MOXFIVE Monthly Insights - September 2024
In this newsletter, we share the latest threat insights and recommendations from the MOXFIVE team. If you are not already on the MOXFIVE mailing list, subscribe to receive future issues.

September Highlights

September 2024 highlighted the diversity within the ransomware threat landscape. Established groups like Akira and BianLian remained active, alongside threat actors deploying Ransomware-as-a-Service (RaaS) operations like RansomHub and Rhysida. In addition to these dominant players, some activity was observed from Cl0p, a group known for one of the most widespread cyber-attacks of 2023, the MOVEit exploit campaign. This month also saw the introduction of a new player in the threat landscape, INTERLOCK ransomware.

During September, ransomware trends aligned closely with the broader 2024 patterns, with Healthcare and Manufacturing remaining the most frequently targeted sectors. This continued focus reflects the persistent challenges these industries face against ransomware. Additionally, MOXFIVE assisted with a number of emerging cases in the Automobile industry, highlighting an expanding range of targets as ransomware threat actors diversify their targeting.

INTERLOCK is a newly identified ransomware variant that surfaced in late September 2024 and has initially targeted organizations in the Healthcare sector. On September 30th, MOXFIVE released a Threat Actor Alert covering our initial findings based on our experience with this variant. The sophisticated tactics observed in these attacks suggest that the threat actors behind this ransomware likely comprise experienced individuals.

Initial access is suspected to have been gained through an exploited vulnerability. The threat actor(s) target virtual machines (VMs), leaving workstations and physical servers untouched. They also establish command-and-control (C2) through a scheduled task that runs a reverse shell over an anonymized network to communicate with the infected machine. Additional tools known to be used by the threat actor(s) include AnyDesk for remote connectivity and WinSCP for data exfiltration. MOXFIVE is continuing to monitor for attacks involving this ransomware variant and will continue to share updates as new information becomes available.
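As an added detection example (not code from MOXFIVE or the newsletter), the following Python triages constructed Windows Security Event ID 4698 records (scheduled task created) for the task-based C2 and the AnyDesk/WinSCP tooling described above; the event field names, the tool list and the argument heuristics are assumptions to be tuned to your environment.

```python
# Triage constructed Event ID 4698 records for task-based C2 and remote tooling.
import ntpath
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}
# Tools the newsletter ties to this intrusion, plus the interpreters a
# task-launched reverse shell is usually hosted in (assumed list).
REMOTE_TOOLS = {"anydesk.exe": "remote-access tool", "winscp.exe": "file-transfer tool"}
SHELL_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Argument fragments typical of hidden or script-backed shells (heuristic; tune locally).
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "windowstyle hidden",
                   "\\appdata\\", "\\programdata\\", "\\temp\\")

def exec_actions(task_xml: str):
    """Yield (executable basename, arguments) for every <Exec> action in a task."""
    root = ET.fromstring(task_xml)
    for action in root.findall(".//t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        yield ntpath.basename(cmd).lower(), args

def triage_event(event: dict) -> list[str]:
    """Return findings for one 4698 event; an empty list means nothing was flagged."""
    findings = []
    for exe, args in exec_actions(event["TaskContent"]):
        if exe in REMOTE_TOOLS:
            findings.append(f"{event['TaskName']}: launches {REMOTE_TOOLS[exe]} {exe}")
        if exe in SHELL_HOSTS and any(m in args.lower() for m in SUSPICIOUS_ARGS):
            findings.append(f"{event['TaskName']}: {exe} with suspicious args: {args}")
    return findings

def task_xml(cmd: str, args: str = "") -> str:
    """Minimal task definition, used only to build the constructed samples."""
    return (f'<Task xmlns="{TASK_NS}"><Actions><Exec><Command>{cmd}</Command>'
            f"<Arguments>{args}</Arguments></Exec></Actions></Task>")

# Constructed sample events: one benign maintenance task, two modelled on the TTPs above.
SAMPLE_EVENTS = [
    {"TaskName": "\\Maintenance\\DiskCheck", "SubjectUserName": "SYSTEM",
     "TaskContent": task_xml("C:\\Windows\\System32\\chkdsk.exe", "C: /scan")},
    {"TaskName": "\\SysHealthCheck", "SubjectUserName": "svc_backup",
     "TaskContent": task_xml("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                             "-w hidden -File C:\\ProgramData\\sync.ps1")},
    {"TaskName": "\\RemoteSupport", "SubjectUserName": "svc_backup",
     "TaskContent": task_xml("C:\\ProgramData\\AnyDesk\\AnyDesk.exe")},
]
```

In production the `TaskContent` XML comes from the 4698 event's task definition field, and a hit on a task created by a non-administrative account is worth correlating with the VM-only targeting noted above.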

Top Threats

Phishing emails, VPN vulnerabilities, lack of MFA, software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.

CVE-2024-40766 is a critical access control vulnerability affecting SonicWall SSL-VPN appliances, disclosed in August 2024. It allows unauthorized access and has been exploited by ransomware groups such as Akira to infiltrate networks. SonicWall has released a security advisory urging prompt patching due to the severity of the flaw.

Resilience Spotlight

Patching vulnerabilities is a foundational practice in cybersecurity that plays a crucial role in protecting organizations from ransomware and other cyber threats. Threat actors commonly exploit unpatched vulnerabilities to gain unauthorized access, especially in critical systems exposed to the internet. By keeping applications and systems up-to-date, organizations can close these security gaps and significantly reduce the risk of attacks.

A clear example of the importance of timely patching is the recent SonicWall SSL-VPN vulnerability (CVE-2024-40766). A patch, delivered as a firmware update, was released in August, and SonicWall also recommended changing all associated passwords, enabling multifactor authentication (MFA), and disabling local or administrator accounts. Organizations were further advised to authenticate via Security Assertion Markup Language (SAML) with MFA, which enhances security by centralizing login processes and reducing dependency on local accounts. The Akira ransomware group, in particular, exploited this vulnerability in late August and September, underscoring the critical need to promptly apply patches and follow best practices for securing systems when vulnerabilities are disclosed.

Active Threat Actors

BianLian is a ransomware group that emerged in 2022 and has rapidly gained notoriety for its highly targeted attacks on critical infrastructure. The group originally employed encryption-based tactics but has since shifted to data exfiltration and extortion, leveraging the threat of public exposure of sensitive data to coerce organizations into paying large ransoms. The MOXFIVE Threat Actor Spotlight on BianLian covers the group in more detail.

Cl0p is a RaaS operation best known for the MOVEit exploit campaign in 2023, in which the group leveraged the vulnerability CVE-2023-34362 to breach over a hundred organizations. Although activity involving Cl0p has been significantly lower this year compared to 2023, recent cases involving this ransomware indicate that the group is still worth monitoring in the threat landscape.

MetaEncryptor first emerged in August 2022 and has been linked to multiple ransomware attacks. The group reportedly rebranded as LostTrust in 2023, a link drawn from the significant code overlap between the two. However, activity from LostTrust has not been observed since late 2023, while MetaEncryptor has continued targeting several organizations.