The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q1’s research here.

Video Transcript

Ransomware Activity

Hey everyone, Connor here, Security Research Manager at CyberMaxx.

During the first quarter of 2024, we observed 1,283 successful ransomware attacks against organizations, up 29% over the same period last year (Q1 2023, 909 observed attacks).

2024 is already shaping up to see more activity than last year.

Lockbit was again the most prolific group, at 368 successful attacks, or 30% of the total threat landscape for the quarter. This spike may be related to the attempted law enforcement takedown, as a show of strength, or it could simply have been a very successful quarter for the group.

Lockbit has continuously expanded its operations week to week, and has shown that its model is extremely successful. When reviewing the past 18 months of data, we can see a very steady increase in activity attributed to the group quarter over quarter.

Which begs the question: why is this group so successful?

The answer to that is complicated, but it is largely tied to their affiliate program, built on the reputation the group has accumulated over its years of operation. Lockbit works with other groups who focus on initial access and the first stages of intrusion, and who then hand over for post-compromise activity like staging the environment for ransomware and exfiltrating company data. This means that any group can use any technique to gain access, and then work with Lockbit to deploy ransomware.

So the next reasonable question is: what are these affiliates doing to gain access?

They typically exploit poor security hygiene, improper configuration of external-facing assets, traditional phishing, and unpatched vulnerabilities. Reducing attack surfaces, performing system hardening, properly architecting networks to reduce possible impact, and ensuring a patch management program are crucial to responding to today's threat landscape.

Xz Utils

On March 29th, 2024, malicious code was identified in the upstream tarballs of xz in versions 5.6.0 and 5.6.1. This has since been marked and tracked as CVE-2024-3094.

Analysis today shows that the backdoor enabled remote code execution (RCE) and was committed by the user JiaT75 as part of a two-plus-year operation in the making. Originally reported as an SSH authentication bypass, further research now shows that there is far more to this than initially identified. Researchers, at the time of publishing this report, are still digging through and identifying new features due to the complex obfuscation involved in the attack.

No specific attribution has been assigned for whoever was behind this attack at this time.
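A first-pass host check for the two affected releases, added here as an example and not part of the CyberMaxx transcript. It parses the output of `xz --version` (the sample output below is constructed), flags 5.6.0 and 5.6.1, and separately reports whether liblzma is linked into sshd, which is the process the backdoor targeted on distributions whose sshd pulls in libsystemd. The `ldd` step assumes a glibc-based system; it is a hypothetical helper, not a vendor tool.

```bash
#!/bin/sh
# Added example (not CyberMaxx code): flag the xz-utils releases named in CVE-2024-3094.
# Only the version-string checks are exercised offline; check_host() runs against the real system.

# Constructed sample of `xz --version` output from a backdoored build (not captured from a real host).
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Constructed sample from a build that predates the backdoored releases.
SAMPLE_GOOD='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# xz_is_backdoored VERSION -> returns 0 (true) only for the two affected upstream releases.
xz_is_backdoored() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# parse_xz_version OUTPUT -> prints the xz binary version from the first "xz (XZ Utils) X.Y.Z" line.
parse_xz_version() {
  printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# parse_liblzma_version OUTPUT -> prints the liblzma version from the "liblzma X.Y.Z" line.
# The library matters more than the binary: the backdoor lives in liblzma, not in the xz CLI.
parse_liblzma_version() {
  printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# classify_xz_output OUTPUT -> prints a verdict; returns 1 if either component is an affected release.
classify_xz_output() {
  xz_v=$(parse_xz_version "$1")
  lz_v=$(parse_liblzma_version "$1")
  if xz_is_backdoored "$xz_v" || xz_is_backdoored "$lz_v"; then
    echo "VULNERABLE: xz $xz_v, liblzma $lz_v (CVE-2024-3094 release)"
    return 1
  fi
  echo "OK: xz $xz_v, liblzma $lz_v"
  return 0
}

# sshd_links_liblzma -> returns 0 if the installed sshd binary resolves liblzma at load time.
# Hypothetical helper: assumes glibc `ldd`; a statically linked or non-glibc sshd will not be reported.
sshd_links_liblzma() {
  sshd_path=$(command -v sshd 2>/dev/null) || return 1
  ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# check_host -> run this on the system under review.
check_host() {
  out=$(xz --version 2>/dev/null) || { echo "xz not installed"; return 2; }
  classify_xz_output "$out"
  rc=$?
  if sshd_links_liblzma; then
    echo "note: sshd loads liblzma, so a backdoored library is reachable from the SSH daemon"
  fi
  return $rc
}

# Uncomment to run against the local host:
# check_host
```

Treat a version match as a trigger for investigation rather than a clean bill of health: distributions shipped patched or reverted packages under their own version strings, and a rebuilt package can carry the 5.6.x number without the injected code. Confirming the library contents (package signatures, file hashes) is the second step this check does not do.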

Lockbit Takedown

On February 29th, 2024, an international operation by law enforcement attempted to take down the servers in use by the Lockbit ransomware gang. The law enforcement teams identified two servers with unpatched vulnerabilities, which were exploited to gain access to the servers and ultimately wipe the data. This does ironically highlight the importance of patching your infrastructure, regardless of who you are.

Lockbit responded to the incident, owning up and stating that they didn’t patch their servers because they got lazy with the success from the past few years.

This operation led to a three-day drop in activity for the group, but they quickly ramped their operations back up to normal volume directly after recovering, and still managed to be the most active group in spite of this.