Ransomware: the biggest groups responsible for the attacks of 2024

In the first half of 2024, the digital security landscape was hit hard by a series of ransomware attacks against companies and users worldwide. According to a report by Verizon, cyber attacks that exploit vulnerabilities, such as ransomware, increased by 180% in 2023. These attacks are carried out mainly by highly organized groups, which are responsible for more than half of all digital extortion.

A recent report highlighted six main groups that dominated the cyber threat landscape, and Lockbit 3.0 remains the biggest threat. Although a police operation disrupted the group's activities, it remains the most active ransomware operation.

According to the bulletin published by ISH Tecnologia, ransomware groups including Lockbit and AlphV (also known as BlackCat) have become targets of police operations worldwide. However, the space left by groups dismantled by these operations is being occupied by new groups that adopt new and more sophisticated tactics.

The activity of these ransomware groups raises fundamental questions about companies' readiness to face these risks. Many organizations underestimate the threat posed by ransomware, resulting in security failures that cybercriminals exploit.

The main ransomware groups in 2024

As noted above, Lockbit tops the list of ransomware groups in 2024. The group recorded 325 victims in the first half of this year alone, showing resilience and adaptability to changes in the cyber security landscape. The group's decentralized structure, coupled with its innovative attack tactics, makes Lockbit a significant threat.

The ISH Tecnologia bulletin also highlights the following ransomware groups:

  • Quilong Group: Possibly of Asian origin, but operates mainly in Brazil. It recently became notorious for leaking intimate and personal photos held by companies in the aesthetics and health sector, with a great impact on the lives of the people affected. The attack took place in April 2024, when the group published details of its malicious activity on its Dark Web page. It claimed to hold sensitive images belonging to companies that failed to pay the ransom within the stipulated deadline, and said that its attempts to contact the victims had been ignored.
  • Arcus Media Group: Like Quilong, it has prioritized operations in Brazil. It uses double extortion tactics, blocking access to data and threatening to leak the information. Its main focus is retail, education and technology companies, where it has caused considerable impact.

These groups demand payment in cryptocurrency to restore access. The impact of their actions therefore goes beyond financial losses, also affecting the reputation and operations of companies. As these groups continue to innovate and evolve their tactics, the challenge of combating these threats becomes even more complex.

The competition between these groups creates an environment of immense pressure on companies to improve their cyber defenses. The most vulnerable organizations are those that neglect basic security practices such as software updates, multi-factor authentication and strong passwords.

What is ransomware as a service (RaaS)?

One of the significant factors behind the increase in ransomware in Brazil is the advent and accessibility of ransomware as a service (RaaS). This model operates like a franchise: a core group develops the ransomware and rents it out to affiliates. It has democratized high-risk digital extortion, allowing new cybercriminals from anywhere, with minimal investment, to launch devastating cyber attacks.

This collaborative approach increases the frequency of ransomware attacks, expanding their reach and effectiveness and claiming victims of all kinds, including large companies. Affiliates encrypt the victim's data, demand a ransom payment to return it, and share the profits with the provider.

The role of artificial intelligence in defense against ransomware

Artificial intelligence (AI) helps combat ransomware through proactive detection of malicious behavior, analyzing large volumes of data to identify suspicious patterns such as rapid file encryption. In addition, AI can automate incident response, isolate compromised devices and restore files from secure backups. Using machine learning, AI recognizes new types of malware, analyzes logs to detect threats and may even predict future attack trends. When integrated into security systems, AI becomes an effective tool for preventing, mitigating and responding to ransomware attacks.

The application of AI to post-attack incident analysis is another of its benefits. Tools of this type can trace the origin of the attack and map the exploited vulnerabilities, allowing the company to adjust its defenses and avoid future incidents. With its continuous learning capability, AI can adapt to new threats more dynamically, becoming a fundamental part of a robust cybersecurity posture.
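The "rapid file encryption" pattern mentioned above is what a behavioral detector actually looks for: many files rewritten in a short time, with high-entropy content and a changed extension. The following is an added example, not code from the article or from any vendor product, of that heuristic in Python run over a constructed set of file-write events. The event schema, process ids, paths, the `.locked` and `.enc` extensions and the thresholds are all assumptions made for the illustration; `.clop` is the extension the article itself names. The sample also includes a backup job writing high-entropy archives slowly, to show why rate, entropy and extension have to be combined rather than used alone.

```python
"""Heuristic detector for ransomware-like file activity (added example)."""
import math
import os
from collections import defaultdict
from dataclasses import dataclass
from random import Random
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class FileEvent:
    """One file-write event as a minimal endpoint sensor might report it (constructed schema)."""
    ts: float      # seconds since the start of the observation window
    pid: int       # process that performed the write
    path: str      # path of the file after the write (or rename)
    sample: bytes  # first bytes written, as sampled by the sensor


# Extensions appended to encrypted files. `.clop` is named in the article; the
# others are illustrative placeholders, not a complete or authoritative list.
SUSPICIOUS_EXTENSIONS = {".clop", ".locked", ".enc"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious_write(ev: FileEvent, entropy_threshold: float = 7.0) -> bool:
    """High-entropy content landing in a file with a ransomware-style extension."""
    ext = os.path.splitext(ev.path)[1].lower()
    return ext in SUSPICIOUS_EXTENSIONS and shannon_entropy(ev.sample) >= entropy_threshold


def peak_rate(timestamps: Iterable[float], window: float) -> int:
    """Largest number of timestamps that fall inside any `window`-second span."""
    stamps = sorted(timestamps)
    best = start = 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(events: List[FileEvent], window: float = 10.0, min_files: int = 5,
            entropy_threshold: float = 7.0) -> Dict[int, dict]:
    """Per process: suspicious writes in its busiest window, and a verdict.

    A process is flagged when it performs at least `min_files` suspicious writes
    within `window` seconds. Either signal alone is weak: archivers write
    high-entropy data slowly, and a script may rename many files without
    encrypting anything; the combination is what characterizes mass encryption.
    """
    by_pid = defaultdict(list)
    for ev in events:
        if is_suspicious_write(ev, entropy_threshold):
            by_pid[ev.pid].append(ev.ts)
    # every observed process gets a verdict, even with no suspicious writes
    verdicts = {ev.pid: {"peak": 0, "flagged": False} for ev in events}
    for pid, stamps in by_pid.items():
        peak = peak_rate(stamps, window)
        verdicts[pid] = {"peak": peak, "flagged": peak >= min_files}
    return verdicts


def flagged_pids(events: List[FileEvent], **kwargs) -> List[int]:
    """Process ids the analysis flagged, sorted for stable reporting."""
    return sorted(pid for pid, v in analyze(events, **kwargs).items() if v["flagged"])


# --- constructed sample telemetry -------------------------------------------
_rng = Random(2024)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))  # stand-in for encrypted bytes
PLAINTEXT_LIKE = b"Quarterly revenue summary, draft three. " * 100     # ordinary document text

SAMPLE_EVENTS = (
    # pid 4242: eight spreadsheets rewritten as high-entropy .locked files within 3.5 s
    [FileEvent(0.5 * i, 4242, f"/srv/share/finance/report_{i}.xlsx.locked", CIPHERTEXT_LIKE)
     for i in range(8)]
    # pid 1001: a word processor saving plain text
    + [FileEvent(1.0 * i, 1001, f"/home/ana/notes_{i}.txt", PLAINTEXT_LIKE) for i in range(3)]
    # pid 2002: a backup job writing compressed archives: high entropy, benign extension, slow
    + [FileEvent(60.0 * i, 2002, f"/backup/archive_{i}.zip", CIPHERTEXT_LIKE) for i in range(6)]
)

if __name__ == "__main__":
    for pid, verdict in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, verdict)
```

In a real deployment the verdict would feed the isolation step the text describes (quarantine the host, kill the process) and the thresholds would be tuned against the organization's own baseline of file activity.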

Ransomware attack against Costa Rica

Although ransomware has no specific type of victim, the incidents that made headlines showed how large organizations suffered significant damage. One example was the cyber attack executed by the Conti group against Costa Rica, which caused significant disruption to public administration and financial operations in the country.

A national emergency was declared and the government refused to pay the ransom, which was initially $10 million and was later raised to $20 million. Costa Rica lost 30 million a day because of this cyber attack.

This shows how harmful this type of attack can be, even for well-prepared organizations, and why more robust protective tools must become a priority.

Lockbit 3.0: The most active group

In 2024, Lockbit 3.0 has been the most active ransomware group, surpassing its competitors with an impressive number of successful attacks. Its approach is based mainly on a ransomware-as-a-service (RaaS) model, in which affiliates have access to the group's infrastructure to conduct their own attacks. This structure allows the group to expand daily and operate in a decentralized manner, making it difficult for the authorities to track and contain. According to United States security officials, Lockbit has hit more than 1,700 companies in almost every sector of the market.

Among the most publicized attacks that were claimed by the group, we can mention:

The group's main tactic is double extortion. In addition to encrypting victims' data, the group also threatens to leak confidential information if the ransom is not paid. This strategy has been effective, causing many companies to give in to its demands to prevent the exposure of sensitive data.

Even after the police action aimed at weakening the group, Lockbit demonstrated an impressive capacity for recovery. This raises significant concerns about the effectiveness of legal interventions in disrupting these operations. The group continues to evolve constantly, implementing new tools and strategies to stay ahead of corporate defenses.

Lockbit 3.0 operations after police intervention

After the police operation against Lockbit's activities, the group demonstrated a major capacity for recovery. Its activity slowed after the intervention, but the group quickly managed to operate again at full force. Its agile adaptation to cyber security failures and new tracking-evasion techniques allowed Lockbit 3.0 to maintain its operations without lasting harm.

In addition, the decentralization of its activities contributed considerably to its survival. Affiliates in various parts of the world continued to launch attacks under the Lockbit brand, keeping the group's name active and relevant.

This model of action not only lowers the risk to the core group but also allows affiliates to coordinate without depending on a centralized leadership structure. The same applies to other ransomware groups that operate this way. Their global nature and decentralization limit the authorities' ability to respond and require more effective and complete international collaboration. They also show how critical the implementation of cybersecurity is for detecting and mitigating these threats proactively.

Other relevant groups in the ransomware scenario

Although Lockbit is the most notorious group, other ransomware groups have played significant roles in 2024. AlphV (or BlackCat), for example, is known for its attacks on large corporations and for its use of advanced data exfiltration.

The CLOP group, in turn, stands out for exploiting vulnerabilities in widely used software, such as MOVEit Transfer, resulting in large data leaks.

Another group that has gained notoriety for successful attacks is Royal. This group focuses on high-profile targets and usually demands substantial ransoms. Its attacks include sophisticated tactics against critical infrastructure systems, drawing the attention of authorities and the cybersecurity community.

The Vice Society group concentrates its attacks on the education sector, causing significant disruption to the operations of educational institutions. Together with Play, these groups represent a constant threat to companies of all sizes. Thanks to the diversification of attack methods and the specialization of cybercriminals, the ransomware landscape is very dynamic and unpredictable, and it is essential that companies adopt more efficient tools and remain vigilant.

Full list of the most active groups

In 2023, the Information Security and Cyber Secretariat of the Institutional Security Office of the Presidency of the Republic conducted quantitative research and analysis of cyber threats, listing the most active ransomware groups:

Lockbit 3.0

Operating under the ransomware-as-a-service (RaaS) model, Lockbit provides the ransomware and attack infrastructure to its affiliates, who carry out the attacks and share the profits. The group targets several sectors, including energy, manufacturing, government, education and health, and represents a very serious threat.

Police authorities from the United States and the United Kingdom seized the sites the group used to coordinate attacks, as well as the servers used in its operations.

Black Basta

Black Basta is a group that began operating in early 2022, allegedly formed by cybercriminals who had already attacked several well-known organizations and countries and were known for the financial impact they caused. This means that Black Basta's members had considerable capability and experience from the start, which made their debut anything but subtle.

The group quickly established a formidable reputation in the cybercrime world through its double extortion tactics. Last year, the group was responsible for extorting at least $107 million in Bitcoin. Some of the group's main attacks:

  • American Dental Association (ADA): In April 2022, the ADA suffered an attack by the Black Basta group, which encrypted its systems and stole sensitive data, interrupting its operations and leaking information online.
  • Deutsche Windtechnik: Also in April 2022, Deutsche Windtechnik was attacked by the same group, forcing the company to disable its remote control systems and affecting the monitoring of its wind turbines.
  • Sobeys (Empire Company): In November 2022, the Sobeys supermarket chain was severely affected by a Black Basta attack, interrupting operations in multiple stores and damaging its supply chain.

BlackCat

The BlackCat group, also known as Noberus or AlphV, emerged in 2021 and is probably made up of former members of DarkSide, the group that attacked Colonial Pipeline. The ransomware used by the group targets Linux and Windows, and the group uses a triple extortion strategy: a ransom for file decryption, a promise not to leak the data, and the threat of a distributed denial-of-service attack.

According to the FBI, the group has claimed more than a thousand victims worldwide, operating under the ransomware-as-a-service (RaaS) model. One of its most notable attacks was against Oiltanking GmbH, involving 1.6 terabytes of confidential data. The group also relies on double extortion tactics and gained notoriety through high-impact attacks such as:

  • Swissport (2022): Swissport suffered an attack by the BlackCat group, interrupting flight dispatch services and causing delays at airports.
  • Moncler (2021): Moncler was attacked by BlackCat, which encrypted data and threatened to publish it. After the company refused to pay the ransom, the group published some of the information on the Dark Web.
  • Western Digital (2023): Western Digital was a victim of BlackCat in 2023; the group claimed to have stolen confidential data and demanded a ransom to avoid disclosure.

Clop

The CLOP group is known for its sophisticated extortion schemes. It operates in the cybercrime market with ransomware attacks that encrypt data and add the .clop extension to files.

This group focuses on financial institutions, critical infrastructure providers, large companies, the health sector and even educational institutions. Recently, the group allegedly stole data from various organizations worldwide, including government entities, the New York City public school system, British Airways and the BBC.

The main incidents related to the group are:

  • Incident at the University of Miami (2020): The CLOP group broke into the University of Miami, compromising the personal information of students and employees. It demanded payment in cryptocurrency, threatening to publish the data if the ransom was not paid.
  • Attack on Hyundai (2021): CLOP attacked one of Hyundai's subsidiaries, resulting in a leak of information that affected both customers and employees.
  • US government agencies (2023): CLOP broke into several US government agencies, exploiting a vulnerability to infect computers with malware, stealing data and then demanding a ransom.

REvil

The REvil group operates under the same ransomware-as-a-service (RaaS) model, with affiliates using its ransomware to attack individuals and companies. The group gained notoriety for attacks on high-profile victims such as Apple. It also runs a marketplace on the Dark Web where it threatens to leak stolen data when ransoms are not paid. Its most significant attacks were:

  • Attack on JBS Foods (2021): REvil attacked JBS, halting several plants. The company paid a ransom of approximately $11 million to avoid the disclosure of data.
  • Attack on Kaseya (2021): In July 2021, REvil compromised the Kaseya platform, affecting about 1,500 organizations globally and demanding a $70 million ransom.
  • Attack on Acer (2021): The group attacked Acer, demanding a $50 million ransom after exploiting a vulnerability in its systems.

What do these numbers mean to companies and users?

The rise of ransomware groups and the increase in the number of attacks mean that companies and users face growing risks. The RaaS model adopted by groups such as Lockbit 3.0 allows people with limited resources and basic skills to launch devastating attacks, increasing the pressure on companies to invest in cybersecurity.

In addition to the financial impact, companies also face the risk of confidential data exposure, which, depending on the sector, can be drastic. Loss of customers and business partners can cause even greater damage than the direct financial losses, as the organization's credibility is seriously impaired. A Security Report survey revealed that companies lose up to 7% of their market value after a cyber incident. A recent IBM report indicated that financial losses from cyber attacks worldwide should reach $10.5 trillion annually by 2025.

The numbers therefore indicate an urgent need for action. Companies and users should adopt preventive measures and strengthen their cyber defenses against this growing threat. Education and awareness of good security practices are also fundamental to reducing vulnerability to these attacks.

Increasing risk to business

The risks to business arising from ransomware attacks have increased exponentially in 2024. Companies that suffer such attacks face significant disruption to their operations, resulting in direct and indirect financial losses. In addition, because ransomware encrypts critical information, an attack can bring an organization to a complete standstill until payment is made.

Cybercriminals use a double or triple extortion method, in which they not only demand payment to unlock the data but also threaten to disclose confidential information or launch new attacks if the ransom is not paid.

There is also a huge impact on companies' long-term strategic planning. When proactive measures are not taken to protect against ransomware, companies risk losing their market competitiveness, as these attacks can compromise new product development, consumer confidence and innovation.

Data and Financial Loss

Loss of valuable information is one of the main consequences of a ransomware attack. For many organizations, data is their most important asset, and its loss can mean not only financial losses but also the stoppage of operations. In 2024, ransomware attacks resulted in millions of dollars in losses, whether due to the interruption of operations or the payment of ransoms.

The exposure of sensitive data also generates severe legal implications, especially in regulated sectors such as finance and health. Failing to comply with data protection rules may result in substantial fines and lawsuits, damaging the company's reputation.

It is important to remember that financial losses are not limited to the ransom payment. There are additional costs, such as hiring security experts, implementing new systems and communicating with affected clients. In addition, there may be compensation for those whose information was compromised in the cyber attack.

Reputational damage

Alongside financial losses, one of the least tangible but equally devastating consequences is the impact on the company's reputation. In an increasingly digital world, customer confidence in a company's ability to protect information is critical to business success. For this reason, any data breach can have a major impact on the organization's credibility.

In addition, companies that suffer attacks face an immediate loss of trust from customers, investors and partners. In some cases, they may also lose important contracts and see their brand devalued, as recovery from a cyber attack is a long and costly process.

Most affected sectors

In 2024, some sectors stood out as preferred targets of ransomware attacks. The health sector is one of the most affected, probably due to the amount of sensitive data it stores and the urgency of its operations. For this reason, hospitals and clinics are often forced to pay the ransom to ensure that data is kept confidential and that operations continue.

The education sector is another hard-hit area, as schools and universities store an immense amount of information about students and employees, making them attractive targets for cybercriminals. The financial and infrastructure sectors are also among the most targeted. Due to the large volume of monetary transactions and highly confidential data, financial services companies are profitable targets. Critical infrastructure, such as energy and transportation, is also a high-value target because of the importance of its services to the functioning of society as a whole.

How to protect yourself against ransomware attacks?

Protection against ransomware attacks requires a multi-layered approach, involving the adoption of advanced security technologies and sound data management practices. One of the main pillars of the defense strategy against this type of attack is prevention, which can be achieved with effective cyber security practices such as the use of firewalls, antivirus and EDR (Endpoint Detection and Response) solutions.

In addition, the education and training of employees are fundamental. Ransomware attacks often start with a human error, such as opening a fake email or downloading a malicious file. Regular training on good digital security practices therefore helps significantly reduce risks and vulnerabilities within the network and on devices.

Regular data backup is a very effective measure. Keeping backups up to date and stored in a secure environment allows companies to minimize the damage caused by an attack and recover quickly without having to pay the ransom.

Good security practices

Implementing good security practices is indispensable for preventing ransomware attacks. This begins with keeping the company's systems and software up to date, as vulnerabilities in outdated systems are one of the main entry points for cybercriminals.

The use of multi-factor authentication is another important practice. Adding a layer of protection beyond the password makes unauthorized access to systems difficult even if credentials are compromised. Passwords themselves also require care: they should be strong, avoiding simple or repeated combinations.

Network segmentation is another strategy that can help minimize damage in the event of an intrusion. Dividing the network into different zones limits cybercriminals' access to the most critical systems, isolating problems more efficiently and preventing them from spreading throughout the infrastructure.

Regular backups

As mentioned, maintaining regular backups is an effective strategy for mitigating the damage of a ransomware attack. With backups in place, if a cyber attack occurs the company will be able to recover its data without having to pay the ransom.

Backups need to be performed frequently and automatically to ensure that all critical information is stored. In addition, these backups should be stored in locations isolated from the main network, ensuring that cybercriminals cannot access them during an attack.

The use of incremental backups, which capture only the changes made since the previous backup, is also highly recommended. In addition to saving time, this saves storage space and ensures that the most recent data is also protected.
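As an added illustration, not code from the article or from Lumiun, the following Python script implements the three properties this section asks of a backup: it copies only new or changed files into a fresh snapshot directory (incremental), records a SHA-256 manifest of what each snapshot holds, and re-verifies the copies so that a backup that was itself encrypted, truncated or corrupted is noticed before anyone relies on it for a restore. The directory layout, the manifest format and the sample files are assumptions of the example. The script says nothing about where `dest` lives; in practice that path must be the storage isolated from the main network that the text calls for, otherwise the verification step is the only thing standing between the backup and the same attack.

```python
"""Incremental, verifiable directory backups with a SHA-256 manifest (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

MANIFEST = "manifest.json"  # assumption: one manifest per backup destination


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(source: Path) -> Dict[str, str]:
    """Map of relative path -> SHA-256 for every regular file under `source`."""
    return {
        p.relative_to(source).as_posix(): sha256_file(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }


def incremental_backup(source: Path, dest: Path, snapshot: str) -> List[str]:
    """Copy only files that are new or changed since the last run into dest/<snapshot>.

    The manifest records, for every current file, its hash and the snapshot that
    holds its latest copy, so a restore can be assembled from several snapshots.
    Returns the relative paths copied in this run.
    """
    dest.mkdir(parents=True, exist_ok=True)
    manifest_path = dest / MANIFEST
    previous = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    manifest: Dict[str, Dict[str, str]] = {}
    copied: List[str] = []
    for rel, digest in scan(source).items():
        prev = previous.get(rel)
        if prev and prev["sha256"] == digest:
            manifest[rel] = prev  # unchanged: keep pointing at the snapshot that already has it
            continue
        target = dest / snapshot / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, target)
        manifest[rel] = {"sha256": digest, "snapshot": snapshot}
        copied.append(rel)
    # Files deleted from source drop out of the manifest; their older snapshot copies remain on disk.
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return copied


def verify_backup(dest: Path) -> List[str]:
    """Re-hash every file the manifest points to and return the relative paths that do not match.

    Run this before trusting a backup for restore: a copy that was encrypted,
    truncated or silently corrupted after it was written shows up here.
    """
    manifest = json.loads((dest / MANIFEST).read_text())
    bad = []
    for rel, entry in manifest.items():
        copy = dest / entry["snapshot"] / rel
        if not copy.is_file() or sha256_file(copy) != entry["sha256"]:
            bad.append(rel)
    return sorted(bad)


def demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Two backup runs over a constructed tree, a clean verify, then a tampered verify."""
    with tempfile.TemporaryDirectory() as tmp:
        source, dest = Path(tmp, "source"), Path(tmp, "backups")
        (source / "docs").mkdir(parents=True)
        (source / "finance").mkdir()
        (source / "docs" / "report.txt").write_text("annual report v1\n")
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")

        first = incremental_backup(source, dest, "snap-001")   # everything is new
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n2024-01-02,250\n")
        second = incremental_backup(source, dest, "snap-002")  # only the ledger changed
        clean = verify_backup(dest)

        # Simulate a backup copy being overwritten in place (constructed corruption).
        (dest / "snap-002" / "finance" / "ledger.csv").write_bytes(b"\x00garbage")
        tampered = verify_backup(dest)
        return sorted(first), second, clean, tampered


if __name__ == "__main__":
    print(demo())
```

Running `demo()` copies two files on the first run, only `finance/ledger.csv` on the second, reports no mismatches on the clean verify, and names `finance/ledger.csv` once its snapshot copy has been overwritten.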

Strong passwords

Using strong passwords is a simple and effective way to protect systems from ransomware attacks. Weak passwords are the first entry point for cybercriminals, and the company must establish a password policy that requires more complex combinations.

In addition, it is important that the company implements a periodic password change policy, preferably every quarter. This reduces the risk of a compromised password going undetected for a long time.

Software Update

Software updates exist so that these tools remain protected even in the face of new threats. Keeping software up to date is therefore one of the most important practices for preventing cyber attacks, as cybercriminals often exploit vulnerabilities in outdated software to access systems and networks.

Therefore, all critical applications used by the company must be kept up to date, including operating systems, security tools, browsers, management software, productivity tools and databases. It is important to implement automatic update policies to ensure that all fixes are applied without delay. Updates must be tested in controlled environments before they are applied across the network, to avoid conflicts and compatibility problems.

Security Solutions

The use of broader security solutions is one of the main factors in a ransomware protection strategy. It is crucial that companies implement a combination of controls, such as antivirus, firewalls and EDR solutions, to ensure that all layers are protected. In this way the tools act together to detect and block attack attempts before systems are compromised.

EDR solutions are particularly effective in combating this kind of cyber threat, as they offer a detailed view of devices and behavior on the network. This allows early detection of suspicious activity and the isolation of compromised devices to prevent the attack from spreading.

Antivirus

Antivirus is one of the oldest tools used to protect systems and devices. An essential defense against ransomware, modern antivirus products are able to detect a wide variety of malware, scanning files and processes in real time.

It is therefore essential that the software is configured to perform regular automatic scans of the company's systems. This ensures the rapid identification of any threat and its neutralization before it causes significant damage to the organization.

Business-grade antivirus offers additional protection, such as behavioral detection and integration with other security tools. These more robust solutions provide an extra layer of protection against sophisticated threats, helping to keep the company protected.

Firewall

Firewalls play an indispensable role in protecting against ransomware attacks, allowing the company to control network traffic and block unauthorized communication attempts. By monitoring inbound and outbound traffic, firewalls can prevent ransomware from communicating with its command servers, interrupting the operation before it can cause problems.

Firewalls are also quite effective in limiting lateral movement within the network, a common technique cybercriminals use to spread across different devices. Well-configured firewall rules can help isolate critical systems and prevent the spread of an attack.

Like any other tool, firewalls should be kept updated and properly configured, and complemented by other security solutions, such as intrusion detection and prevention systems.

EDR (Endpoint Detection and Response)

With the increasing sophistication of cyber threats, technology solutions have had to evolve to remain effective. EDR solutions are one of the best technologies for combating ransomware. They provide real-time visibility into everything happening on devices and the network, allowing companies to detect suspicious activity faster, and a detailed view of processes and behavior at each endpoint.

One of the biggest advantages of this tool is its response capability. When a threat is detected, the system can immediately isolate the compromised device, preventing the ransomware from spreading through the network. In addition to mitigating the impact of an attack, this allows a quick response before the damage becomes irreversible.

The urgent need for proactive action

Now that we understand how harmful the growing number of ransomware attacks in 2024 is, it is imperative that companies adopt a proactive defense posture against these threats. A reactive approach is ineffective in mitigating the risks of ransomware; cyber security should be seen as a strategic investment, not an expense.

To prepare properly, companies need to implement more robust security and continually train their employees. Security is everyone's responsibility, and a security culture should be encouraged to reduce exposure to risk.

Continuous collaboration between companies, governments and experts is also crucial to combating the growing sophistication of ransomware groups. Only through a collective and coordinated approach is it possible to face the threat posed by cybercriminals effectively.

The role of international collaboration in combating ransomware

Combating ransomware requires international collaboration between governments, companies and cybersecurity experts. The transnational character of these attacks, with various groups operating from countries where there is little or no cyber regulation, makes it crucial that defense efforts are coordinated globally.

In recent years we have seen increased cooperation between police agencies and governments of different countries to face this problem. One example was the operation that dismantled part of Lockbit 3.0, weakening the group for a period. However, many cybercriminal groups can quickly restructure, changing jurisdiction or using decentralized infrastructure. These characteristics make the fight against ransomware extremely difficult and laborious, and only international collaboration can secure a more positive future in combating these cyber threats.
