter, it appeared to recover completely, yet the operation may have led to diminished trust among LockBit’s affiliates, especially since authorities indicated they had accumulated information that might identify these affiliates.”

Qilin, by contrast, grew its victim count by 44%, reaching 140 in Q3.

Symantec also highlighted the gap between attacks publicly claimed on leak sites and the ransomware activity that its own threat researchers analyzed. For instance, LockBit represented just 7% of the attacks examined by Symantec in Q3 but 15% of claimed attacks, while RansomHub’s figures were 33% and 15%, respectively.

This discrepancy for RansomHub might be attributed to the fact that not every victim ends up on ransomware leak sites, particularly if they settle their ransom demands promptly.

The Most Popular Ransomware Tools

In its report, Symantec identified the four most common tools and techniques leveraged by ransomware groups in Q3:

  • Living off the land: Utilizing native Windows utilities for lateral movement and executing commands discreetly without triggering alarms.
  • Bring your own vulnerable driver (BYOVD): Attackers deploy a signed but vulnerable driver to gain kernel access, enabling them to terminate security software processes; the driver is typically deployed alongside a malicious executable that issues the commands.
  • Remote desktop/admin: Legitimate tools such as RDP, AnyDesk, Splashtop, and ScreenConnect are misused to establish backdoor access to victims’ systems.
  • Data exfiltration: Prior to encryption (double extortion), data theft has become prevalent in ransomware attacks, with Rclone being the most popular tool for exfiltration. Other remote admin software also possesses capabilities for data theft.
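
The tools in the list above leave traces in process-creation telemetry. As an added example (not from Symantec’s report or the original article), the Python code below tags constructed sample events for three of the four techniques and escalates any host where two or more of them co-occur, since each tool on its own also has legitimate uses. The event tuples, tag names and threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any platform

# Constructed process-creation events (host, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ws-014", r"C:\Windows\System32\sc.exe",
     r"sc.exe create drvsvc type= kernel binPath= C:\Users\Public\drv.sys"),
    ("ws-014", r"C:\Users\Public\rclone.exe",
     r"rclone.exe copy D:\Shares remote:bucket --transfers 16"),
    ("ws-014", r"C:\ProgramData\AnyDesk\AnyDesk.exe", r"C:\ProgramData\AnyDesk\AnyDesk.exe"),
    ("ws-022", r"C:\Windows\System32\notepad.exe", r"notepad.exe notes.txt"),
    ("fs-003", r"C:\Tools\svc.exe", r"svc.exe sync E:\Finance mega:out --config C:\Tools\r.conf"),
]

RMM_NAMES = ("anydesk", "splashtop", "screenconnect")   # remote admin tools named in the list
RCLONE_VERBS = {"copy", "sync", "move"}                 # rclone transfer subcommands
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_-]{2,}:[^\\]*$")  # "remote:path", never a drive letter
KERNEL_SVC = re.compile(r"\bcreate\b.*\btype=\s*kernel\b", re.I)

def classify(image, cmdline):
    """Return the set of technique tags that one process-creation event matches."""
    tags = set()
    name = basename(image).lower()
    args = cmdline.split()
    if any(n in name for n in RMM_NAMES):
        tags.add("remote-admin")
    # Match on argument shape so a renamed rclone binary is still caught.
    if (len(args) > 2 and args[1].lower() in RCLONE_VERBS
            and any(REMOTE_ARG.match(a) for a in args[2:])):
        tags.add("rclone-exfil")
    # sc.exe registering a kernel-mode service is one way a driver gets installed.
    if name == "sc.exe" and KERNEL_SVC.search(cmdline):
        tags.add("kernel-driver-load")
    return tags

def triage(events, threshold=2):
    """Collect tags per host; hosts with >= threshold distinct tags are escalated."""
    per_host = defaultdict(set)
    for host, image, cmdline in events:
        per_host[host] |= classify(image, cmdline)
    hits = {h: t for h, t in per_host.items() if t}
    escalate = sorted(h for h, t in hits.items() if len(t) >= threshold)
    return hits, escalate

if __name__ == "__main__":
    hits, escalate = triage(SAMPLE_EVENTS)
    for host in sorted(hits):
        print(host, sorted(hits[host]), "ESCALATE" if host in escalate else "review")
```

Living-off-the-land activity is left out because native utilities need baselining against normal administrative use rather than name or argument matching.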
