Palo Alto Networks‘ Unit 42 recently published the Ransomware Retrospective 2024: Unit 42 Leak Site Analysis and Incident Response report. In this study, they analyzed 3,998 leak site posts from various ransomware groups. Leak sites serve as platforms where threat actors publicly release stolen data to pressure victims into paying ransom. The investigation revealed several key findings. Unit 42 observed a 49% year-over-year increase in multi-extortion ransomware attacks globally from 2022 to 2023.
In India, the manufacturing sector was the most targeted industry for ransomware extortion in 2023. Among the 3,998 leak site posts from 2023 globally, LockBit ransomware remained the most active, affecting 928 organizations, which accounted for 23% of the total. LockBit also emerged as the most active group in the Asia-Pacific region and India (prior to the recent law enforcement disruption of LockBit). Additionally, the study noted the emergence of at least 25 new ransomware leak sites in 2023, with Akira being the most prominent.
Anil Valluri, Managing Director and Vice President, India and SAARC at Palo Alto Networks, commented on the findings, stating, “In India, the Manufacturing sector has emerged as the primary target for ransomware attacks over the past year. This unsettling trend underscores the critical vulnerabilities within the Indian manufacturing sector, where limited visibility into operational technology (OT) systems, inadequate network monitoring, and suboptimal cyber-hygiene implementation have left organizations exposed. Organizations must implement enterprise wide Zero Trust network architecture to create layers of security that limit an attacker from successfully moving laterally around the network.”
Unit 42’s 2024 Incident Response Report, based on an analysis of over 600 incidents from 250 organizations, reveals notable trends in cyber threats. The study delves into a wide range of incidents beyond ransomware leaksite posts, providing insights into the changing landscape of cyberattacks. One significant finding is the decline in phishing as an initial access tactic, dropping from a one-third share in 2022 to just 17% in 2023.
This shift suggests that cybercriminals are moving towards more technologically advanced methods for infiltration, possibly indicating a de-prioritization of phishing. The report also highlights a rise in the exploitation of software and API vulnerabilities, accounting for 38.60% of initial access points in 2023, up from 28.20% in 2022. This indicates that more sophisticated threat actors are adapting their tactics to gain access to systems. In terms of data theft, the report reveals that in 93% of incidents, threat actors took data indiscriminately rather than targeting specific datasets.
This trend signifies a shift towards cybercriminals casting a wider net to gather any accessible data. Regarding ransomware, the report notes a steady rate of harassment and extortion tactics, but a significant increase in harassment in cases where payments were made, jumping by 27x since 2021. Additionally, while median ransom demands increased slightly in 2023, median payouts decreased, potentially due to organizations involving Incident Response teams with negotiation capabilities. These findings underscore the evolving strategies of cybercriminals and highlight the importance of organizations implementing robust cybersecurity measures to mitigate risks.
Huzefa Motiwala, the Director of Systems Engineering for India and SAARC, expressed his concerns regarding the increasing number of ransomware incidents. He highlighted some positive developments, noting a shift in organizations’ response strategies. Recent data shows a rise in median ransom demands but a decrease in median payouts. Motiwala observed that more organizations are now calling in Incident Response teams, which has made threat actors opt for easier targets. Consequently, in many cases, they settle for whatever they can acquire and move on.
