SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Barracuda study shows healthcare sector most targeted by ransomware

Thu, 22nd Aug 2024

New research from Barracuda Networks has revealed that 44% of foiled ransomware attacks are detected during lateral movement. According to the company's 2023/24 ransomware review, healthcare remains the most targeted sector, with 21% of ransomware incidents affecting healthcare organisations, an increase from 18% the previous year.

The findings are part of Barracuda's annual "Threat Spotlight on ransomware," which examined 200 publicly reported ransomware incidents from August 2023 to July 2024. These incidents spanned 37 countries and involved 36 different ransomware groups.

The report highlights that the manufacturing and technology sectors were also significant targets, accounting for 15% and 13% of the reported attacks, respectively. The education sector, which had previously accounted for 18% of the attacks, saw a notable decline to 9% in 2023/24.

Adam Khan, VP, Global Security Operations at Barracuda Networks, explained, "Ransomware-for-rent attacks can be hard to detect and contain. Different cybercriminal customers can use different tools and tactics to deploy the same payload, resulting in considerable variation. Fortunately, there are tried and tested approaches that most attackers rely on, such as scanning, lateral movement, and malware download."

The study indicated that a significant portion of attacks were perpetrated by ransomware-as-a-service (RaaS) models. LockBit, a prominent RaaS group, was responsible for 18% of the attacks where the identity of the attacker was known. ALPHV/BlackCat accounted for 14% of attacks, and Rhysida, a relatively new entrant, was behind 8% of the identified attacks.

Detection data from Barracuda Managed XDR’s Endpoint Security service identified key indicators of likely ransomware activity in the first six months of 2024. Lateral movement within networks was the most common, with 44% of attacks being identified this way. File modifications were another significant indicator, representing 25% of detections. Off-pattern behaviour within systems, accounting for 14% of detections, was also a vital signal of potentially malicious activity.

A detailed investigation into a mitigated PLAY ransomware attack targeting a health technology business and an 8Base incident at a car care company revealed common tactics used by attackers. These included targeting unprotected devices to establish footholds and hiding malicious files in infrequently used music and video folders.

Khan highlighted the importance of a multi-layered defence strategy to combat ransomware effectively. "Multiple detection layers are essential in the battle against active threats such as ransomware, where attackers often leverage commercially available tools used legitimately by IT teams and can make real-time adjustments in their behaviour and tactics to succeed," he said. "Barracuda recommends multilayered, AI-powered defences, which are key to detecting and remediating advanced attacks to contain and minimise the impact. This should be complemented by robust authentication and access policies, patching, and regular security awareness training for employees."

The data underscores that while the methods of cyber attackers are evolving, familiar tactics and indicators provide critical opportunities for detection and mitigation. The emphasis on healthcare as a primary target highlights the ongoing vulnerability of this sector and the significant impact that these attacks can have on essential services.

Overall, the report underscores the need for constant vigilance and the implementation of comprehensive security measures to protect against the evolving threat landscape posed by ransomware.
