MSSP, Managed Security Services, Ransomware

Ransomware Groups Targeting VPNs for Initial Access: Report

Malware attack virus alert. Person use smartphone with virtual warning sign with ransomware word. warning notification, Cyber threats.

Ransomware threat groups are exploiting security flaws in VPNs and weak passwords to gain initial access into victims’ networks, according to a new report from Corvus Insurance.

In the third quarter, 28.7% of ransomware insurance claims were from attacks initiated through VPNs, due to either outdated software or VPN gateways were guarded by default or weak passwords and no multifactor authentication (MFA) protection, the insurance company found in its Q3 2024 Cyber Threat Report.

MSSPs are playing an important role in defending organizations against increasingly sophisticated ransomware and other cyberattacks, including ensuring clients have a good backup regimen, according to Kevin McGrail, cloud fellow and principal evangelist at DitoWeb, a Google cloud security partner. That said, organizations need to use them.

“MSSPs are growing every day, but there are still plenty of customers doing what I call ‘ostriching’ and pretending the issue is going away,” McGrail told MSSP Alert. “However, things like regulatory requirements and cyber insurers are playing an important part in making sure that customers are handling cybersecurity better.”

Evolving Ransomware Landscape

The initial access through VPNs and weak passwords was one of several key points that came from the data Corvus collected from ransomware leak sites. The Boston-based insurance company said the level of ransomware attacks remained high, with 1,257 victims in the third quarter. There were 1,248 victims in the second quarter.

In addition, 40% of the third-quarter attacks came from five ransomware groups, part of a larger trend that has been emerging in recent quarters.

“The ransomware ecosystem has long been dominated by a few players,” wrote the report’s authors, Corvus CISO Jason Rebholz and Ryan Bell, head of threat intelligence. “Indeed, three groups — RansomHub, PLAY, and LockBit 3.0 — drove the majority of attacks in the last quarter. And yet the extent of those large players’ dominance is consistently diminishing.”

Rebholz and Bell noted that the number of active ransomware groups globally rose to 59, “reflecting an increasingly complex threat landscape and one that’s more competitive than ever before.” The high-profile law enforcement operations against LockBit and ALPHV – also known as BlackCat – continue to have a ripple effect through the ransomware ecosystem.

There are more small-scale groups than there had been, with new ransomware groups emerging and affiliates of the LockBit and ALPHV ransomware-as-a-service (RaaS) operations jumping ship and catching on with other gangs or creating their own variants.

RansomHub Dominates

RansomHub, which emerged in February, is now the dominant ransomware group. It posted a 160% increase in victims – racking up 195 of them – over the second quarter. Cybersecurity firms like Symantec also have put RansomHub at the top of the list.

Others in Corvus’ top five were PLAY, LockBit 3.0 – still a force, though diminished by the law enforcement action against it earlier this year – Medusa, and Akira. Still, Rebholz and Bell wrote that “even though the most powerful groups dominate the victim count, the ransomware ecosystem is getting more competitive.”

Another point made in the report is that the construction and healthcare industries continue to be prime targets for ransomware groups, which are attracted to vulnerable systems in the critical infrastructure sectors and the likelihood that the ransom will be paid.

The Problematic Human Factor

“The persistence of weak credentials and lack of multi-factor authentication on VPN gateways has facilitated these attacks, making secure access controls crucial for mitigating threats,” the authors wrote. “As we approach the end of 2024, organizations, especially in high-risk industries, must strengthen defenses against a persistent and increasingly crowded ransomware landscape.”

The weak credentials and lack of MFA reflect an ongoing issue within cybersecurity. The human element continues to be a key weakness in cyber defenses. In August, The Cloud Security Alliance reported that issues like misconfigurations, inadequate change control, and insecure interfaces and APIs were among the top threats to cloud security. Other issues include people falling for phishing and other social engineering scams and weak passwords, which is driving the push by the likes of the FIDO Alliance, Microsoft, Google, and Apple to ditch usernames and passwords for authentication in favor of other measures, like biometrics or passkeys.

The report by Corvus – a subsidiary of The Travelers Companies – said such common usernames such as “admin” or “user” make companies easier targets for ransomware groups and other threat actors.

Dito’s McGrail noted that MSSPs can help organizations address weaknesses in their defenses and put contingency procedures in place, which, given the increasing levels of activity in cybercrime in general and ransomware in particular, is needed.

“They have to have a plan because it's a when – not if – it will happen even to the best companies on the planet,” he said.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

You can skip this ad in 5 seconds