Comparing different cybersecurity firms’ trend reports for the same month can provide a broader and clearer perspective of actual trends.
For the month of September 2024, Check Point Research’s (CPR) incident response and customer protection data has been analyzed to reveal several ransomware trends.
First, RansomHub, a relatively new Ransomware-as-a-Service (RaaS) player that emerged in February this year, has quickly risen to dominate the ransomware landscape. It accounted for 19% of all ransomware incidents in CPR’s metrics for September, with two more new victims compared to August data.
Second, LockBit, once responsible for 40% of all ransomware victims in 2022–2023, has seen its operational capabilities plummet in recent months. In September 2024, CPR’s own data showed that the group accounted for just 5% of victims (20 new cases), down sharply from its peak activity in previous years. A significant portion (around 40%) of its claimed victims for September had been recycled from previous attacks. This could mean the group is attempting to maintain the appearance of ongoing activity following a major law enforcement crackdown in February 2024.
Other findings
Third, Play ransomware ranked second for CPR’s September metrics, with 43 new victims — compared to its monthly average of 32 victims. Play continued to target US-based firms. Also:
- Qilin ransomware (Agenda), a Russian-speaking RaaS group, had American and Canadian targets in focus, comprising 86% of victims in those regions.
- Ransomware group Meow has been shifting fully from encryption-based attacks to data theft and extortion models.
- In terms of distribution, ransomware attacks in CPR data were most common in the industrial manufacturing industry, followed by those in education and healthcare. In September, RansomHub and Play were the key offenders, particularly in the US data. Geographic distribution of attacks in CPR data showed 48% of all victims were in North America in September, with Western Europe in second place.
- General conclusions from the data showed that ransomware threat actors were using new tactics such as remote encryption; going after sensitive data instead of all types of data; and focusing on industries with low-hanging fruit.
The firm is recommending real-time AI-driven security solutions and zero trust architectures for defense against such threat trends.