Geopolitical strife drives increased ransomware activity

Recorded ransomware attack volumes rose by 19% during October 2024 to a total of 468 incidents worldwide, a significant number of them in the US, where the controversial presidential election likely emboldened Russian-speaking threat actors to strike, according to NCC Group’s latest monthly Threat pulse report.

Although the full-scale of attempted Russian state interference in the US election process is not yet fully known, NCC’s head of threat intelligence, Matt Hull, said it was little surprise the final few weeks before the 5 November poll saw ramping amounts of threat activity.

“Geopolitical motivations, like the US election, showed that nation states such as Russia continue to have heavy influence on global volumes of cyber attacks,” he said.

“The data shows that we are witnessing changing dynamics of the threat landscape, with nation states and organised crime groups increasingly collaborating,” said Hull. “As different threat actors leverage each other’s resources, it is crucial for organisations to ensure that they’re on top of fundamental security practices such as password management, endpoint security and multi-factor authentication.”

Indeed, broken out by geography, the North America region – which also includes countries like Canada and Mexico – accounted for 272, or 56%, of the recorded ransomware attacks. In comparison, 97 attacks, 20%, victimised organisations in Europe, so all in all, over three-quarters of all ransomware attacks seen last month targeted these two regions.

Of course, this is not to exclude the rest of the world, and one attack in particular aptly demonstrated the apparent blurring of the lines between nation states and organised criminals. This was an incident in which systems at Japanese electronics giant Casio were crippled by Underground ransomware, which is linked to Russian cyber crime group Storm-0978, or RomCom.

The double extortion attack targeted employee, job candidate and business partner data, and caused outages and service disruptions. It likely began via CVE-2023-36884, a remote code execution vuln in Microsoft Office which is known to have been targeted by Russian state actors; and according to NCC, RomCom is thought to be one of a number of gangs that conduct attacks on behalf of the Kremlin.

NCC said that growing geopolitical tension between Russia and Japan added a “compelling” layer to the incident. Russia, which has held the island of Sakhalin – part of the ancestral homeland of Japan’s indigenous Ainu people – and the nearby Kuril Islands, since the end of the Second World War, is thought to be concerned by Japan’s increasing military collaboration with the Nato alliance, and Moscow protested a recent joint military exercise, Keen Sword 2024, between the US and Japan.

“These military activities and Japan’s bolstered defence posture may have contributed to a rise in aggressive tactics by Russian-affiliated cyber entities,” wrote the report’s authors.

“Attacks on Japanese companies could serve as a form of pressure or retaliation, signalling Russia’s discontent with Japan’s defence strategies. By targeting key Japanese enterprises, Russia, through affiliated cyber criminal groups, might aim to disrupt economic stability and project power without overt military confrontation.

“The situation shows the complexity of modern cyber warfare, where criminal enterprises and state-backed actors could pursue both financial and strategic objectives … As such, businesses should encompass a variety of threats, traditional and state-backed, in their defence strategy.”

RansomHub holds top spot

In terms of the most prolific ransomware operators, it was RansomHub that continued its dominance as the most active gang in October, taking responsibility for 68 attacks, although this was down a little on the previous month.

The second-place spot was held by Play, which accounted for about 55 attacks; followed by Killsec, with between 30 and 40; Sarcoma, with about 30; and Meow, with about 25.

The rest of the top 10 most active operations last month were Fog, Hunters, ElDorado, Medusa and BlackSuit.

Across the board, the industrials sector, which includes operators of critical national infrastructure (CNI), remained the most targeted, accounting for 148, or 30%, of the observed attacks. The consumer discretionary sector (retail) followed, with 100 attacks; and the healthcare sector accounted for 55. 

“As demonstrated through the focus on CNI, attacks are becoming less random and more targeted to organisations that will experience maximum impact,” said Hull.

“Those who rely on ‘up-time’ and hold large amounts of intellectual property or personally identifiable information are high-value targets.”