These results are a timely reminder that every organization in every industry is a potential target for ransomware.
It is worth noting that different regulations around the world mean that some organizations or industries have a legal obligation to report cybersecurity incidents, and this may influence industry-related results.
Ransomware for rent
The most prevalent ransomware groups in our sample are, perhaps unsurprisingly, ransomware-as-a-service (RaaS) models. These include LockBit, which in 2023/24 was behind one in six, or 18% of the attacks where the identity of the attacker is known, despite the law enforcement takedown of the group in February 2024. Of these incidents, 28% targeted healthcare organizations, 21% municipalities, and 14% education.
ALPHV ransomware, also known as BlackCat, accounted for 14% of attacks in 2023/24 where the identity of the attacker is known, with a third of these incidents targeting healthcare organizations, while 17% hit financial services.
Rhysida, a new ransomware group that appeared in early 2023, accounted for 8% of named attacks, with 38% of them hitting healthcare.
RaaS ransomware attacks can be hard to predict and therefore hard to contain. The number and range of affiliates carrying out attacks with the same ransomware family can lead to significant variation in observed tactics, techniques, and procedures (TTPs).
Some affiliates may use different ransomware types in different attacks, further muddying the waters. Fortunately, there are tried and tested TTPs that most attackers rely on, and these can help to signpost an unfolding incident.
The anatomy of active ransomware attacks
Data from Barracuda XDR’s Endpoint Security suggests that in the first six months of 2024 (January 1 to end of June), around one in four (23%) XDR customers faced an attempted ransomware attack.
In that time, Barracuda XDR’s Endpoint Security detected and blocked 6,052 instances (tools, techniques, or behaviors) that indicate a likely ransomware attack. The most prevalent detections represent navigational markers that security teams can look out for when hunting intruders.
Top attack tools and behaviors detected in 2024
Security analysts rely on a range of detection rules and engines to identify activity that denotes the presence of cyberthreats. These multiple detection layers are essential in the battle against active threats such as ransomware, where attackers often leverage commercially available tools used legitimately by IT teams and can make real-time adjustments in their behavior and tactics to succeed.
Further, the execution of the ransomware component of the attack, such as file encryption, is often the final phase of the incident. This is often preceded by scanning, lateral movement, malware download, and more, which offer security teams several opportunities to detect, contain, and mitigate ransomware incidents before they have a chance to fully unfold.
The data for 2024 shows that lateral movement is the clearest sign of ransomware activity. Just under half (44%) of the ransomware attacks were spotted by the lateral movement detection engine.
A quarter (25%) were detected by the engine that spots when files are being written or modified and analyzes them to see if they match any known ransomware signatures or suspicious patterns, and 14% were caught by the detection engine that identifies abnormal behavior within a system or network. This engine learns the typical behavior of users, processes, and applications. When it detects deviations (such as unusual file access, tampering with operating system components, or suspicious network activity), it triggers an alert.
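To illustrate what the file-modification and behavioral-deviation engines described above look for, here is an added example that is not Barracuda's code and does not reproduce the XDR engines' logic: it learns a per-user baseline of file writes per time window from constructed telemetry, then alerts on a write burst or on a mass change to an extension the baseline never saw. User names, paths, thresholds and the event format are all assumptions.

```python
"""Constructed file-write anomaly detector: learns a per-user baseline of writes per
window, then flags write bursts or a dominant extension the baseline never saw."""
from collections import Counter, defaultdict
from statistics import mean, pstdev
import os

WINDOW = 60  # seconds per observation window

def windows(events, window=WINDOW):
    """Bucket (timestamp, user, path) events per user and time window."""
    buckets = defaultdict(list)
    for ts, user, path in events:
        buckets[(user, ts // window)].append(path)
    return buckets

def ext_of(path):
    return os.path.splitext(path)[1].lower()

def learn_baseline(events):
    """Per-user mean/stdev of writes per window and the set of extensions seen."""
    counts, exts = defaultdict(list), defaultdict(set)
    for (user, _), paths in windows(events).items():
        counts[user].append(len(paths))
        exts[user].update(ext_of(p) for p in paths)
    return {u: (mean(c), pstdev(c), exts[u]) for u, c in counts.items()}

def detect(events, baseline, sigma=3.0, min_writes=20, share=0.8):
    """Return one alert per anomalous (user, window) with the reasons it fired."""
    alerts = []
    for (user, w), paths in sorted(windows(events).items()):
        mu, sd, known = baseline.get(user, (0.0, 0.0, set()))
        n = len(paths)
        ext, ext_n = Counter(ext_of(p) for p in paths).most_common(1)[0]
        reasons = []
        if n >= min_writes and n > mu + sigma * sd:
            reasons.append(f"{n} writes vs baseline {mu:.1f}+/-{sd:.1f}")
        if ext_n >= min_writes and ext_n / n >= share and ext not in known:
            reasons.append(f"{ext_n}/{n} writes to unseen extension {ext!r}")
        if reasons:
            alerts.append({"user": user, "window": w, "writes": n, "reasons": reasons})
    return alerts

# Constructed sample telemetry (not real XDR data): (timestamp_sec, user, path)
BASELINE = [(t, "alice", f"/home/alice/docs/r{t}.docx") for t in range(0, 600, 15)]
BASELINE += [(t, "alice", f"/home/alice/docs/s{t}.xlsx") for t in range(5, 600, 120)]
ATTACK = [(900 + i, "alice", f"/home/alice/docs/f{i}.docx.locked") for i in range(30)]
BENIGN = [(900 + 10 * i, "bob", f"/home/bob/n{i}.txt") for i in range(3)]

if __name__ == "__main__":
    print(detect(ATTACK + BENIGN, learn_baseline(BASELINE)))
```

The constructed attack window fires on both conditions (a 30-write burst against a baseline of about 4.5 per window, and every write landing on an unseen `.locked` extension), while the small, unseen-user activity from `bob` stays below the minimum write count and produces no alert.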