20% More Ransomware Group Data Leak Sites Listed in Q2 of 2024

Reliaquest analyzed the ransomware groups’ data leak sites, which showed a significant increase in activity in the second quarter of 2024. Listings of data leak sites this second quarter grew by 20% (1,237 organizations) compared to the first quarter of 2024.

The number of new data leak sites listed in the first quarter of 2024 was atypically minimal because of two reasons. First, a global law enforcement operation targeted the LockBit ransomware group, and after the ransomware attack on Change Healthcare, the ALPHV/Blackcat got away with an exit scam and closed its operation. These two ransomware groups were the high-profile RaaS operations during the time.

Although the number of data leak sites added grew by 20% in quarter 2, ransomware activity dropped by 13% compared to quarter 2 of 2023. The number of victims increased by 1% in the first half of 2024 compared to the first half of 2023. With the shutdown of ALPHV/Blackcat, affiliates of the group needed to go to other RaaS groups. Some RaaS groups like BlackSuit, RansomHub, and BlackBasta were hiring affiliates, to expand their activity during that period. RansomHub, which currently has the Scattered Spider threat group as an affiliate, has been notably active, with listings growing by 243% compared to the prior quarter. LockBit has increased attacks with 35.8% of all ransomware data leak listings from LockBit attacks.

Over half of the listings in quarter 2 were for US-based companies. Reliaquest mentioned that several RaaS groups are located in the Commonwealth of Independent States (CIS) and are banned from executing attacks in those nations and there are nationalistic motives for performing attacks in the U.S. Ransomware attacks may also be financially driven as victims are more likely to give ransom payment. The US is one of the countries with the highest offers of cybersecurity insurance protection.

Some sectors are at a greater risk compared to others. Although attacks on healthcare and public health (HPH) organizations are prevalent, the HPH sector ranked 5th among the most attacked sectors. The manufacturing sector and the professional, scientific, and technical services (PTST) sector get more than double the number of attacks as the healthcare sector. The same number of attacks were performed in the construction industry and retail trade as healthcare. Ransomware groups target these sectors because of the cost and effect of outages, which enables them to require high ransom payments and increases the likelihood of getting paid because ransom payment lessens the outage time. Reliaquest remarks that the PTST sector, which is within 1% of the manufacturing sector, is a specifically appealing target because of the possibilities for the compromise of the supply chain.

ReliaQuest says that attacks will keep increasing all through quarter 3 of 2024, particularly from supply chain compromise and breached credentials, though escalating law enforcement activity and the availability of free decryption keys may result in a decrease in attacks in the long run. For HPH sector organizations, it is best to ensure HIPAA compliance certification.