Ransomware Groups

Chris Swagler | February 19th, 2024


Security professionals spend a lot of time thinking about ransomware and ransomware groups: how to avoid them, which of the data they manage could be compromised, and what slimy trick will be used next. Ransomware specialists believe that as cyber-defenses become harder to bypass in the coming year, cybercriminals will modify their techniques and targets. Additionally, security professionals warn that mobile endpoints will become more appealing targets and that previous vulnerabilities, including Log4j, will continue to serve as entry points into networks for ransomware attacks. What follows is a compilation of discussions from professionals on what to look out for and how to create a successful ransomware prevention and mitigation strategy for 2024.

Be prepared to encounter more devious ransom threats in the coming year. Ransomware groups use the data they steal in very strategic, and sometimes personal, ways to pressure individuals and companies into paying. There have been incidents where sensitive personal information about children, stolen from school districts, was sent directly to their parents. Recently, the BlackCat group reported its own attack to the SEC as a pressure tactic. The days of ransomware groups simply encrypting data and demanding a ransom are over. Double extortion has become a common tactic, and ransomware groups are going beyond releasing stolen data online.

One threat research team provided an example of how attacks evolve. In one case, two affiliates of the same ransomware-as-a-service (RaaS) group were targeting the same company. The affiliates were stepping on each other: one was focused on low-and-slow exfiltration, hoping for a large extortion payout, while the other used a “smash-and-grab” approach, which exposed the first. The case demonstrates how widespread the threats can become.

Ransomware may experience a recession in 2024, as more countries pledge not to pay ransoms and fewer companies yield to the pressure of encrypted systems, preferring to spend on rebuilding systems rather than decrypting them. Ransomware operators are beginning to have cash-flow issues, making it difficult to keep up with their resource-intensive attacks. A larger transition to high-pressure data extortion attacks is anticipated; ransomware will continue to exist but shift its focus to a consumer or small-business target base where threat actors have significant leverage. However, given that ransom demands against SMBs are likely to be lower than those against large companies, it’s evident that ransomware is about to evolve.

Another threat to be aware of in 2024 is mobile ransomware. People are sometimes deceived into downloading mobile ransomware through social engineering, believing they’re downloading harmless content or crucial software. According to a global mobile threat report, there was a 51% increase in the total number of unique mobile malware samples year-over-year, and it’s realistic to expect that to continue.

In 2023, countries agreed at the Counter Ransomware Initiative that governments shouldn’t pay ransoms. Australia has stated that prohibiting ransom payments is “inevitable”. Some U.S. states have taken the step of prohibiting their governments from paying ransoms. More countries are looking at restricting ransom payments as a means of combating cybercrime.

Security professionals want to forget about prior vulnerabilities, including Log4j, because they’re generally associated with a terrible event. However, those are exactly what threat actors target. Even though numerous patches are available from well-known vendors and security companies have produced various signatures to cover it, Log4j remains one of the most serious supply chain vulnerabilities uncovered. Because of its position in the supply chain, its continual discovery in new places, and its continued inclusion in newly written code, it’s worth threat operators’ attention. One set of threat data indicates that Log4j-related attacks could increase by 10% year-over-year between 2022 and 2023, and a bigger increase is expected by the end of 2024.
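The "continual discovery in new places" problem above is an inventory problem: the vulnerable library keeps turning up bundled inside other software. The following is an added example (not code from the original post or from SpearTip) of the kind of check a defender can run over a host or a build-artifact tree. It walks a directory, opens every archive with the standard library, recurses into nested jars (a war bundling jars under WEB-INF/lib), reads the Maven pom.properties that log4j-core ships with, and reports any copy whose version is below a remediation baseline. It also reports whether JndiLookup.class is still present, since removing that class from the jar is the recognised mitigation when an upgrade is not possible. The baseline version, the fixture versions, and the sample tree it builds are all assumptions constructed for the example.

```python
"""Inventory check for log4j-core copies below a remediation baseline (added example)."""
import io
import os
import tempfile
import zipfile

SAFE_BASELINE = (2, 17, 1)   # assumption: your organisation's minimum acceptable log4j-core version
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # standard Maven path
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a qualifier such as '2.0-beta9' keeps only the leading digits."""
    parts = []
    for piece in text.strip().split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def inspect_archive(zf, path):
    """Return findings for this archive and any archives nested inside it."""
    findings = []
    names = set(zf.namelist())
    if POM_PROPS in names:
        version = None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
        findings.append({
            "path": path,
            "version": version,
            "vulnerable": version is None or parse_version(version) < SAFE_BASELINE,
            "jndi_lookup_present": JNDI_CLASS in names,
        })
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            findings.extend(inspect_archive(inner, f"{path}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory and inspect every archive found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    findings.extend(inspect_archive(zf, full))
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_tree(root):
    """Constructed fixtures: two fake log4j-core jars (old and patched) and a war nesting the old one.
    These hold only the metadata the scanner reads, not real Log4j bytecode."""
    def make_jar(version, with_jndi):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
        return buf.getvalue()
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(make_jar("2.14.1", True))
    with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(make_jar("2.17.1", False))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_jar("2.14.1", True))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())


def scan_sample():
    """Build the constructed fixture tree in a temporary directory and scan it."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_sample()
    for f in results:
        flag = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{flag:10} {f['version'] or '?':8} jndi={f['jndi_lookup_present']} {f['path']}")
```

Run it with a directory argument to scan real artifacts, or with no argument to scan the constructed sample, which produces two findings for the old jar (one direct, one nested in the war) and none for the patched one. Version comparison alone is a coarse signal; the JndiLookup.class column is what tells you whether a copy that cannot be upgraded has at least been neutralised.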

As network defenses get stronger, cybercriminals will shift their focus from obtaining credentials (such as passwords) to targeting the “back door”: account recovery procedures. One example: a cybercriminal enters wrong information into an account five times, and the account recovery process begins. If that process involves calling a help hotline or answering security questions online, threat operators may be able to obtain the information needed to get in by browsing social media. It has happened already, but in 2024 there will be an increase in cybercriminals targeting account recovery methods to compromise credentials.
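The sequence just described, a burst of failed logins immediately followed by a recovery flow, is something an identity provider's logs can surface. Below is an added example of that detection rule (not code from the original post or from SpearTip): it keeps a bounded per-account window of failed logins and raises an alert when a recovery flow starts while the failure count inside the window meets the threshold. The key=value log format, the event and field names, the threshold, the window, and the sample lines are all assumptions constructed for the example; map them to your own IdP's schema. The sample includes the edge case of failures that are too old to count, so the rule does not fire on every recovery.

```python
"""Account-recovery abuse detector over constructed auth events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumption: the failure count that triggers recovery in the text
WINDOW = timedelta(minutes=15)  # assumption: how far back failures are correlated with a recovery

# Constructed sample log, not captured from any real system. Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-02-19T09:00:01 user=alice event=login_failed src=203.0.113.5
2024-02-19T09:00:09 user=alice event=login_failed src=203.0.113.5
2024-02-19T09:00:17 user=alice event=login_failed src=203.0.113.5
2024-02-19T09:00:26 user=alice event=login_failed src=203.0.113.5
2024-02-19T09:00:34 user=alice event=login_failed src=203.0.113.5
2024-02-19T09:00:40 user=alice event=recovery_started src=203.0.113.5 channel=security_questions
2024-02-19T09:05:00 user=bob event=login_failed src=198.51.100.7
2024-02-19T09:05:30 user=bob event=recovery_started src=198.51.100.7 channel=helpdesk_call
2024-02-19T11:00:00 user=carol event=login_failed src=192.0.2.9
2024-02-19T11:00:05 user=carol event=login_failed src=192.0.2.9
2024-02-19T11:00:10 user=carol event=login_failed src=192.0.2.9
2024-02-19T11:00:15 user=carol event=login_failed src=192.0.2.9
2024-02-19T11:00:20 user=carol event=login_failed src=192.0.2.9
2024-02-19T13:00:00 user=carol event=recovery_started src=192.0.2.9 channel=security_questions
"""


def parse_event(line):
    """'<timestamp> k=v k=v ...' -> dict with a parsed 'ts' field."""
    ts_text, _, rest = line.strip().partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
    return fields


def detect(lines):
    """Return one alert per recovery attempt preceded by a burst of failed logins.

    Failures are held per account in a deque; entries older than WINDOW are evicted as
    events arrive, so memory stays bounded on a long stream and stale failures do not count."""
    failures = defaultdict(deque)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        user, ts = ev["user"], ev["ts"]
        q = failures[user]
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        if ev["event"] == "login_failed":
            q.append((ts, ev.get("src")))
        elif ev["event"] == "recovery_started" and len(q) >= FAIL_THRESHOLD:
            sources = {src for _, src in q}
            alerts.append({
                "user": user,
                "at": ts.isoformat(),
                "failed_logins_in_window": len(q),
                "recovery_channel": ev.get("channel"),
                "sources": sorted(sources | {ev.get("src")}),
            })
            q.clear()  # one alert per burst; do not re-fire on later steps of the same recovery
    return alerts


def run_sample():
    """Evaluate the rule over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT user={a['user']} at={a['at']} failures={a['failed_logins_in_window']} "
              f"channel={a['recovery_channel']} src={','.join(a['sources'])}")
```

On the sample, only alice fires: bob has a single failure, and carol's five failures are two hours old by the time her recovery starts. The alert carries the recovery channel because the text's concern is specifically the weaker channels (security questions, help-desk calls); routing those alerts to the help desk before an agent completes the call is the practical mitigation.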

Most companies have numerous inactive, dormant brand domains that aren’t monitored regularly, and many such domains are owned by unaffiliated third parties for malicious purposes. Threat actors keep the dormant domain names inactive for months or years, attach an MX record to them, and leave them alone until they’re ready to launch cyberattacks, including targeted phishing and malware distribution campaigns. Given how many companies don’t control their whole brand-affiliated domain portfolio, it’s predicted that many more dormant domains will be used in phishing and malware-focused attacks in 2024.
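The precondition described above, a domain nobody uses that nevertheless has an MX record, is auditable from a domain inventory. The following is an added example (not code from the original post or from SpearTip) of that audit: for each brand domain it asks whether a dormant domain still routes mail and whether the MX host belongs to a provider the company actually uses. The inventory, the approved mail-host suffixes, and the MX snapshot are constructed assumptions; the resolver is injected as a callable so the sample runs offline, and in production a live lookup (for instance dnspython's dns.resolver.resolve(name, "MX")) would be passed in instead.

```python
"""Dormant brand-domain MX audit over a constructed inventory (added example)."""

# Assumption: mail-host suffixes belonging to the providers your company actually uses.
ALLOWED_MX_SUFFIXES = ("mail.example-corp.net", "protection.outlook.com")

# Constructed inventory, as exported from a registrar or domain-portfolio tool.
INVENTORY = [
    {"domain": "example-corp.com",        "status": "active"},
    {"domain": "example-corp-promo.com",  "status": "dormant"},
    {"domain": "examplecorp-careers.net", "status": "dormant"},
    {"domain": "example-corp-2019.org",   "status": "dormant"},
]

# Constructed DNS snapshot standing in for live MX lookups (priority, then host).
MX_SNAPSHOT = {
    "example-corp.com": ["10 mx1.mail.example-corp.net."],
    "example-corp-promo.com": [],
    "examplecorp-careers.net": ["10 mail.unrelated-host.example."],
    "example-corp-2019.org": ["5 example-corp-2019-org.mail.protection.outlook.com."],
}


def snapshot_resolver(domain):
    """Offline stand-in for a DNS MX query; returns a list of 'priority host.' strings."""
    return MX_SNAPSHOT.get(domain, [])


def mx_host(record):
    """'10 mx1.mail.example.net.' -> 'mx1.mail.example.net' (drop priority and trailing dot)."""
    return record.split()[-1].rstrip(".").lower()


def host_allowed(host):
    """True when the host is one of the approved suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_MX_SUFFIXES)


def audit(inventory, resolve_mx):
    """Flag dormant domains that accept mail, and any domain whose MX points to an unknown host."""
    findings = []
    for entry in inventory:
        hosts = [mx_host(r) for r in resolve_mx(entry["domain"])]
        foreign = [h for h in hosts if not host_allowed(h)]
        if entry["status"] == "dormant" and hosts:
            findings.append({
                "domain": entry["domain"],
                "severity": "high" if foreign else "medium",
                "reason": ("dormant domain routes mail to unrecognised host(s): " + ", ".join(foreign))
                          if foreign else "dormant domain still accepts mail via a known provider",
                "mx": hosts,
            })
        elif foreign:  # active domain whose mail goes somewhere the company does not recognise
            findings.append({
                "domain": entry["domain"],
                "severity": "high",
                "reason": "MX points outside approved providers: " + ", ".join(foreign),
                "mx": hosts,
            })
    return findings


def run_sample():
    """Run the audit over the constructed inventory with the offline resolver."""
    return audit(INVENTORY, snapshot_resolver)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['severity'].upper():6} {f['domain']:26} {f['reason']}  mx={f['mx']}")
```

On the sample, examplecorp-careers.net is high severity (dormant, and its MX is a host nobody approved), example-corp-2019.org is medium (dormant but parked on a known provider, which still deserves a decision to either retire or re-own it), and the two other domains produce nothing. A domain you do not own at all will resolve as well, so the same audit run over look-alike names you registered defensively versus ones you did not is how you spot the third-party-held variants the text warns about.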

Almost 80% of IT professionals believe that bots are becoming more sophisticated and harder to identify with their security technologies. Advanced bots designed to scalp footwear and electronics are being repurposed and made freely accessible to anyone willing to commit fraud. The threat operator community has attained economies of scale, and it’s never been easier to conduct complex cyberattacks without the knowledge previously required. Advanced bots will boost digital fraud and abuse, including more high-profile, successful account takeover attacks and money laundering operations.

The complexity and interconnection of current software and hardware supply chains make them prime targets for cybercriminals and state-sponsored threat operators. There have already been prominent examples, including the SolarWinds and Kaseya incidents, in which threat operators exploited widely used software to enter numerous companies simultaneously. The trend of targeting suppliers rather than direct targets is predicted to continue, making supply chain security a major concern for companies. Because such attacks can have a large impact, affecting numerous companies at once, expect regulators and customers to put more pressure on supply chain security. As a result, supply chain security regulations and compliance requirements will become stricter, forcing companies to conduct more thorough due diligence on their vendors.

With the first two months of 2024 in the books, ransomware groups, current or new, will be looking to evolve their current tactics or develop new techniques to target high-profile companies. Companies need to stay ahead of the latest threat landscape and regularly update their networks’ security infrastructure to close potential vulnerabilities. SpearTip focuses on the people behind cyberattacks and is prepared to stop them. The SpearTip team works tirelessly to defend organizations, livelihoods, shareholder value, jobs, reputations, brands, and most importantly, companies. Our Security Operations Center remains staffed 24/7/365, working in a continuous investigative cycle to respond to unwarranted intrusions at a moment’s notice. Within minutes of engagement, SpearTip can respond to the breach and reclaim networks within hours. The ShadowSpear Platform is an integrable security solution with the combined capabilities of SIEM, AV, MDR, anti-phishing tools, and much more. Our SOC provides companies with a team of experienced professionals, 24/7/365 monitoring and threat remediation, and a proven cybersecurity tool dedicated to ensuring threat actors never establish a foothold in their environment. Our ShadowSpear Platform is a proven resource that protects against cyber threats and attacks impacting your organization. The platform’s Software-as-a-Service (SaaS) architecture optimizes visibility without intensive and overbearing resource requirements. ShadowSpear is lightweight, stable, and able to enhance the cyber posture of any organization.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
