Phobos Emerges as a Formidable Threat in Q1 2024, LockBit Stays in the Top Spot: Ransomware in Q1 2024

LockBit continues to reign, with dark horse Phobos coming in second

Trend threat intelligence shows that ransomware groups started the year relatively slowly: Trend Micro detected and blocked 2,661,519 ransomware threats across the email, URL, and file layers in the first quarter of 2024. That is less than half of the 6.7 million detections recorded in the first half of 2023, although the earlier figure covers six months rather than three.

Despite its recent takedown and an observed decline in activity, LockBit takes the top spot with 1,360 file detections, 3.1% of all ransomware file detections in the first quarter, and it topped the list in each of the three months. The count is inflated, however, by the many groups using the leaked LockBit 3.0 builder: LockBit affiliates as well as unaffiliated gangs such as DragonForce and Bl00dy, whose builder-derived payloads are counted under LockBit. Prior to the takedown, we came into possession of a sample that we believe to be LockBit’s latest version, an in-development, platform-agnostic build still in testing that we track as LockBit-NG-Dev. We believe it would have formed the basis of a LockBit 4.0 that the group can be assumed to have been working on.

Another RaaS operation, Phobos, follows LockBit with 1.5% of first-quarter detections. Phobos detections peaked in March alongside LockBit’s, at 240 hits against LockBit’s 576, a little under half. Phobos activity has been reported since 2019; in February this year, the US Cybersecurity and Infrastructure Security Agency (CISA) published a cybersecurity advisory on the gang’s modus operandi.

Meanwhile, StopCrypt followed closely behind Phobos with 1.4% of first-quarter detections. It was most active in January, when its 238 detections nearly matched Phobos’s and amounted to 64.5% of LockBit’s 369 for the month. Earlier this year, a new StopCrypt variant with a multi-stage execution process that uses shellcode for evasion was observed in the wild.

Relative newcomer TargetCompany comes in fourth with 571 hits in the first quarter, 1.3% of total detections. Major player Conti follows closely with 554 detections; note that our telemetry detects LockBit Green as Conti, since that LockBit version is built on the leaked Conti code. Conti’s count could also be attributed to other ransomware groups reusing its leaked ransomware. Notorious BlackCat did not make the top five most prolific families of the quarter, but it follows Conti in sixth place by file detection with 496 hits.

Figure 1. The top five ransomware families in machines per month for the first quarter of 2024, in terms of file detections

Source: Trend threat intelligence

Enterprises took the brunt of ransomware attacks in the first quarter

Ransomware actors targeted enterprises the most in the first quarter of 2024: 78.2% of detections were on enterprise machines, and attacks on the segment peaked in March at 11,804. Curiously, gangs focused the least on small- and medium-sized businesses, which accounted for only 6.7% of detections. This contrasts with last year, when small businesses were more commonly targeted; they are generally assumed to be more favorable targets because of their limited security infrastructure.


Figure 2. Ransomware detections in the first quarter of 2024 by business segment in terms of file detections

LockBit hit enterprises the most, with Conti and BlackCat second and third among the ransomware families most active against enterprises in the first quarter of 2024.

TargetCompany made its mark with 1.5% of enterprise detections, overtaking Phobos in that segment. TargetCompany has been observed attacking vulnerable database servers; in 2023, its latest version, Xollam, joined the phishing trend, using malicious OneNote files to gain initial access to victims’ systems.

LockBit also topped the families targeting small- and medium-sized businesses, though that segment accounted for a mere 2.0% of its file detections. StopCrypt, meanwhile, took the top spot among families hitting the consumer segment.


Figure 3. The top five ransomware families targeting the enterprise, consumer, and small- and medium-sized business segments in terms of file detections

Eyes on the prize: ransomware actors targeted organizations in the banking industry the most

Ransomware gangs targeted the banking sector the most in the first quarter of 2024, a focus that could be attributed to the industry’s continued adoption of cryptocurrencies. Government remains a favored target as conflicts between countries continue, while the technology sector takes third place. The healthcare industry, a hot target during and after the pandemic, has dropped to sixth.

Conti and BlackCat appeared among the top ransomware families in the most-targeted sectors across all three months, with one exception: in the technology sector in February, Akira, Egogen, and Phobos were the most active.


Figure 4. The top six industries targeted by ransomware families in the first quarter of 2024 by file detection

Organizations in Turkey recorded the most ransomware detections in Q1 2024

Our threat intelligence shows that Turkey recorded 6,310 ransomware file detections, 14.6% of the total for the first quarter of 2024. Spikes like this have been observed in the region before.

The United States comes in second with 5,052 detections, or 11.7%. The US had previously held the top spot in successful ransomware-as-a-service (RaaS) and extortion attacks, as measured from ransomware group leak sites and Trend’s OSINT research.

Germany follows the US closely with 11.3% of the quarter’s detections, while Japan and Kuwait round out the top five countries most targeted by ransomware actors in the first quarter of 2024.


Figure 5. The top five countries targeted by ransomware gangs in the first quarter of 2024 in terms of file detections

Stay ahead of the risk of ransomware attacks with a proactive approach to security

Despite an overall decrease in ransomware activity relative to the latter half of 2023, the adaptability of certain ransomware families, notably LockBit and Phobos, underscores the need for constant vigilance and robust security practices, particularly for enterprises, which emerged as the prime targets in the first quarter of 2024. This marks a shift away from smaller businesses, which had previously been heavily targeted, and may reflect a change in operators’ assessment of potential rewards and the efficacy of their attacks.

While ransomware families continue to innovate, many groups still opt for the easy way in: other gangs’ reuse of the leaked LockBit and Conti ransomware kept both families’ detection counts high despite LockBit’s takedown earlier this year and the indictments of actors believed to be associated with Conti. Ransomware may have started 2024 slowly, but the data suggests the threat actors are regrouping, rearming, and possibly preparing more sophisticated, severe, and better-targeted campaigns in the months to come.

Organizations can mitigate the risk of ransomware attacks by adopting a proactive cybersecurity mindset and implementing the following security best practices:

  • Enable multifactor authentication (MFA). Organizations should require MFA for employees who access or store company data on their devices, as an added layer of protection against unauthorized access to sensitive information.
  • Back up your data. Organizations should follow the “3-2-1 rule” to safeguard important files: keep at least three copies of the data on two different types of storage media, with one copy stored off-site, and verify that the backups can actually be restored.
  • Keep systems up to date. Organizations should update all applications, operating systems, and other software as soon as vendors and developers release patches. Doing so minimizes the window in which ransomware actors can exploit vulnerabilities to breach systems.
  • Verify emails before acting on them. Malicious actors rely on tried-and-tested methods to compromise systems, such as embedded links or executable attachments in emails sent to employees to install malware. Organizations should train employees to recognize and avoid such methods.
  • Follow established security frameworks. There is no need to reinvent the proverbial wheel. Organizations can craft cybersecurity strategies based on the frameworks published by the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST). The controls and best practices these frameworks outline can guide an organization’s security team in developing its own threat mitigation plans.

Organizations can strengthen their cybersecurity infrastructure through multilayered detection and response solutions that can anticipate and respond to ransomware movements before operators can launch an attack. Trend Vision One™ is equipped with extended detection and response (XDR) capabilities that gather and automatically correlate data across multiple security layers — including email, endpoints, servers, cloud workloads, and networks — to prevent ransomware attack attempts.

Organizations can also benefit from solutions with network detection and response (NDR) capabilities, which can give them broader visibility over their network traffic. Trend Network One™ provides security teams with the critical network telemetry they need to form a more definitive picture of their environment, accelerate their response, and avert future attacks.
