
Ghostbusting 2024: From the Ashes of 2023's Ransomware Ghosts

BSides Charlotte · 2025 · 22:13 · Published 2025-05
Category: Technical
Style: Talk
About this talk
In 2024, the digital world is haunted by the ghosts of 38% of ransomware gangs that perished in 2023. This session ventures into the spectral aftermath, examining how these vanished threats have shaped the current cyber landscape. Focus on top adversaries like Lockbit and Ransom Hub, which have evolved from the remnants of last year's fallen. Learn how to track and tackle these ghostly entities, equipping yourself with the strategies needed to prevent their resurgence. Join us to master the art of cyber ghostbusting, turning the echoes of the past into blueprints for a safer future.

Steve is the founder and CEO of HackNotice, with 20 years of experience as a threat intelligence engineer. In 2013, he built and sold one of the world's first threat intelligence startups. A serial entrepreneur, he has launched successful ventures in identity theft, third-party risk, and intellectual property. Steve is also a well-published security researcher.
Transcript [en]

All right. Thank you to BSides. Today's talk is going to be Ghostbusting 2024: From the Ashes of 2023's Ransomware Ghosts, and I am Steve Thomas. A little bit about me gives you some context for this talk. I've been a threat intelligence engineer for about 20 years, as well as a serial entrepreneur. I built one of the world's first threat intelligence startups a little bit more than a decade ago. Since then I've been building startups in the world of identity theft, third-party risk, and then of course HackNotice, which is again a threat intelligence startup. I'm also a published researcher on SQL injection attacks and a few other security topics.

And today's talk is really all around the changes in ransomware and breaches from 2023 to 2024. As hopefully you're aware, there have been a lot of ransomware events in both years. We hear about ransomware almost every day, and this is really a deep analysis of what happened in both years, looking for changes, looking for trends, really trying to understand how these ransomware gangs are evolving and how the ransomware landscape changed year-over-year. We're going to do a few key types of analysis: victim analysis, so understanding better who's the victim, as well as gang analysis, understanding how these gangs have changed their tactics. We are going to also assess industries, geographies, really how are different groups of businesses targeted. And we really want to focus on emerging threats and how this all changes the threat landscape. So we're going to be trapping the cyber ghosts of 2024 to protect your business in 2025.

So, ransomware 101. If you are not familiar with ransomware, ransomware is a type of malware, a type of digital attack, where an encryption program encrypts all of your files. Usually these gangs are mass encrypting, not just a single computer or a single set of files, but as much of the environment as they can. And traditionally ransomware would then extort the business for the decryption key. So we're talking about infiltration, gaining access, moving horizontally and vertically, and then encrypting files. Now ransomware has really evolved over the years. It's not just encrypting files. It's also extracting the files. It's double extortion, where they're extorting the business not just for the decryption key but also to not leak their data. Some gangs don't even bother encrypting anymore, but it's still considered ransomware. Now they're just extorting businesses to not leak the files, or even to not announce that there's been an infiltration. How's it start? Typically with phishing or CVE exploitation. Hackers get in with a sneaky email, turn everything into gobbledegook, shut down systems. And why are we tracking this, right? We're tracking this because this is one of the biggest concerns that businesses have. And by analyzing the past, analyzing what's been happening in ransomware, we can really get a better sense of how we protect ourselves and focus our defenses for the future. Also, these gangs have really funny names. So Stay Puft is not currently a ransomware gang. It is a ghost. But it very well could be a gang in the future.

A little bit about HackNotice. So why are we able to do this type of analysis? We are an AI-driven breach intelligence platform. This is every breach happening worldwide from hundreds of sources. We really focus on time to knowledge, and what's important with time to knowledge is really getting these events as quickly as they can possibly be known. What that means is that we spend a lot of time getting these events directly from the threat actors themselves. We are sourcing thousands of ransomware victims directly from the darknet, from the ransomware gangs. Same thing with rumors of breaches in hacker forums. So we bring in the vast majority of the breaches and ransomware events directly from the darknet, directly from the hackers. And that gives us some really interesting data. It's often days, weeks, months before it hits the news. And so we're using all of that data, all of that information to do this analysis. It is AI-driven. So we're doing a bunch of trend analysis, change analysis, really diving deep into the TTPs, or tactics, techniques, and procedures, of these gangs. We also get access to a lot of the attack data. So the attack data is intimately linked to these attacks. We can see really big spikes in attack data typically before these events. We're trusted by some of the world's top companies. You can see some logos there, with many, many more customers using us every day.

So let's get into the good stuff. We did a data study looking year over year, '23 and '24. We looked at over 170 gangs that we're monitoring, and there were 102 gangs active in those two years. This included over 10,000 victims. So talking about a statistically significant sample set, this is a massive quantity of data. We analyzed every single event based on the top 25 NAICS codes. So these are industry codes, standardized ways of analyzing what industries these victims were in. Seven different geographies. And this really accounts for dozens of events that are happening every day. Every single event in our system is reviewed by a security researcher. So it's not just a hacker makes a claim and we put it into our system. These are verified events. So, high fidelity data. And we looked at this data every single way. We looked at year-over-year growth, gang churn, gang growth, industry concentration, industry change, geography concentration and change, targeting, retargeting, top gang analysis. We really made Lewis totally proud by going deep into the data.

All right, so this is going to be a lot of the background knowledge. I don't expect you to read this slide. But what I want you to get from this is that ransomware is not a monolith. It's not uniform. We have gangs that are focused on very specific industries, and sometimes those industries vary quite a bit. So this is a heat map here. You can see concentrations. This is manufacturing over here. We have tech, high technology, finance, but you can also see high concentrations here by specific gangs. Same thing with geographies: a lot of activity in Europe and North America, but there are some gangs that focus specifically on regions outside of those. And we did year-over-year analysis. You can see in this heat map how gangs change their tactics over time. So we're looking at gangs that have completely changed the industries they focus on. And our premise is that they did that because other industries gave a bigger payday. Same thing with geographies. We found some gangs that have completely changed the geographies they go after. And you can see some overall change year-over-year by these gangs. Excuse me.

All right. So let's get into the details. What are some topline insights we can get year-over-year? So some high-level numbers that seem pretty average. The number of gangs grew by 8%, or, I'm sorry, the number of gangs grew by 6% and the number of victims grew by 8%. That doesn't seem like a lot, but if you look at gang death in '23, we had 38% of all the gangs in 2023 die. That's massive churn. That means that these gangs that you hear about, just because you're hearing about them doesn't mean that they're going to stick around. They may only be around for a few months. And so this is a very dynamic cyber crime industry. And also in 2024, we have 45% of all the gangs as brand new in 2024. That's also massive. That means that about half of all the ransomware gangs that you need to worry about have been around for months. They're brand new. Now one important thing to take a look at is that the gangs that did survive year over year are the strongest gangs. They cause the most damage. They had the most victims. And so it's really the weak gangs that are dying off, and the new gangs that are showing up each year, they're producing more victims on average. In fact, if you take a look at the gangs that died off in '23, they had about 27 victims on average. The new gangs in '24 had about 50 victims on average. So we're talking about these new gangs, the new names you're hearing about, are often the most aggressive and cause the most damage. And yeah, that's bad. That's a bad trend for all of us.

Let's dig into the dead gangs. Now, some of these gangs may just be sleeping, hibernating. They may come back. You never really know with these gangs, but we can talk about some very specific gangs that we know did die. Arvin used to be a well-known name. They voluntarily broke up. Same thing with No Escape. They also voluntarily broke up. Knight is a very interesting gang. They voluntarily broke up, but they are also allegedly the origins of Ransom Hub, which was a massive gang in 2024. Now we do see some intentional deaths by Interpol. So Hive, Kuracart, and then Ragnar. All three of those were taken down by Interpol. So we can see Interpol is doing their best. They're taking action. They're trying to kill these ghosts. But what you're going to see next is the New Kids on the Block. So these are all the gangs that started in 2024. And some of these gangs you should be familiar with. Ransom Hub, like I mentioned, over 500 victims. That's a massive amount of victims. Funks has only been around for a few months, over 100 victims, and Fog, 80 victims. So we're seeing these really aggressive gangs that are just, you know, coming out of nowhere and creating mass chaos. So yeah, they are here and we need to pay attention to them.

Let's take a look at some gangs in specific. So let's take a look at manufacturing. So with gangs and their overall activity, manufacturing is a very highly targeted industry, the number one targeted industry, but it was down in 2024 by about 4%. So still number one, but it was down in terms of targeting. Professional services number two, and that's really not changed. That's a very lucrative industry for ransomware gangs to go after. Information technology actually grew by 2%. We saw some slight change in terms of geography targeting: North America a little bit more, Europe a little less, Asia even less. Now let's take a look at some of these gangs. Arvin, which died off in 2024, they targeted exclusively the Middle East. So that made the Middle East safer by about 200 victims a year. Unfortunately, Andala and Malik, they almost exclusively target the Middle East. And the two of them combined account for about a hundred victims a year. So we're about a hundred victims a year safer in the Middle East, but still not a great trend when gangs are taking up the room that other gangs have left. Cyclops focused exclusively on Africa. Their death does make the region about 200 victims a year safer.

Let's get into some more specific gangs. We see year-on-year targeting from gangs that survived in '23 into '24. So this is really how are gangs changing their targets, their tactics. So these are the gangs that are surviving each year. And they chose to target retail more frequently, finance more frequently, and professional services less frequently. They've concentrated more on North America and less on Asia and South America. And if we take a look at specific gangs, so I'll mess up this name, All too fawn team, Altufon team, focused on Middle East financial services in 2024 instead of North America and European information technology and transport. So that's a pretty major shift in region and industry. Cuba, or Cuba, as their name suggests, they used to focus on North America, specifically retail and healthcare. They now focus on European manufacturing. So that's a pretty major shift. APA focused on EU manufacturing instead of North American information technology. And ransom to VC focused on retail instead of information technology and finance. So what's important to take from this is that if you're in a very specific industry, you're going to have gangs that target your industry. But that's going to be dynamic. Gangs may change tactics. You may have gangs that decide that your industry is more attractive, and so they're going to start targeting you instead. So you really got to pay attention to these gangs, how their targeting changes year-over-year, month over month. And we're assuming it's all based on payout. So it could be that these new targets actually pay out more frequently than the old targets.

Let's look at the 2024 leaderboard. So the top gangs last year were Lockbit, Ransom Hub, and Play News. Lockbit, Play News, those are well-known names. They existed in '23. Ransom Hub's brand new. Top industries: manufacturing, professional services, information technology. This really should not be a surprise. If you are in these industries, you have to pay attention to ransomware, because those gangs are paying attention to you. North America, largest concentration of victims by far, followed by Europe and then Asia. But you can see the concentration is really skewed to North America and Europe.

Now let's take a look at these top gangs. We're going to dive in a little bit deeper into these gangs here. These are the top four gangs from 2024. And I want us to take a little bit of time here and look at how are they attacking businesses. So these are the TTPs, the tactics, techniques, and procedures. And one thing I'll draw your attention to is that every single top gang engages in phishing or spear phishing. Phishing, as hopefully you're aware or you'll hear throughout BSides, is emails sent to employees trying to trick them into either downloading an executable or putting in credentials. It could be long form, where they're trying to build up trust and eventually they'll have a call to action, but it's fraudulent emails. Spear phishing is really targeted on a specific person or set of people, often using threat intelligence or even open source intelligence to understand that person, know intimate details about them, even profile what they would respond to the best in terms of a call to action. Next we see all the gangs engage in CVE exploitation. This is going to be exploitation of vulnerabilities in the publicly facing infrastructure. That's pretty easy, pretty obvious. If a gang can get in through your publicly facing infrastructure, they will. Which means patching, patch management, public infrastructure protection such as a WAF are incredibly important. Now the gangs, they vary a little bit. Lockbit engages in credential stuffing. Ransom Hub uses C2 servers, so command and control servers, to coordinate their infections. Play News uses scripting. So does Akira. Lockbit uses scheduled tasks, so your task manager. So there's a little bit more variance in terms of how they go about moving horizontally and vertically in the business. But once they have gotten as much of your business as they have, all of them engage in double extortion. So ransomware is probably the fastest moving cyber crime industry subsector in existence, and all top gangs are focused on how can we get the biggest payday here. And double extortion, that's not only encrypting your files, but also stealing your files and threatening to release them or even sell them, is a very common tactic. And one thing I want you to really focus on here is that the top gangs have very similar TTPs. So they're all cheating off each other. They're all taking the best attacks and reusing them. They may even have members that are moving from gang to gang. So if you protect against one of these top gangs, you're really protecting against all of them, because they share very similar TTPs.

They share very similar targeting as well. So key takeaways, what can we learn from this? Well, we've learned that we have massive churn in terms of the number of ransomware gangs and what the gangs are. 38% is a huge amount of turnover. If this was happening in a typical industry, we'd be talking about this non-stop. So don't assume that the defenses that you built based on 2024's data are going to still be valid. You need to stay up to date on this stuff. Old school tough: the gangs that last year over year over year, those are some really resilient gangs. Those are gangs that are continually changing their tactics. Those are some of the most aggressive gangs. The new kids on the block, the new gangs, are more aggressive and more successful than the gangs that are dying off. So if you hear a brand new name and you hear about it a lot, like RansomHub, you need to pay attention. Potentially it's going to be the brand new gang that's going to be a major factor in terms of how you protect your business. They're all chasing the money. This is a money game. Ransomware only exists because hackers can make a massive amount of money doing it. And the gangs are going to change their TTPs. They're going to change their targets. They're going to change their geos. They're learning as they go. This is not just a bunch of scripts running. These are people that are really optimizing their business. And they all share tricks. They all share the same TTPs. The top gangs all look very similar. So if you learn to defend against those top gangs, you're taking a lot of risk off the table. Don't ignore the new kids on the block. The new gangs that are entering the field are often some of the most aggressive, hungry, and innovative in the space. And that's it. If you have any questions, comments, feel free to connect with me. Here's my site, my social. And you can scan these QR codes. I promise they're safe. Thanks.
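The churn figures the talk is built on (gang death rate, share of brand-new gangs, average victims per dead versus new gang, industry and region share shifts) and the closing point that the top gangs share TTPs are both simple computations over a table of verified leak-site postings. The Python below is an added example and is not code from the talk or from HackNotice. The rows are constructed sample data with placeholder gang names (picked so the dead-gang and new-gang averages land on the 27 and 50 the talk cites), and the TTP profiles encode the techniques the talk names as MITRE ATT&CK technique IDs, which is an assumption about how a team would store them.

```python
"""Year-over-year ransomware gang churn and TTP-overlap analysis.

Added example, not from the talk or HackNotice. ROWS and TTPS are constructed
sample data with placeholder gang names; no real victims are represented.
"""
from collections import Counter
from itertools import combinations

# Constructed sample: (gang, year, industry, region, victims posted on the leak site).
ROWS = [
    ("Gang-A", 2023, "Manufacturing", "North America", 30),
    ("Gang-A", 2024, "Manufacturing", "North America", 45),
    ("Gang-A", 2024, "Finance", "Europe", 15),
    ("Gang-B", 2023, "Professional Services", "Europe", 20),    # not seen in 2024
    ("Gang-C", 2023, "Healthcare", "Middle East", 34),         # not seen in 2024
    ("Gang-D", 2024, "Manufacturing", "North America", 60),    # first seen in 2024
    ("Gang-E", 2024, "Information Technology", "Europe", 40),  # first seen in 2024
    ("Gang-F", 2023, "Retail", "North America", 10),
    ("Gang-F", 2024, "Retail", "Asia", 12),
]

# Constructed TTP profiles keyed by MITRE ATT&CK technique ID (assumed encoding):
# T1566 phishing, T1190 exploit public-facing application, T1110.004 credential
# stuffing, T1071 C2 over an application-layer protocol, T1059 scripting,
# T1053.005 scheduled task, T1486 data encrypted for impact, T1567 exfiltration
# over web service (the theft half of double extortion).
TTPS = {
    "Gang-A": {"T1566", "T1190", "T1110.004", "T1053.005", "T1486", "T1567"},
    "Gang-D": {"T1566", "T1190", "T1071", "T1486", "T1567"},
    "Gang-E": {"T1566", "T1190", "T1059", "T1486", "T1567"},
    "Gang-F": {"T1566", "T1190", "T1059", "T1053.005", "T1486", "T1567"},
}


def active_gangs(rows, year):
    """Gangs with at least one posted victim in `year`."""
    return {gang for gang, y, _, _, n in rows if y == year and n > 0}


def victims_per_gang(rows, year):
    """Total victims posted by each gang in `year`."""
    totals = Counter()
    for gang, y, _, _, n in rows:
        if y == year:
            totals[gang] += n
    return totals


def churn_report(rows, prev_year, cur_year):
    """Death rate, new-gang share and mean victims for dead, new and surviving gangs."""
    prev, cur = active_gangs(rows, prev_year), active_gangs(rows, cur_year)
    died, new, survived = prev - cur, cur - prev, prev & cur
    prev_counts = victims_per_gang(rows, prev_year)
    cur_counts = victims_per_gang(rows, cur_year)

    def mean(gangs, counts):
        return sum(counts[g] for g in gangs) / len(gangs) if gangs else 0.0

    return {
        "gangs_prev": len(prev),
        "gangs_cur": len(cur),
        "death_rate": len(died) / len(prev) if prev else 0.0,
        "new_rate": len(new) / len(cur) if cur else 0.0,
        "avg_victims_dead": mean(died, prev_counts),       # measured in their last year
        "avg_victims_new": mean(new, cur_counts),          # measured in their first year
        "avg_victims_survivor": mean(survived, cur_counts),
    }


def share_shift(rows, field, prev_year, cur_year):
    """Change in each industry's (field=2) or region's (field=3) share of victims."""
    def shares(year):
        c = Counter()
        for row in rows:
            if row[1] == year:
                c[row[field]] += row[4]
        total = sum(c.values())
        return {k: v / total for k, v in c.items()} if total else {}
    a, b = shares(prev_year), shares(cur_year)
    return {k: round(b.get(k, 0.0) - a.get(k, 0.0), 4) for k in set(a) | set(b)}


def ttp_coverage(ttps):
    """Techniques ranked by how many profiled gangs use them: a control that blocks
    a technique near the top cuts exposure to most of the gangs at once."""
    return Counter(t for techniques in ttps.values() for t in techniques).most_common()


def jaccard(a, b):
    """Set similarity in [0, 1]; 1.0 means identical TTP profiles."""
    return len(a & b) / len(a | b) if a | b else 0.0


def pairwise_overlap(ttps):
    """Jaccard similarity of every pair of gang profiles, most similar first."""
    pairs = [((g1, g2), round(jaccard(ttps[g1], ttps[g2]), 3))
             for g1, g2 in combinations(sorted(ttps), 2)]
    return sorted(pairs, key=lambda p: -p[1])


if __name__ == "__main__":
    for k, v in churn_report(ROWS, 2023, 2024).items():
        print(f"{k:>22}: {v:.2f}" if isinstance(v, float) else f"{k:>22}: {v}")
    print("industry share shift:", share_shift(ROWS, 2, 2023, 2024))
    print("region share shift:", share_shift(ROWS, 3, 2023, 2024))
    print("TTP coverage:", ttp_coverage(TTPS))
    print("pairwise overlap:", pairwise_overlap(TTPS))
```

On the constructed rows the report gives a 50% death rate and a 50% new-gang share, 27 victims on average for the gangs that vanished and 50 for the new ones, and `ttp_coverage` puts phishing, public-facing exploitation, encryption and exfiltration at the top because every profiled gang uses them; that ranking is the quantitative form of the talk's advice that defending against one top gang defends against all of them.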