Abdulrahman H. Alamri and Lexie Mooney of Dragos write:
The third quarter (July – September) of 2024 brought transformative shifts to the ransomware landscape, emphasizing its dynamic and continuously evolving nature. The ransomware threat ecosystem remained highly active in the third quarter, fueled by new groups, rebranding of existing entities, expansion of initial access broker operations, and proliferation of illicitly traded tools. Ransomware operators increasingly demonstrated their ability to pivot in response to disruptions during the third quarter, leveraging technological advancements and strategic realignments to maintain their operations.
This period witnessed a critical shift as dominant groups like LockBit faced significant setbacks due to coordinated international law enforcement actions, including Operation Cronos, which dismantled key infrastructure elements of LockBit. This led to a decline in their activities and forced affiliates such as Velvet Tempest to transition to other groups, including RansomHub.
Concurrently, the ransomware-as-a-service (RaaS) model continued to mature, with an expanded reliance on Initial Access Brokers (IABs) that exploit vulnerabilities, misconfigurations, and stolen credentials that facilitated entry into targeted environments. These brokers acted as force multipliers, enabling ransomware groups to scale their operations by focusing on payload deployment and extortion strategies. In general, this industrialization of ransomware has continuously lowered the barriers to entry for new actors, fostering a competitive and dynamic threat environment, and the third quarter of 2024 was no different.
Read the full report at Dragos.