Black Kite Research Reveals Growing Persistence, Sophistication and Aggression Within Cybercrime Ecosystem
April 30 2024 - 9:05AM
Black Kite, the leader in third-party cyber risk intelligence,
today published its annual report, based on primary research, State
of Ransomware 2024: A Year of Surges and Shuffling, which reveals
the increased persistence, sophistication and aggression within
ransomware groups. According to the Black Kite Research &
Intelligence Team (BRITE), there were a staggering 4,893 reported
ransomware attacks from April 2023 through March 2024 — an 81%
year-over-year increase. The United States was the most targeted
country in the world. In fact, during this time, there were nearly
as many attacks in the U.S. alone (approx. 2300) as there were
globally in all of 2023 during the corresponding period.
The research by Black Kite’s BRITE group offers an unprecedented
deep dive into the sophistication and interconnectedness of the
ransomware ecosystem, breaking down the corporate-like structure of
these cybercrime actors. The report — which offers analysis of more
than 130 ransomware groups, their activities and their victims over
a one-year period — sheds light on cybercriminals’ evolving
tactics, their operations and the profound impact ransomware
attacks have on victims worldwide.
“We are seeing an unrelenting surge in ransomware attacks in a
world where cyber adversaries function like shadow enterprises. The
sophistication of these groups rivals that of any Silicon Valley
tech startup,” said Ferhat Dikbiyik, chief research and
intelligence officer, Black Kite. “Law enforcement’s dismantling of
notorious groups like AlphV has not discouraged operations. It
merely caused them to refocus and realign, and in some cases join
forces with other affiliated groups. This shift underscores the
volatility within these illicit networks while highlighting the
critical cybersecurity challenges organizations around the world
face every day in threat detection and mitigation.”
Ransomware as a business and its emerging
leaders The report provides insight into talent
acquisition and revenue structures — with operators typically
retaining 20-30% and affiliates taking the lion’s share of revenue.
The report discusses the rise and fall of established players like
LockBit and how data supports a dynamic, thriving industry with
multi-affiliate collaboration and bidding wars for affiliates.
Emerging groups, such as Akira and 8base, are quickly climbing in
power and authority. The Black Kitre report reveals that 9 of the
top 15 most active groups are new entrants to the market.
Data indicates not just escalation but also acceleration of
attacks, signaling the evolution and increasing aggressiveness of
ransomware players. More than 100 companies were victimized by two
groups and several were victimized by three groups. These attacks
are happening in quicker succession — sometimes with mere days
between attacks — indicating the ransomware groups are monitoring
other groups’ activity so they can strike while a victim is still
weak. Data also indicates that ransomware affiliates may work with
multiple RaaS providers, leading to multiple payloads from
different groups in a single environment.
Evolving ransomware victim profilesThe report
offers a detailed analysis of victims and cybercriminals’
approaches to profiling and targeting. While previous years saw a
focus on resource-rich organizations, ransomware groups are more
frequently targeting organizations that offer critical human
services and smaller companies with revenue under $20 million
(nearly 1200 victims). As an example, healthcare jumped to the
third most targeted industry with 273 victims. This is a startling
number considering the profound impact caused by ransomware-related
business disruptions and theft of patient health information (PHI),
as evidenced by recent news of the $1.6 billion hit to United
Health in the wake of the Change Healthcare attack. Notably, while
82 victims were hospitals, the rest were smaller physicians’
practices and medical officers, which often lacked robust
cybersecurity defenses. However, manufacturing still leads with
1,016 victims, indicating the targeting of industries that are
foundational to national economies.
Finally, the report takes a close look at cyber predator
behavior and victim risk profiles. With a record number of
vulnerabilities, zero day exploits were the top tactic of choice
for many groups with credential stuffing following as the second
most used strategy. More than 3,000 victims had at least one leaked
credential in the 90 days prior to a ransomware attack. BRITE also
leveraged Black Kite’s Ransomware Susceptibility Index® (RSI™) to
evaluate victims’ risk posture prior to attacks and found that
companies with an RSI score above .8 are 27 times more likely to
experience a ransomware attack.
Through BRITE Black Kite actively monitors more than 130
ransomware groups, 67 of which published at least one victim in the
time period analyzed. During this study, the team analyzed the
attacks and victims by tracking their cybersecurity posture in the
victims before and after the ransomware attack on the Black Kite
platform. The team also monitors dark web blogs, hacker forums, and
Telegram channels to track the evolving tactics and narratives of
the ransomware groups in real time. The analysis is incorporated
into the “State of Ransomware 2024,” report, along with tips for
improving cyber risk and security posture. Ultimately, the report
aims to empower organizations with the knowledge and insights
needed to bolster their cybersecurity defenses and mitigate the
risk of falling victim to ransomware extortion.
Download the report from Black Kite and learn more about
ransomware risk.
About Black KiteBlack Kite gives companies a
comprehensive, real-time view into cyber third-party risk so they
can make informed and proactive risk decisions that help avoid
business disruption, building resilience within their supply chain.
With one-of-a-kind collaboration capabilities, companies can work
directly with their vendors to report, mitigate, and minimize risk,
improving their own business resilience as well as their vendors’
organizations.
Through an automated process, and a combination of threat,
business, and risk information, Black Kite provides cyber risk
detection and response capabilities that are accurate, fast, and
transparent.
Black Kite serves more than 2,000+ customers in a wide range of
industries and has received numerous industry awards celebrating
the company’s vision, TPRM leadership and innovation as well as
recognition from customers.
Learn more at www.blackkite.com, and on the Black Kite blog.
Copyright © 2024 Black Kite, Inc. All rights reserved. All other
brand names, product names, or trademarks belong to their
respective holders.
Media Contact:Geena Pickering Look Left
Marketingblackkite@lookleftmarketing.com