According to a recent report by Cyfirma, in May 2024, the activity of ransomware programs significantly increased, with noticeable shifts in the operations of leading groups. The group that showed the highest surge in activity was LockBit, emerging as the top threat with 174 victims.
The manufacturing sector suffered the most, with 85 incidents, while the United States became the most targeted geography with 249 recorded attacks. Among the new cyber threats, notable groups included Arcusmedia, SpiderX, and FakePenny.
The activity of leading ransomware groups in May 2024 changed compared to April. LockBit's activity spiked by 625%, while INC Ransom's increased by 100%. Attacks by Play rose by 10.34%, and those by RansomHub by 4.17%. Medusa, absent in April, returned with 23 incidents.
LockBit, which emerged in 2019, continues to evolve despite regular law enforcement measures. The group swiftly recovered after its infrastructure was dismantled in February, once again becoming the most active in May.
Ransomware activity also surged across various industries this May. Attacks in manufacturing rose by 28.79%, in real estate and construction by 66.67%, and in banking and finance by 105%.
Incidents affecting government agencies and legal services increased by 48%, and those affecting healthcare by 71.43%. E-commerce and telecommunications experienced a 230% rise, IT a 55.56% rise, and transportation a 21.05% rise.
Education showed a 250% increase, and the hospitality industry a 17.65% increase. Media rose by 116.67%, while energy decreased by 33.33% and FMCG by 4.26%.
The primary targets of attacks in May 2024 were the United States (249), United Kingdom (34), Canada (23), Spain (19), and France (18).
LockBit Black primarily spreads through the Phorpiex botnet, which distributes phishing emails with infected attachments. Black Basta uses social engineering, employing phishing calls and malicious links to gain access to systems.
SpiderX offers its services on underground forums, demonstrating advanced features and high efficiency. FakePenny, which uses a loader and an encryptor, demands ransoms reaching $6.6 million in Bitcoin. Arcusmedia, first detected in May, has already been responsible for at least 17 incidents, primarily targeting South America.
Key events in May included an attack on the Singing River healthcare system affecting 895,204 individuals, and the sale of INC Ransom source code on hacker forums for $300,000. Attacks on Windows administrators through fake software download sites were also noted.
Reports indicate about 31% of enterprises are forced to suspend operations after ransomware attacks, and 40% have to reduce staff. In 35% of cases, there are changes in top management. The average financial damage to companies is around $200,000, with 75% of small and medium-sized enterprises facing the threat of closure.
The escalating activity of ransomware underscores the need to enhance cybersecurity measures. Investments in advanced protection technologies, employee training, incident response plan development, cyber risk insurance, and regular security audits will help mitigate risks and minimize damage.