Experts Expect Ransomware Surge After Police Disruption

Security experts have warned of a likely rise in ransomware incidents in the second half of this year as criminal gangs recover from upheavals including law enforcement actions and the disappearance of a major group as part of an apparent scam.

Computer security firm ReliaQuest said it expects providers of ransomware infrastructure services to recover from such disruptions in the second half.

“We anticipate a more consistent rise in ransomware incidents in the second half of 2024 as affiliates resume normal operations,” the company said.

But it found the disruptions had contributed to exceptionally low ransomware figures for the first half, which were up only 1 percent over the same period a year earlier, as measured by the number of ransomware-affected organisations listed on gangs’ websites.

Disruption

The first quarter saw a major downturn in ransomware activity due to the disruption of the LockBit gang in February and the disappearance of the AlphV group, also known as BlackCat, the company said.

Although activity rose 20 percent sequentially in the second quarter, the April-June period remained 13 percent down on the same period in 2023.

Such factors “suggest that the historical trend of rapid growth in ransomware activity has slowed”, the firm said.

Fluctuations in the second quarter showed the ongoing effects of the disruption, with 43 percent of the quarter’s victims disclosed on ransomware sites in May followed by unusually low figures for June, ReliaQuest found.

LockBit tried to recover in the second quarter and announced it had breached 179 organisations in May alone, contributing to the month’s high figures.

But security firms have said LockBit is struggling to maintain trust amongst the companies that use its tools to commit ransomware crimes.

LockBit takedown

In May LockBit’s leader was officially identified as Russian national Dimitri Khoroshev, and in a further blow to the organisation the FBI said in June that it was making more than 7,000 decryption keys available to affected organisations.

“We expect LockBit activity to significantly reduce in coming months as the group struggles to maintain trust among affiliates,” ReliaQuest said.

The increased frequency of law-enforcement actions and the availability of free decryption keys “may lead to an overall reduction in ransomware activity in the medium- to long-term”, the company said.

Such gangs offer ransomware-as-a-service (RaaS) tools that allow hackers to carry out attacks on organisations with minimal effort and expertise, in exchange for a portion of any ransom received.

‘Exit scam’

The infrastructure provider normally receives the payment before sending the portion due to the affiliate who carried out the attack, but affiliates must trust the provider to send them their cut.

In March this system took a blow with the disappearance of the gang AlphV, also known as BlackCat, which is believed to have received a $22 million (£17m) payment from dominant US healthcare payments provider Change Healthcare before disappearing without paying its affiliate.

A notice was displayed on the AlphV website claiming the gang was taken down by law enforcement groups including the FBI and the UK’s National Crime Agency, but the NCA said it was not involved in any such action, which along with other factors led security researchers to conclude AlphV’s departure was an “exit scam”.

The disruption facilitated the emergence of new players including BlackSuit and RansomHub, which allows affiliates to collect payments themselves.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
