Cyber Threat Intelligence

Ransomware Attacks in the U.S. 

Since the start of the new year, companies across the country have faced ransomware attacks, with the notorious threat actors Medusa, LockBit, and ALPHV/BlackCat standing out above the others. At least 50 known attacks have been recorded over the past three and a half months, roughly 25% fewer than the United States saw at this point the year prior. Although the statistics appear to be in our favor, ransomware remains a very prominent threat to businesses and corporations everywhere.

Recent Attacks 
From government infrastructure to energy services and transportation, cities from New York to California have had to halt operations due to ransomware attacks. Change Healthcare, a major healthcare technology provider in the United States, suffered two attacks just weeks apart, first from ALPHV/BlackCat and then from the ransomware gang RansomHub. The sensitive data exfiltrated by the groups included medical records and financial information belonging to US military personnel and patients.

LockBit, the highest-performing ransomware gang so far in 2024, has carried out over 30 attacks against various U.S. sectors since the beginning of the year, with a focus on the education and retail industries. After international law enforcement made arrests in February, some of the eCrime group’s infrastructure was seized. Unfortunately, the threat actor group treated this as a mere setback and was found relaunching its operation less than a week later, taking the lead for the most ransomware attacks by a single group against the country so far.

During March, the East Coast saw what appeared to be a string of attacks against government facilities within days of each other. Birmingham, Alabama discovered a disruption of its computer network on March 6, shutting down services such as the 311 call center. Huntsville, Alabama was next on the 10th, forced to shut down services across the town due to an attack. No threat actor has claimed either of the attacks against the Alabama cities, and both are currently under investigation.

Pensacola, Florida was hit only eight days later, with Henry County, Illinois following four days after that. The Medusa ransomware gang claimed the attack on Henry County, giving the victims eight days to pay a $500,000 ransom. Tarrant County Appraisal District in Texas confirmed it was the victim of an attack on the 21st by Medusa and was told it had to pay $700,000 in ransom. Jackson County, Missouri was forced to declare a state of emergency after its services were disrupted on the 28th by an unknown threat actor infiltrating its IT systems.

Who is LockBit? 
From financial services to manufacturing and healthcare, LockBit ransomware is most notable for the wide array of tactics, techniques, and procedures (TTPs) that allow the group to extort critical infrastructure globally. Because the eCrime group constantly modifies the TTPs it uses to deploy and execute ransomware, unsuspecting victims struggle to keep their security defenses up to date. Known for attacks against some of the world’s largest multinational financial institutions and leading technology firms, LockBit has stayed at the top of CISA’s advisory list as the most deployed ransomware-as-a-service over the past two years.

Who is ALPHV/BlackCat? 
Commonly victimizing the healthcare sector, the ALPHV/BlackCat ransomware group encrypts both Windows and Linux devices and relies on advanced social engineering techniques. Most commonly posing as IT staff for the victim’s company, the threat actors obtain credentials from employees, which are then used to access the network and deploy remote access software to exfiltrate data. ALPHV/BlackCat can evade detection by downloading applications such as Metasploit onto the domain controller and then deleting its traces from the logs on the Exchange server.
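The sequence described above (remote access tooling appears on a server, then the logs are wiped) is something a defender can look for in Windows event telemetry. The following is an added illustration, not DefendEdge's code or anything the post ships: it runs a simple correlation over constructed sample event records, using the real Windows event IDs 7045 (service installed) and 1102/104 (audit/system log cleared); the host names, tool names and timestamps are made up for the example.

```python
"""Hypothetical detection helper: flag a log-clear event that follows a
remote-access service install on the same host within a short window.
Event records below are constructed samples, not real telemetry."""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, event_id, detail)
SAMPLE_EVENTS = [
    ("2024-03-10T01:02:00", "EXCH01", 4624, "logon user=svc_it"),
    ("2024-03-10T01:05:30", "EXCH01", 7045, "service installed: AnyDesk"),
    ("2024-03-10T01:40:10", "EXCH01", 1102, "audit log cleared by svc_it"),
    ("2024-03-10T09:00:00", "FS01", 7045, "service installed: BackupAgent"),
    ("2024-03-11T03:00:00", "FS01", 1102, "audit log cleared by admin"),
]

# Service names that indicate a remote access tool (illustrative list)
REMOTE_ACCESS_NAMES = ("anydesk", "teamviewer", "atera", "splashtop", "screenconnect")
# 1102 = Security (audit) log cleared, 104 = System log cleared
LOG_CLEAR_IDS = {1102, 104}


def parse_event(rec):
    """Turn a raw tuple into a dict with a real datetime for ordering."""
    ts, host, eid, detail = rec
    return {"ts": datetime.fromisoformat(ts), "host": host, "id": eid, "detail": detail}


def find_log_clearing_after_remote_access(events, window_hours=2):
    """Return (host, clear_time) pairs where a log-clear event follows a
    remote-access service install on the same host within window_hours."""
    parsed = sorted((parse_event(e) for e in events), key=lambda e: e["ts"])
    installs = {}  # host -> time of most recent remote access tool install
    alerts = []
    for ev in parsed:
        if ev["id"] == 7045 and any(n in ev["detail"].lower() for n in REMOTE_ACCESS_NAMES):
            installs[ev["host"]] = ev["ts"]
        elif ev["id"] in LOG_CLEAR_IDS:
            last = installs.get(ev["host"])
            if last is not None and ev["ts"] - last <= timedelta(hours=window_hours):
                alerts.append((ev["host"], ev["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    # Only EXCH01 matches: FS01's install was not a remote access tool
    print(find_log_clearing_after_remote_access(SAMPLE_EVENTS))
```

A 1102/104 event on a domain controller or Exchange server deserves an alert on its own; the correlation here only raises the priority when it follows remote-access tooling.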

Who is Medusa? 
First appearing in June 2021 as a ransomware-as-a-service threat actor group, Medusa has grown substantially over the years, extorting companies with its double extortion method. By threatening to release the stolen data if victims do not pay the ransom, the group not only encrypts the infiltrated systems but extorts victims a second time through the compromised sensitive data. With the eCrime group’s primary motive being financial gain, its targets vary from corporate victims to technology companies with easily exploitable vulnerabilities.

What To Expect Moving Forward 
We can expect ransomware trends to pick up as the year progresses, tracking just below the statistics from 2023. As the more sophisticated threat actors continue to revise their attack methods and gain confidence, we will undoubtedly see new eCrime groups appear, causing chaos in new and unique ways. Thanks to CISA, advisories and rewards for aiding in the takedown of actors such as those listed above are available for viewing and are recommended reading for all.

Mitigation Techniques 
Implementing secure remote access tools and application controls (allowlisting) should help prevent the installation of anything your organization does not want or need. Antivirus tools should never be trusted completely on their own; like anything, they suffer service disruptions, so using a combination of applications stacks the odds in your favor. Endpoint detection and response (EDR) applications are extremely useful for detecting malicious or unwanted traffic. For this type of monitoring and more, explore the tools we offer at DefendEdge under “Our Services”.

Detecting ransomware can be tricky, but by ensuring that your organization is up to date on security training and aware of its security posture, the risk can be mitigated. If you or someone you know has been the victim of a ransomware attack, remember not to pay the ransom, as this encourages the threat actors to continue their attacks; financial gain is almost always their main motive.

For Emergency Cyber Security Incident Response please email RedTeam@DefendEdge.com