Critical industries top ransomware chart, attacks decline • The Register
Major industrial organisations were hit by ransomware attacks again in July, while experts suspect that perpetrators are increasingly confident that law enforcement will not intervene.

Of the 395 ransomware attacks claimed by criminals last month, more than a third (125, or 34 percent) targeted critical industrial organizations, NCC Group said today. According to the firm’s figures, the industrial sector has been the most targeted by ransomware since 2021.

“Organizations within CNI provide essential services to society, making them valuable targets. Ransomware attacks pressure these targets to pay and exploit their need to remain operational,” the researchers’ report said.

“Additionally, the increased interconnectedness between operational technology and IT has expanded the attack surface, creating more potential entry points for ransomware attacks.”

Followers of infosec news over the past year might think that healthcare would be at the top of the list, given the multiple catastrophes at companies like Change Healthcare and Synnovis. Those in the industrials sector were far more likely to be targeted, however, recording nearly three times as many attacks as the next-worst-hit consumer discretionary sector.

Critical sector providers were previously considered unreachable by many ransomware criminals, given the police intervention in Darkside following the Colonial Pipeline attack.

As WithSecure noted today in its new H1 2024 Threat Report, there was a general perception that there was a line criminals wouldn’t dare cross, for fear that they too would face the same pressure from U.S. authorities as Darkside. For example, some groups vowed never to target hospitals again, though that didn’t last long.

But that belief has waned, WithSecure says, and it did so last year. Criminals no longer hesitate to go after the most critical targets, even against the backdrop of multiple major takedowns in the past year.

These takedowns, particularly of LockBit and ALPHV, have strengthened other groups. For example, Medusa had never posted more than 20 victims to its leak blog in a single month until LockBit went down.

Groups like Qilin, Hunters International, RansomHub and basically every other crew have also seen an increase in claimed victims since the two ransomware giants of recent years were shut down.

Somewhat confusingly, despite every other group benefiting from law enforcement’s actions, the total number of victims claimed has dropped year-over-year, and the numbers have also dropped in the past quarter, suggesting that fighting back is having the desired effect. It’s a slow process, admittedly, but it does seem to be moving in the right direction.

“It is almost certain that law enforcement actions have had a significant impact on the ransomware ecosystem,” WithSecure said. “While it is too early to draw conclusions about their long-term effectiveness, there has been a clear, positive impact in the short term.”

NCC Group saw a similar downward trend towards mid-2024, but was less certain whether it would continue. There was a 20 percent increase in claimed ransomware victims in July (395) compared to June (329), but the number is still significantly lower than the months between February and May.

[Figure: Monthly Registered Ransomware Attacks, 2023 and 2024. Courtesy of NCC Group]

“Whether this increase reflects the start of an upward trend remains to be seen. We will continue to monitor such activity,” NCC Group said.

Criminals latch on to info thieves

The trend seen last year, of ransomware criminals using infostealer malware on a much larger scale, will continue well into 2024, the researchers noted.

IBM X-Force saw a huge increase in the use of infostealers in 2023, a year that saw many new infostealers hit the market and a subsequent surge in attacks launched using valid credentials.

SpyCloud research from last year found that of the 2,613 ransomware samples it investigated, 30 percent involved the use of credentials harvested earlier by infostealer malware. More than three-quarters of these (76 percent) were the work of Raccoon Stealer, whose source code LockBit attempted to buy.

Initial access brokers (IABs), in addition to their other activities, play an important role in the trade of these credentials. Often, these are the criminals who abuse infostealers the most.

“(IABs) enable ransomware attacks by allowing these groups to focus less on facilitating initial access and more on finding partners and improving their malware,” NCC Group said.

“In terms of corporate risk, we have seen that infostealers play a crucial role in the initial entry into corporate environments. For example, an employee might be looking for an image editing software program on their work laptop and download a trojan application via SEO poisoning/malvertising, usually with some infostealer capabilities. This application extracts system, network and user information, which can later be sold or used to perform follow-up attacks on the user (targeted phishing, etc.).

“The entire ecosystem is known as Initial Access Brokerage, where infostealers act as a method to gather information and/or valid credentials until it can be used by other threat actors, such as ransomware operators, to hijack browser sessions, connect to valid corporate accounts, and so on.” ®