In October, ransomware activity remained high with active campaigns from groups such as RansomHub, Akira, and Fog. These groups continue to diversify their targeting with renewed interest in high-impact sectors like Manufacturing, Technology, and Healthcare. Newly disclosed firewall vulnerabilities further emphasize the urgency of proactive patching, particularly for external-facing systems, as ransomware groups increasingly exploit public-facing infrastructure. These developments underscore the evolving threat landscape and the critical need for vigilance as ransomware groups refine their tactics and expand their reach.
In October, ransomware attacks were most prevalent in Manufacturing, Technology, and Healthcare, with these sectors facing sustained targeting by threat actors. This continued focus illustrates the high operational impact and critical data sensitivity within these industries, making them attractive to ransomware operators. Additionally, Construction & Engineering and Professional Services saw notable activity, reflecting an ongoing diversification in ransomware targeting as threat actors expand their reach across various high-value sectors.
In October, the ransomware landscape experienced significant developments, notably with the Qilin and Akira groups. Both groups' leak sites went offline early in the month but resumed operations later, introducing enhanced capabilities.
Qilin: The Qilin ransomware group released a new variant, Qilin.B, featuring advanced encryption methods and improved evasion techniques. This variant supports AES-256-CTR encryption for systems with AESNI capabilities and continues to use ChaCha20 for systems without this support. Additionally, it employs RSA-4096 with OAEP padding to protect encryption keys, preventing unauthorized decryption.
Akira: The Akira ransomware group resumed encryption activities in October after a period of focusing primarily on data exfiltration. This shift marks a return to their double extortion tactics, combining data theft with file encryption to increase pressure on victims. This recent activity highlights Akira’s ongoing adjustments to its methods to enhance impact.
Phishing emails, VPN vulnerabilities, lack of MFA, software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.
Fortinet Vulnerability (CVE-2024-23113): A critical flaw affecting Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb systems, allowing unauthenticated remote code execution (RCE). Exploitation of this vulnerability can lead to full system compromise.
Palo Alto Networks Expedition Vulnerabilities: Multiple vulnerabilities identified in the Palo Alto Networks Expedition tool, primarily affecting internal servers. While these systems are typically not exposed externally, exploitation could lead to unauthorized access and potential data breaches.
Firewalls are a critical component of any organization’s network security, serving as the first line of defense by managing and filtering network traffic. However, reliance on a single layer of defense is not enough; recent exploitation of firewall vulnerabilities underscores the need for a defense-in-depth approach. Threat actors have increasingly targeted known vulnerabilities in major firewall systems like Fortinet, Palo Alto Networks, and SonicWall to bypass protections and gain unauthorized access.
In addition to external-facing access controls, proper management of local accounts on firewalls is essential. Recent cases have shown that these accounts, often left enabled with minimal security by third-party providers or SMB environments with limited resources, can provide an easy foothold for attackers. Without proper hardening or oversight, unsecured local accounts expose networks to heightened risk, enabling lateral movement and privilege escalation once attackers gain entry. To strengthen firewall resilience, organizations should consider a layered security approach, including:
Regular Patching – Keep firewall systems up to date with the latest security patches to address known vulnerabilities.
Multi-Factor Authentication (MFA) – Implement MFA for accessing firewall management interfaces, adding an extra layer of security against unauthorized access.
Strict Access Management – Limit access to firewall settings to only essential personnel and enforce strong authentication protocols.
Manage Local Accounts – Disable or secure local accounts, especially those configured by third parties, to prevent unauthorized access through unsecured credentials.
Network Segmentation – Divide the network into segments to minimize potential lateral movement if a firewall is compromised. Ensure that your management network is not easily reachable if an attacker gains access to the network.
Active Monitoring and Logging – Regularly monitor firewall logs for unusual activity so that threats are detected early. We also recommend retaining firewall logs for a year so that the artifacts needed for investigations are available.
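As an added example (not MOXFIVE's code or tooling), the following Python script turns the access-management and monitoring recommendations above into three detection rules and runs them over a few constructed firewall admin-audit log lines: a burst of failed logins against one account, a successful login or configuration change from outside the management network, and a successful login by an account that is not one of the expected administrators (with a note when it is a known third-party local account). The management subnet, the admin account names, the `vendor-support` account, the thresholds and the generic `key=value` log format are all assumptions; real firewalls log in vendor-specific formats and need their own parser.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed site values (not from the report): the management subnet, the
# accounts expected to administer the firewall, and a local account known
# to have been created by a third-party integrator.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
EXPECTED_ADMINS = {"netops.alice", "netops.bob"}
THIRD_PARTY_LOCAL = {"vendor-support"}
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)

# Generic key=value admin-audit format used only for this constructed sample.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: result=(?P<result>\w+))?$"
)

# Constructed sample log: a third-party local account is brute-forced from an
# external address, succeeds, and then changes configuration.
SAMPLE_LOG = """\
2024-10-14T02:11:05Z event=admin_login user=netops.alice src=10.10.0.15 result=success
2024-10-14T02:13:40Z event=admin_login user=vendor-support src=203.0.113.44 result=failure
2024-10-14T02:13:52Z event=admin_login user=vendor-support src=203.0.113.44 result=failure
2024-10-14T02:14:07Z event=admin_login user=vendor-support src=203.0.113.44 result=failure
2024-10-14T02:14:30Z event=admin_login user=vendor-support src=203.0.113.44 result=success
2024-10-14T02:15:02Z event=config_change user=vendor-support src=203.0.113.44
2024-10-14T09:00:11Z event=admin_login user=netops.bob src=10.10.0.22 result=success
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def finding(rule, rec, detail):
    return {"rule": rule, "ts": rec["ts"].isoformat(), "user": rec["user"],
            "src": str(rec["src"]), "detail": detail}


def analyze(lines):
    """Apply the three rules to an iterable of log lines; return a list of findings."""
    findings = []
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, src, ts = rec["user"], rec["src"], rec["ts"]
        login_ok = rec["event"] == "admin_login" and rec["result"] == "success"
        login_failed = rec["event"] == "admin_login" and rec["result"] == "failure"
        changed = rec["event"] == "config_change"

        # Rule 1: repeated failures for one account from one source within the window.
        if login_failed:
            window = failures[(user, src)]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) == FAIL_THRESHOLD:  # fire once when the threshold is reached
                findings.append(finding("failed_login_burst", rec,
                                        f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW}"))

        # Rule 2: management access from outside the management network.
        if (login_ok or changed) and src not in MGMT_NET:
            findings.append(finding("mgmt_access_outside_mgmt_net", rec,
                                    f"{src} is not in {MGMT_NET}"))

        # Rule 3: successful login by an account that should not be administering the device.
        if login_ok and user not in EXPECTED_ADMINS:
            detail = ("known third-party local account" if user in THIRD_PARTY_LOCAL
                      else "account not in expected admin set")
            findings.append(finding("unexpected_admin_account", rec, detail))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['rule']:30} user={f['user']} src={f['src']} ({f['detail']})")
```

On the constructed sample the script raises four findings, all tied to the `vendor-support` account: one failed-login burst, one login by an unexpected account, and two management actions from an address outside the management subnet. Rule 3 is the one that makes the local-account recommendation auditable: if third-party accounts cannot be disabled outright, listing them in `THIRD_PARTY_LOCAL` ensures every use is surfaced rather than lost in routine admin traffic.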
RansomHub emerged as a ransomware-as-a-service (RaaS) in early 2024 and has quickly become the most widely used ransomware service on the threat landscape. RansomHub’s unique payment model offers threat actors a 90% commission on paid ransoms, making it especially attractive compared to other ransomware services. For more details, check out the MOXFIVE RansomHub Threat Actor Spotlight here.
Akira has remained one of the most active ransomware groups throughout 2024, targeting a range of industries and offering a "deliverable menu” of paid services, including decryptors and data deletion options. In October, Akira reintroduced file encryption into its attacks and refined its tactics to enhance operational impact. For more details, check out the MOXFIVE Akira Threat Actor Spotlight here.
Fog is a new ransomware variant first observed in Q2 2024, with MOXFIVE assisting in one of the earliest recorded incidents. Initially focused on the Education sector, Fog has recently expanded its attacks to include multiple sectors, primarily Manufacturing and Healthcare. For more details, check out the MOXFIVE Fog Threat Actor Spotlight here.