Ransomware payments significantly decreased in 2024, falling 35% to ~$813.55 million, as more victims refused to pay. Despite a higher number of victims being posted on ransomware gang leak sites, fewer organizations yielded to extortion demands. This shift indicates a growing resistance to paying ransoms, potentially driven by improved data recovery strategies and law enforcement efforts.
The report underscores the evolving landscape of ransomware attacks, with a focus on victim empowerment through refusal to pay. It also suggests that while the number of attacks may remain high, the financial success of ransomware operations is diminishing, signaling a potential change in attacker tactics.
The Russian-speaking cybercrime gang known as Crazy Evil has been observed using various social media scams to trick victims into installing malware like StealC, AMOS (Atomic macOS Stealer), and Angel Drainer. These attacks focus on identity theft and financial fraud, targeting cryptocurrency users in particular. The sophistication of their lures and the diverse malware employed indicate a well-resourced and organized operation.
US and Dutch authorities have seized 39 domains and servers linked to the HeartSender cybercrime group, based in Pakistan. This group, also known as Saim Raza and Manipulators Team, was known for selling hacking and fraud tools. The coordinated law enforcement operation aimed to disrupt the network’s activities, which had caused over $3 million in victim losses.
The HeartSender network had been active since at least 2020, providing malicious software and phishing toolkits to transnational organized crime groups. These tools were marketed as “fully undetectable” and were used for various cybercrimes, including business email compromise (BEC) attacks, identity theft, and credential harvesting. The seizure marks a significant step in combating cybercrime and protecting potential victims from financial losses.
The New York Blood Center Enterprises (NYBC), a vital organization responsible for supplying blood and blood products to hospitals across the region, has fallen victim to a ransomware attack. The incident has significantly disrupted its IT systems, forcing the organization to implement emergency measures while cybersecurity experts work to address the threat.
Tata Technologies, an Indian IT services company, experienced a ransomware attack which caused the temporary suspension of some of its IT services. The company is actively investigating the incident and taking steps to restore services. The details regarding the specific ransomware variant used and the extent of data exfiltration are still under investigation. The impact of this incident on the company’s operations and clients remains to be seen.
Ransomware attacks surged to a record high in December 2024, with 574 incidents reported. FunkSec, a newly identified group combining hacktivism and cybercrime, accounted for over 100 attacks, making it the most active group that month. The attacks concentrated on the industrial sector and used a variety of ransomware techniques, underscoring the sharp rise in attack volume.
A Pakistan-based cybercrime group, HeartSender (aka Saim Raza and Manipulators Team), was disrupted by a joint operation between U.S. and Dutch authorities. 39 domains and servers linked to the group, known for selling hacking and fraud tools, were seized. This group generated millions in revenue selling malware and fraud tools to transnational organized crime groups, mainly focused on BEC attacks.
The Phorpiex botnet is now being used to distribute LockBit ransomware through compromised websites and phishing emails. This new attack vector demonstrates the botnet’s evolving capabilities and the automation of ransomware delivery. It is a significant shift from Phorpiex’s previous activities, posing a greater threat to organizations and individuals worldwide, and reflects the growing trend of botnets being used for ransomware attacks.
UnitedHealth Group has confirmed a massive data breach, stemming from a ransomware attack on its subsidiary, Change Healthcare, in February 2024. This breach has impacted approximately 190 million Americans, nearly doubling the initial estimate, making it one of the largest healthcare data breaches in US history. This incident underscores the significant cybersecurity risks in the healthcare sector and the vulnerability of large healthcare organizations.
Ransomware groups are exploiting VMware ESXi hypervisors using SSH tunneling to maintain stealthy access. Attackers leverage known vulnerabilities or stolen admin credentials to infiltrate ESXi instances and then use the built-in SSH service for lateral movement and ransomware deployment. This allows the attackers to remain undetected while encrypting virtual environments.
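The technique above depends on the ESXi SSH service being reachable, so a quick defensive check is to inventory which hosts have it running and, optionally, shut it off. The following PowerCLI script is an added example, not code from the report or from VMware; it assumes PowerCLI is installed and an existing `Connect-VIServer` session, and the `AllowedHosts.AllIp` property read is an assumption about the firewall ruleset object.

```powershell
# Added example: audit ESXi hosts for a running SSH service (key 'TSM-SSH') and an
# 'SSH Server' firewall rule, which the SSH-tunneling technique relies on.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.
param(
    [switch]$Remediate   # stop SSH and set its startup policy to Off on flagged hosts
)

function Get-EsxiSshExposure {
    foreach ($vmhost in Get-VMHost) {
        $ssh  = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
        $rule = Get-VMHostFirewallException -VMHost $vmhost -Name 'SSH Server'
        [pscustomobject]@{
            Host          = $vmhost.Name
            SshRunning    = $ssh.Running
            SshPolicy     = $ssh.Policy          # On / Off / Automatic (startup policy)
            FwRuleEnabled = $rule.Enabled
            # Assumption: AllIp is $true when the rule is not restricted to specific IPs
            FwAllowAllIPs = $rule.ExtensionData.AllowedHosts.AllIp
        }
    }
}

$findings = Get-EsxiSshExposure
# Flag hosts where SSH is running, starts automatically, or is open to any source IP
$flagged = $findings | Where-Object {
    $_.SshRunning -or $_.SshPolicy -ne 'Off' -or ($_.FwRuleEnabled -and $_.FwAllowAllIPs)
}
$flagged | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $flagged) {
        $ssh = Get-VMHostService -VMHost (Get-VMHost -Name $f.Host) |
               Where-Object { $_.Key -eq 'TSM-SSH' }
        if ($ssh.Running) { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
        Set-VMHostService -HostService $ssh -Policy Off | Out-Null
        Write-Host "SSH stopped and set to Off on $($f.Host)"
    }
}
```

Run without `-Remediate` first to review the findings; hosts legitimately needing SSH for maintenance should keep the firewall rule restricted to management subnets rather than open to all IPs.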
HellCat and Morpheus, two ransomware-as-a-service (RaaS) operations, have been observed using identical payloads to target victims. The payloads use Windows Cryptographic Application Programming Interface (CAPI) to encrypt data, and both ransomware operations direct victims to use Tor browsers and provided credentials to access their respective .onion portals. Researchers believe that the overlap in tactics and payloads is likely due to a connection between the two groups. The use of similar tools and tactics suggests a collaboration between HellCat and Morpheus or a shared origin, which is a cause for concern for security professionals, as it indicates a potential for increased sophistication and impact of ransomware attacks.