In the first half of 2024, the digital security landscape was drastically affected by several ransomware attacks that hit companies and users worldwide. According to a report developed by Verizon, cyberattacks exploiting user vulnerabilities increased by 180% in 2023, as is the case with ransomware. These attacks are mainly carried out by highly organized groups, responsible for more than half of digital breaches.
A recent report highlighted six main groups that have dominated the cyber threat landscape, with LockBit 3.0 remaining the biggest threat. Although a police operation interfered with this group's activities, it remains the most active in the ransomware landscape.
According to a bulletin published by ISH Tecnologia, ransomware groups, including LockBit and AlphV (or Black Cat), have become targets of police operations worldwide. However, the space left by the groups dismantled by these operations ends up being occupied by new groups, which adopt new and more sophisticated tactics.
This constant renewal of ransomware groups raises fundamental questions about companies' preparedness to address these risks. Many organizations still underestimate the threat posed by ransomware, resulting in security vulnerabilities that are exploited by cybercriminals.
The main ransomware groups in 2024
As mentioned above, LockBit remained the most active of the ransomware groups in 2024. The group registered 325 victims in the first half of this year alone, demonstrating resilience and adaptability in the face of changes in the cybersecurity landscape. The group's decentralized structure, coupled with its innovative attack tactics, makes LockBit a significant threat.
The ISH Tecnologia bulletin also highlights the following ransomware groups:
- Quilong Group: Possibly of Asian origin, but operates significantly in Brazil. Recently, it became notorious for leaking intimate and personal photos from companies in the aesthetics and health sectors, causing a major impact on the lives of the users concerned. The attack took place in April 2024, when the group disclosed details of the malicious activity on its Dark Web site. It claimed to possess sensitive images belonging to companies that failed to pay the ransom within the stipulated timeframe and said that attempts to contact the victims were ignored.
- Arcus Media Group: Like Quilong, it has prioritized operations in Brazil. This group uses double extortion, blocking access to data and threatening to leak information. Its main targets are retail, education, and technology companies, where it has caused considerable impact.
These specialized groups use more sophisticated hacking and extortion techniques, encrypting victims' confidential data and demanding payment in cryptocurrencies to restore access. Thus, the impact of these actions goes beyond financial losses, also affecting the reputation and operations of companies. As these groups continue to innovate and evolve their tactics, the challenges of combating these threats become even more complex.
Competition between these groups creates an environment of immense pressure on companies to improve their cyber defenses. The most vulnerable organizations are those that neglect basic security practices, such as software updates, multi-factor authentication, and strong passwords.
What is Ransomware as a Service (RaaS)?
One of the significant factors behind the increase in ransomware in Brazil is the advent and accessibility of Ransomware as a Service (RaaS). This model operates like a franchise: a central syndicate develops the ransomware and rents it to affiliates. It has democratized high-risk digital extortion, allowing new cybercriminals from all over the world, with minimal investment, to launch highly devastating cyberattacks.
This collaborative approach increases the frequency of ransomware attacks and expands their reach and effectiveness, victimizing targets of all kinds, including large corporations. In practice, affiliates encrypt the victim's data, demand a ransom payment for its return, and share the profits with the provider.
The role of artificial intelligence in defending against ransomware
Artificial intelligence (AI) helps combat ransomware by proactively detecting malicious behavior, analyzing large volumes of data to identify suspicious patterns, such as rapid file encryption. Furthermore, AI can automate incident response, isolate compromised devices, and restore files from secure backups. Using machine learning, AI recognizes new types of malware, analyzes logs to detect threats, and can even predict future attacks based on trends. When integrated into security systems, AI becomes an effective tool for preventing, mitigating, and quickly responding to ransomware attacks.
The application of AI in post-attack incident analysis is another of its benefits. Tools of this type can trace the origin of the attack and map the exploited vulnerabilities, allowing the company to adjust its defenses and prevent future incidents. With its continuous learning capacity, AI can adapt to new threats more dynamically, becoming a fundamental part of a robust cybersecurity strategy.
Ransomware attack against Costa Rica
Although there is no single typical victim of ransomware, incidents that have made headlines have demonstrated how large organizations have suffered significant losses. One example is the cyberattack carried out by the Conti group against Costa Rica, which caused significant delays in the country's public administration and financial operations.
A national emergency was declared, and the government refused to pay the ransom, which was initially $10 million and later increased to $20 million. Costa Rica lost up to $30 million a day due to this cyberattack.
Given this, we can understand how this type of attack can be damaging, even to the most prepared organizations. Therefore, the need for more robust protection tools becomes a priority.
LockBit 3.0: The most active group
In 2024, LockBit 3.0 was the most active group in the ransomware landscape, surpassing its competition with an impressive number of successful attacks. Its approach is primarily based on a Ransomware as a Service (RaaS) model, in which affiliates have access to the group's infrastructure to conduct their own attacks. This structure allows the group to expand daily and operate in a decentralized manner, making it difficult for authorities to track and contain it. According to US security authorities, LockBit has targeted over 1,700 companies across nearly every market sector.
Among the most publicized attacks claimed by the group, we can mention:
- The National Aerospace Laboratories (NAL) of India, from which eight allegedly stolen documents were leaked, including confidential letters, an employee's passport, and other documents.
The group's main tactic is double extortion. In addition to encrypting victims' data, the group also threatens to leak confidential information if the ransom is not paid. This strategy has proven effective for the group, causing many companies to give in to its demands to avoid exposing sensitive data.
Even after police action focused on weakening the group, LockBit demonstrated an impressive capacity for recovery. This raises significant concerns about the effectiveness of legal interventions in disrupting these operations. The group continues to evolve constantly, implementing new tools and strategies to stay ahead of corporate defenses.
LockBit 3.0 operations following police intervention
After the police operation against LockBit's activities, the group demonstrated a remarkable capacity for recovery. There was a slowdown in its activities after the intervention, but the group quickly returned to full operation. Its agile adaptation to cybersecurity vulnerabilities and its new tracking evasion techniques allowed LockBit 3.0 to maintain its operations without disruption.
Furthermore, the decentralization of its activities contributed considerably to its survival in the market. Affiliates in various parts of the world continued to launch attacks under the LockBit name, keeping the group active and relevant.
This operational model not only eliminates risk but also allows cybercriminals to align themselves without relying on a centralized leadership structure. The group's survival, even after police action, demonstrates the difficulty of combating ransomware. Investing in cybersecurity tools is therefore fundamental to proactively detecting and mitigating these threats.
Other relevant groups in the ransomware landscape
Although LockBit dominated, other ransomware groups have played significant roles in the 2024 landscape. AlphV (or Black Cat), for example, is notorious for its attacks targeting large corporations and for its use of advanced data exfiltration techniques.
The Clop group, in turn, is highly prominent in exploiting vulnerabilities in widely used software, such as MOVEit Transfer, resulting in large data breaches.
Another group that has gained notoriety for successful attacks is Royal. This group focuses on high-profile targets and generally demands substantial ransom payments. Its attacks include sophisticated tactics against critical infrastructure systems, drawing the attention of authorities and the cybersecurity community.
The Vice Society group focuses its attacks on the education sector, causing significant disruptions to the operations of educational institutions. Along with Play, these groups represent a constant threat to companies of all sizes. Thanks to the diversification of attack methods and the specialization of cybercriminals, the ransomware landscape is very dynamic and unpredictable, making it crucial for companies to adopt more efficient tools and remain vigilant.
Full list of the most active groups
In 2023, the Information and Cyber Security Secretariat of the Institutional Security Office of the Presidency of the Republic conducted a quantitative survey and analysis of cyber threats, identifying the following as the most active ransomware groups:
LockBit 3.0
Operating under the Ransomware as a Service (RaaS) model, LockBit offers ransomware and an attack infrastructure to its affiliates, who execute attacks and share the profits. This group targets various sectors, including energy, manufacturing, government, education, and healthcare, representing a very serious threat.
Law enforcement authorities in the United States and the United Kingdom seized websites used by the group to coordinate attacks, as well as the servers used in the operations.
Black Basta
Black Basta is a group that began operating in early 2022, supposedly derived from a cybercriminal group that had already attacked numerous individuals and countries and was known for its financial impact. This means that Black Basta had a great deal of skill and experience from the start, which made its debut anything but subtle.
The group quickly established a formidable reputation in the cybercrime world through its double extortion tactics. Last year, the group was responsible for extorting at least $107 million in Bitcoin. Some of the group's main attacks include:
- American Dental Association (ADA): In April 2022, the ADA suffered an attack from the Black Basta group, which encrypted its systems and stole sensitive data, disrupting its operations and leaking information online.
- Deutsche Windtechnik: Also in April 2022, Deutsche Windtechnik was attacked by the same group, forcing the company to disable its remote control systems, affecting the monitoring of its wind turbines.
- Sobeys (Empire Company): In November 2022, the Sobeys supermarket chain was severely impacted by a Black Basta attack, disrupting operations at several stores and harming its supply chain.
Black Cat
The Black Cat group, also known as Noberus or AlphV, emerged in 2021 and is likely formed by former members of DarkSide, which attacked Colonial Pipeline. The ransomware used by the group targets Linux and Windows systems and employs a triple extortion strategy: a ransom for file decryption, a promise not to leak the data, and the prevention of distributed denial-of-service attacks.
According to the FBI, the group has victimized over a thousand targets worldwide, operating under the Ransomware as a Service (RaaS) model. One of its most notable attacks was against Oiltanking GmbH, from which 1.6 terabytes of data were stolen. This data was then sold by the group, demonstrating its double extortion approach. The group gained notoriety through robust attacks such as:
- Swissport (2022): Swissport suffered an attack by the BlackCat group, disrupting flight dispatch services and causing delays at airports.
- Moncler (2021): Moncler was attacked by BlackCat, who encrypted data and threatened to release it. After the company refused to pay the ransom, they published some of the information on the dark web.
- Western Digital (2023): Western Digital was a victim of BlackCat in 2023, which claimed to have stolen confidential data and demanded a ransom to prevent its disclosure.
Clop
The Clop group is known for its sophisticated extortion schemes. This organization is notorious in the cybercrime world for ransomware attacks that encrypt data and append the .clop extension to files.
This group targets financial institutions, critical infrastructure providers, healthcare organizations, and even educational institutions. Recently, the group allegedly stole data from numerous organizations worldwide, including government entities. Victims of the attack included the New York City public schools and even British Airways and the BBC.
The main incidents related to the group are:
- Incident at the University of Miami (2020): The Clop hacker group broke into the University of Miami, compromising the personal information of students and staff. They demanded a payment in cryptocurrency, threatening to make the data public if the ransom was not paid.
- Attack on Hyundai (2021): Clop attacked one of Hyundai's subsidiaries, resulting in an information leak that affected both customers and employees.
- US government agencies (2023): Clop infiltrated several US government agencies, exploiting a vulnerability to infect computers with malware, steal data, and then demand a ransom.
REvil
The REvil group operates under the Ransomware as a Service (RaaS) model, with affiliates using its ransomware to attack individuals and companies. The group gained notoriety for attacks on high-profile victims, such as Apple. It also runs a marketplace on the Dark Web, where it threatens to leak stolen data when ransoms are not paid. Its most significant attacks were:
- Attack on JBS Foods (2021): REvil attacked JBS, resulting in the shutdown of several factories. The company paid a ransom of approximately $11 million to prevent the disclosure of data.
- Attack on Kaseya (2021): In July 2021, REvil compromised the Kaseya platform, affecting approximately 1,500 organizations globally and demanding a ransom of $70 million.
- Attack on Acer (2021): The group attacked Acer, demanding a ransom of $50 million after exploiting a vulnerability in its systems.
What do these numbers mean for businesses and users?
The rise of ransomware groups and the increase in the number of attacks mean that companies and users face ever-increasing risks. The RaaS model, adopted by groups like LockBit 3.0, allows people with limited resources and basic skills to launch devastating attacks, increasing the pressure on companies to invest in cybersecurity.
Beyond the financial impact, companies also face the risk of exposure of confidential data , which, depending on the sector, can be drastic. The loss of trust from customers and business partners can cause even greater damage than financial losses, since the organization's credibility will be seriously compromised. Research by Security Report revealed that companies lose up to 7% of their market value after a cyber incident. A recent IBM report revealed that financial losses from cyberattacks worldwide are expected to reach US$10.5 trillion annually by 2025.
Therefore, the numbers indicate an urgent need for action . Companies and users must adopt preventive measures and strengthen their cyber defenses against this growing threat. Furthermore, education and awareness of good security practices are fundamental to reducing vulnerabilities in the face of these attacks.
Growing risk for businesses
The risks to businesses stemming from ransomware attacks have increased exponentially in 2024. Companies that suffer such attacks face significant disruptions to their operations, resulting in direct and indirect financial losses. Furthermore, the nature of ransomware attacks, which involves the encryption of critical information, can completely paralyze an organization until payment is made.
Cybercriminals increasingly use a double or triple extortion method, in which, beyond the payment demanded to unlock the data, they threaten to disclose confidential information or launch new attacks if the ransom is not paid.
Furthermore, there is a huge impact on long-term strategic planning . When proactive measures are not taken to protect against ransomware, companies risk losing their competitiveness in the market , as these attacks can compromise new product development, consumer trust, and innovation.
Data loss and financial loss
The loss of valuable information is one of the main consequences of a ransomware attack. For many organizations, data represents their most important asset, and its loss can mean not only financial losses but also the paralysis of operations. In 2024, ransomware attacks resulted in millions of dollars in losses, either due to the interruption of operations or the payment of ransoms.
The exposure of sensitive data also generates severe legal implications, especially in regulated sectors such as finance and healthcare. Failing to comply with data protection regulations can result in substantial fines and lawsuits, damaging the company's reputation.
It's important to remember that financial losses aren't limited to just paying the ransom. There are additional costs, such as hiring security specialists , implementing new systems, and communicating with affected customers. Furthermore, there may be compensation claims for those whose information was compromised due to the cyberattack.
Damaged reputation
Alongside financial losses, one of the less tangible but equally devastating consequences is the impact on the company's reputation. In an increasingly digital world, customer trust in the company's ability to protect information is fundamental to business success. For this reason, any data breach can have a major impact on the organization's credibility.
Furthermore, companies that suffer attacks face the immediate loss of trust from customers, investors, and partners. In some cases, it can also lead to the loss of important contracts and even brand devaluation , since recovery after a cyberattack is a long and costly process.
Sectors most affected
In 2024, some sectors stood out as preferred targets for ransomware attacks. The healthcare sector is one of the most affected, likely due to the amount of sensitive data stored and the urgency of its operations. For this reason, hospitals and clinics are frequently forced to pay ransoms to ensure that data remains confidential and operations continue.
The education sector is another area that has been severely affected, as schools and universities store an immense amount of information about students and staff, making them attractive targets for cybercriminals . The financial and infrastructure sectors are also among the most targeted. Due to the large volume of monetary transactions and highly confidential data, financial services companies are lucrative targets. Critical infrastructure , such as energy and transportation, also has high value due to the importance of its services for the functioning of society as a whole.
How to protect yourself against ransomware attacks?
Protection against ransomware attacks requires a multi-layered approach, involving the adoption of advanced security technologies and the implementation of best data management practices. One of the main pillars of the defense strategy against this type of attack is prevention, which can be achieved with efficient cybersecurity practices, such as the use of firewalls, antivirus software, and EDR solutions.
Furthermore, the education and training of your employees are fundamental. Often, ransomware attacks are initiated by human error , such as opening fake emails or downloading malicious files. Therefore, implementing regular training on best practices in digital security helps to significantly reduce risk and vulnerabilities within the network and devices.
Regular data backup is a highly effective measure. Maintaining up-to-date backups stored in a secure environment allows companies to minimize damage caused by an attack, enabling them to recover quickly without having to pay a ransom.
Good security practices
Implementing good security practices is essential for preventing ransomware attacks. This starts with keeping the systems and software used by the company up to date, since vulnerabilities in outdated systems are one of the main entry points for cybercriminals.
The use of multifactor authentication is another important practice. Adding a layer of protection beyond the password makes unauthorized access to systems more difficult, even if credentials are compromised. Furthermore, passwords must be created with this in mind, making them strong and avoiding simple or repeated combinations.
Network segmentation is another strategy that can help minimize damage in the event of an intrusion. Dividing the network into different zones limits cybercriminals' access to the most critical systems, isolating problems more efficiently and preventing them from spreading throughout the infrastructure.
Regular backups
As mentioned, maintaining regular backups is an effective strategy to mitigate the damage from a ransomware attack. Backups will allow the company to recover its data without having to pay a ransom if a cyberattack occurs.
Backups need to be performed frequently and automatically to ensure that all critical information is stored. Furthermore, they should be kept in locations isolated from the main network, ensuring that cybercriminals cannot access them during an attack.
The use of incremental backups , which capture only the changes made, is also highly recommended. In addition to saving time, this saves storage space and ensures that even the most recent data is protected.
Strong passwords
Using strong passwords is a simple and effective way to protect systems against ransomware attacks. Weak passwords are the first point of entry for cybercriminals, making it necessary for companies to establish a password policy that requires more complex combinations.
Furthermore, it is important for the company to implement a policy of changing passwords periodically, preferably every quarter. This reduces the risk of a compromised password going undetected for an extended period.
Software update
Software updates are developed to keep these tools protected even in the face of new threats. Therefore, keeping software updated is one of the most important practices for preventing cyberattacks, as cybercriminals frequently exploit vulnerabilities in outdated software to access systems and networks.
All critical applications used by the company must be updated, including operating systems, security tools, browsers, management software, productivity tools, and databases. It is also important to implement automatic update policies to ensure that all fixes are applied without delay. Updates should be tested in controlled environments before being applied across the network to avoid conflicts and compatibility issues.
Security solutions
The use of more comprehensive security solutions is one of the main factors in a ransomware protection strategy. It is crucial that companies implement a combination of strategies, such as antivirus, firewalls, and EDR solutions, to ensure that all layers are protected. In this way, the tools work together to detect and block attack attempts before they compromise systems.
EDR solutions are particularly effective in combating this type of cyber threat because they offer a detailed view of network devices and behaviors. This allows for the early detection of suspicious activity and also isolates compromised devices to prevent the attack from spreading.
Antivirus
Antivirus software is one of the oldest tools used to protect systems and devices. As an essential defense against ransomware, modern antivirus programs are capable of detecting a wide variety of malware by scanning files and processes in real time.
It is essential that the software be configured to perform regular automatic scans of the company's systems. This ensures the rapid identification of any threat and its neutralization before it causes significant damage to the organization.
Enterprise-grade antivirus software offers additional protection, such as behavior-based detection and integration with other security tools. More robust solutions thus provide an extra layer of protection against sophisticated threats, helping to keep the business safe.
Firewall
Firewalls play an indispensable role in protecting against ransomware attacks, allowing companies to control network traffic and block unauthorized communication attempts. By monitoring inbound and outbound traffic, firewalls can prevent ransomware from communicating with its command and control servers, disrupting the attack before it can cause problems.
The firewall is also quite effective at limiting lateral movement within the network, a common technique used by cybercriminals to spread across different devices. Properly configured firewall rules can help isolate critical systems and prevent the spread of an attack.
Like any other tool, firewalls must be kept up to date and properly configured, and complemented by other security solutions such as intrusion detection and prevention systems.
EDR (Endpoint Detection and Response)
With the increasing sophistication of cyber threats, technology solutions have had to evolve to remain effective. EDR solutions are one of the best technologies to combat ransomware. They provide real-time visibility into everything happening on the device and network, allowing companies to detect suspicious activity more quickly, and offer a detailed view of processes and behaviors at each endpoint.
One of the greatest advantages of this tool is its responsiveness. Upon detecting a threat, the system can immediately isolate the compromised device, preventing the ransomware from spreading across the network. In addition to mitigating the impact of an attack, this allows for a rapid response before the damage becomes irreversible.
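As an added example (not code from the original article or from any EDR vendor), the Python script below illustrates the two ideas this page describes: the "rapid file encryption" pattern that AI-assisted detection looks for, and the detect-then-isolate response of an EDR. It replays constructed file-activity events through a sliding window per process and raises an alert with an "isolate_host" response when a process modifies files faster than a human would or renames them to the .clop extension named on this page; the log format, thresholds, host and process names are all assumptions.

```python
"""Toy EDR-style detector for the rapid-file-encryption pattern.

Constructed example: it replays file-activity events, keeps a sliding window
per process, and emits an alert with the response an EDR would take (isolate
the host) when a process rewrites or renames files faster than a human would,
or when new file names carry a ransomware extension ('.clop' is named on this
page). Log format, thresholds and process names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import os

WINDOW_SECONDS = 10        # sliding window length (assumed tunable)
BURST_THRESHOLD = 20       # writes/renames per process within the window
RANSOM_EXTENSIONS = {".clop"}                  # extend from your own threat intel
ALLOWLISTED_PROCESSES = {"backup-agent.exe"}   # known bulk writers (assumed name)


def parse_event(line):
    """Parse one log line: '<iso8601> <host> <pid> <process> <action> <path>'."""
    ts, host, pid, proc, action, path = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "pid": int(pid), "process": proc,
            "action": action, "path": path}


def analyze(lines, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Return alerts as dicts naming host/process, the rule that fired, the
    evidence, and the recommended EDR response."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # (host, pid, process) -> timestamps in window
    fired = set()                 # (key, rule) pairs already reported
    alerts = []

    def alert(key, rule, ev, evidence):
        if (key, rule) in fired:          # report each rule once per process
            return
        fired.add((key, rule))
        alerts.append({"host": key[0], "pid": key[1], "process": key[2],
                       "rule": rule, "time": ev["ts"].isoformat(),
                       "evidence": evidence, "response": "isolate_host"})

    for ev in events:
        if ev["action"] not in ("write", "rename"):
            continue
        key = (ev["host"], ev["pid"], ev["process"])
        # Rule 1: the new file name carries a known ransomware extension.
        # This applies even to allowlisted processes.
        ext = os.path.splitext(ev["path"])[1].lower()
        if ext in RANSOM_EXTENSIONS:
            alert(key, "ransom_extension", ev, ev["path"])
        # Rule 2: too many writes/renames inside the sliding window. Known bulk
        # writers (backup agents, indexers) are allowlisted to limit false positives.
        if ev["process"] in ALLOWLISTED_PROCESSES:
            continue
        q = recent[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            alert(key, "rapid_file_modification", ev,
                  f"{len(q)} file changes in {window}s")
    return alerts


def constructed_events():
    """Constructed sample log: an editor saving slowly, an allowlisted backup
    job writing in bulk, and an unknown process renaming documents to '.clop'
    at machine speed (the rapid-encryption signature)."""
    base = datetime(2024, 6, 3, 10, 15, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} ws-042 1200 winword.exe write "
                     f"C:\\Users\\ana\\Documents\\q{i}.docx")
    for i in range(25):
        t = base + timedelta(milliseconds=200 * i)
        lines.append(f"{t.isoformat()} ws-042 3300 backup-agent.exe write "
                     f"D:\\backup\\file{i}.bak")
    for i in range(25):
        t = base + timedelta(seconds=30, milliseconds=200 * i)
        lines.append(f"{t.isoformat()} ws-042 4711 unknown.exe rename "
                     f"C:\\Users\\ana\\Documents\\q{i}.docx.clop")
    return lines


if __name__ == "__main__":
    for a in analyze(constructed_events()):
        print(a)
```

The allowlist shows the main caveat of this heuristic: backup agents and indexers legitimately touch many files per second, so a production rule needs tuning against the organization's own baseline rather than fixed thresholds.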
The urgent need for proactive action
Now that we understand how damaging the increasing number of ransomware attacks in 2024 is, it is imperative that companies adopt a proactive stance in defending against these threats. A reactive approach is ineffective in mitigating ransomware risks; cybersecurity should be viewed as a strategic investment, not an expense.
To prepare adequately, companies need to implement more robust security and continuously train their employees. Security is everyone's responsibility, and a security culture should be encouraged to reduce exposure risks.
Ongoing collaboration between businesses, governments, and experts is also crucial to combating the growing sophistication of ransomware groups. Only through a collective and coordinated approach is it possible to effectively confront the threat posed by cybercriminals.
The role of international collaboration in combating ransomware
Combating ransomware requires international collaboration between governments, businesses, and cybersecurity experts. The transnational nature of these attacks, with various groups operating from countries with little or no cybersecurity regulation, makes it crucial that defense efforts are coordinated globally .
In recent years, we have observed an increase in cooperation between law enforcement agencies and governments of different countries to address this problem. An example of this was the operation that dismantled part of LockBit 3.0, weakening the group for a certain period of time. However, many cybercriminal groups are able to restructure quickly, changing jurisdictions or using decentralized infrastructures. These characteristics make combating ransomware extremely difficult and laborious, and only international collaboration can secure a more positive future in the fight against these cyber threats.