They say lightning never strikes twice. Unfortunately, ransomware gangs do.
In fact, organizations hit by a ransomware attack are almost six times more likely to be attacked again over the next three months, according to new research by cloud computing and security company Akamai.
For its latest State of the Internet report, Akamai researchers analyzed victim details posted to the leak sites of about 90 ransomware groups over a 20-month period from October 2021 to May 2023.
They found that organizations still reeling from the cost, damage and chaos of a ransomware attack were prime targets for follow-up attacks, either from the same threat actors or a different group.
“While the victim company is distracted by remediating the initial attack, other ransomware groups that are likely scanning for potential targets and monitoring the activities of their competitors can also leverage this window of opportunity and hit the same company,” the researchers wrote.
The report cited an unnamed company that was initially infected by the Clop ransomware gang, and then attacked by two other ransomware groups, RansomHouse and Abyss, who took advantage of the initial compromise. Last month Clop and ALPHV/BlackCat claimed to have compromised cosmetics company Estee Lauder in separate attacks.
Victim organizations remain vulnerable after the initial high-risk three-month window, the researchers said, referencing a real estate business that was hit twice by prolific ransomware group LockBit, first in 2021 and again this year.
“If the victim organizations have not yet closed gaps in their perimeter or remediated the vulnerabilities abused by attackers to breach their networks the first time, they can be used again,” the report said. “And it does not help if the victim chooses to comply with the ransom demands, as they may then be viewed as potential targets by the same group and others.”
Akamai’s advice to ransomware victims: “Realize that you do not have time to recover – the second wave can hit while you are mitigating the first incident. Be sure to have a team looking for the next attack.”
LockBit dominates evolving ransomware space
The report found that following the demise of Conti last year, LockBit is now the dominant ransomware group, accounting for 39% (1091) of all known victims Akamai analyzed over the 20-month period.
LockBit’s victim count was more than four times greater than its nearest competitors, ALPHV/BlackCat and Clop.
In a blog post discussing the report, Akamai's advisory chief information security officer, Steve Winterfeld, said the ransomware landscape was changing as threat actors becoming more aggressive in both their extortion methods and their exploitation of vulnerabilities. The net effect was more successful ransomware campaigns.
“Ransomware groups are willing to pay for the opportunity for financial gain, whether it’s to pay other hackers to find vulnerabilities in their software, or to acquire access to their intended targets via initial access brokers,” he said.
At the same time, there had been a shift from threat actors encrypting victims’ systems to holding stolen data hostage. One example of this trend: in the MOVEit hack, Cl0p has opted to extort hundreds of victim companies by threatening to leak their stolen data rather than encrypting their systems.
“The criminals even tell customers of the victims that they have stolen their data and encourage them to ask the victim company to pay the ransom. This is done to further exert pressure on the victimized organization to pay the demands,” Winterfeld said.
