In the first quarter of 2024, the ransomware incidents reported to the NJCCIC involved Akira, LockBit, and Play ransomware. There was a sharp increase in Akira ransomware attacks, particularly after the LockBit ransomware group’s takedown. Akira ransomware operators are known for their sophisticated attacks, especially against US healthcare organizations. However, after the takedown, LockBit quickly relaunched operations to stay active and focused on targeting government agencies and critical infrastructure organizations, including healthcare. In addition, cyberattacks targeting ConnectWise ScreenConnect vulnerabilities were linked to both LockBit and Play ransomware. Although existing ransomware groups continue their efforts, new ransomware gangs have also initiated operations in 2024.
The top attack vectors for ransomware are phishing, compromising valid accounts, and external remote services. Threat actors are increasingly using artificial intelligence to generate targeted and sophisticated phishing campaigns and launch successful, profitable ransomware attacks. They also exploited vulnerabilities to infiltrate systems and networks, consistent with the predicted mass exploitation of technologies supporting hybrid and remote work and enterprise third-party file transfer solutions, such as virtual private networks (VPNs), cloud-based storage, and multi-factor authentication (MFA) tools.
Ransomware remains a prevalent threat as extortion tactics continue and evolve to pressure victim organizations to pay the ransom. Threat actors used extortion tactics, such as denying access to encrypted files, stealing data, and threatening a data breach by posting on public ransomware leak sites or releasing the stolen data to regulators, clients, or patients.
If you have questions or need assistance, contact a member of the BMT team.