Rapid7 report reveals surge in ransomware attacks & new groups

Rapid7 researchers have reported over 2,570 ransomware attacks in the first half of 2024, with 21 new ransomware groups identified. The findings are part of the Rapid7 Ransomware Radar Report, released in conjunction with the company's presence at Black Hat USA.

The latest report provides analysis of more than 70 active ransomware groups, including 21 that emerged in 2024. It examines attacker activity and techniques over an 18-month period ending 30 June 2024. According to the report, ransomware groups are continuously refining their methods, developing business models that resemble legitimate corporate enterprises. These models include marketing services to prospective buyers, offering company insiders commissions in exchange for access, and running formal bug bounty programmes.

“The Ransomware Radar Report uses data to tell the story of how ransomware and the threat actors that wield it are evolving,” said Christiaan Beek, senior director of threat analytics at Rapid7. “For example, the related source code, combined with a continuing decline in the number of unique ransomware families, suggests a move toward more specialised and highly effective ransomware variants, rather than a broad array of less sophisticated malware.”

The report highlights several key findings. In the first six months of 2024, Rapid7 observed 21 new ransomware groups. Some of these groups are entirely new, while others are rebranded from previously known groups. One of the most notable new groups, RansomHub, has quickly established itself by making 181 posts to its leak site between 10 February and 30 June 2024.

Leak site posts, which represent extortion attempts, have also increased. The report notes a 23% rise in posts, with the number of ransomware groups actively posting to leak sites increasing from an average of 24 groups per month in the first half of 2023 to 40 per month in the first half of 2024. In total, 68 ransomware groups made 2,611 leak site posts between January and June 2024.

The report also finds that smaller organisations have become more frequent targets for ransomware attacks. Companies with annual revenues of around USD $5 million are falling victim to ransomware twice as often as those in the USD $30-50 million range and five times more often than those with USD $100 million in revenue. This trend suggests that smaller companies are large enough to hold valuable data but not as well protected as their larger counterparts.

“The report’s insights into the ransomware landscape are crucial for informing Defenders’ cybersecurity strategies,” said Beek. “From our own detection engineering point of view, the clusters and additional report information, such as the usage and type of encryption algorithms, help us uplevel hunting techniques and prevention, detection, and response technologies. Rapid7 continually investigates new techniques used by threat actors and ransomware operators, tests them against our patented Ransomware Prevention technology, and creates new preventions to ensure customers are protected against the latest threats.”

The Rapid7 Ransomware Radar Report provides a comprehensive analysis of ransomware incidents and binaries gathered globally. It offers insights into trends, attacker profiles, ransomware families, and the implications for cybersecurity defences. The report's data is culled from Rapid7's incident response teams and independent Rapid7 Labs research, covering prevalent ransomware families from 2023 that continued into 2024 and new ransomware samples observed up to June 2024.