Corvus Insurance has released its Q3 2024 Cyber Threat Report, highlighting a shift in ransomware attack tactics, with nearly 30% of incidents linked to vulnerabilities in virtual private networks (VPNs) and weak passwords.
The report indicates that outdated software and inadequate protection on VPN accounts contributed significantly to ransomware incidents. Accounts using common usernames like "admin" or "user" and lacking multi-factor authentication (MFA) were particularly susceptible to brute-force attacks, where attackers exploit publicly accessible systems by testing weak credentials.
Data from ransomware leak sites revealed 1,257 attacks in Q3, a slight increase from the 1,248 recorded in Q2. Five groups – RansomHub, PLAY, LockBit 3.0, MEOW, and Hunters International – were responsible for 40% of the quarter’s attacks.
Among these, RansomHub was the most active, with 195 victims, a 160% rise compared to Q2. LockBit 3.0 saw a decline in activity, dropping from 208 victims in Q2 to 91 in Q3.
Despite the concentration of attacks among a few groups, the ransomware ecosystem continued to expand, with 59 groups identified by the end of Q3. The emergence of new players, such as RansomHub, demonstrates the dynamic nature of the ecosystem.
Following law enforcement’s takedown of LockBit in Q1, RansomHub quickly gained prominence, claiming over 290 victims across various sectors in 2024.
The construction industry remained the most targeted sector in Q3, with 83 reported ransomware attacks, up 7.8% from the 77 incidents in Q2. Groups like RansomHub continued to focus on infrastructure-related businesses. The healthcare sector also experienced increased activity, with 53 reported attacks, a 12.8% rise from 42 in Q2.
Jason Rebholz, chief information security officer at Corvus, emphasized the importance of bolstering security measures.
“Attackers are focused on finding the path of least resistance into a business to launch an attack, and in Q3 that entry point was the VPN,” he said. “Businesses must strengthen defenses with multi-layered security approaches that extend beyond MFA. Today, MFA is mere table stakes and must be complemented with secure access controls capable of shoring up these current and future areas of vulnerability.”