Grit Blog

GRIT Ransomware Report: August 2024

Additional contributors to this report: Jason Baker, Ryan Silver, JP Mouton, and Grayson North

In this month’s report, we highlight the ransomware group Black Suit, the only ransomware group actively tracked as a “Rebrand” within our taxonomy, continuing the legacy of the preceding “Royal” group. The group appears to have begun operations under the Black Suit moniker in mid-2023 and has continued targeting Windows, Linux, and ESXi environments. Black Suit’s rebranding from Royal was formally acknowledged in a Joint Cybersecurity Advisory in August, and the group experienced its most active month since April, with 17 victims posted to its data leak site (DLS).

Our report also highlights other notable events in August 2024, including the alleged retirement of prominent data broker ‘USDoD’ following his identification, or “dox,” by Crowdstrike. We explore overlaps between the ransomware of the newly emerged group, Cicada3301, and the historical Alphv, also known as Black Cat; we discuss data recycling by Hunters International; and we review LockBit’s posting of potentially historical victims under the illusion of contemporaneous operations. Finally, we examine an advanced phishing and social engineering campaign targeting over 130 organizations across the US. Join us as we study the above and more in our August 2024 ransomware report.

Total Publicly Posted Ransomware Victims: 382
Number of Active Ransomware Groups: 32
Average Posting Rate (per day): 12.3

August 2024 continued the “Summer slowdown” that we have observed in previous years, a welcome decrease in overall operations when compared to the relative flurry of activity observed at the beginning and end of each year. We observed 382 victims claimed across 32 unique ransomware groups, representing a minor increase in total posts from July (350) and a sizeable decline in distinct active groups (40). This may indicate a gradual reconsolidation of a ransomware ecosystem fractured by law enforcement disruption to LockBit and Alphv following a period of more distributed affiliate operations.

The most impactful threat group in August, RansomHub, saw its highest volume of victims since its discovery and continues unabated as the most impactful ransomware group by victim volume for a third straight month. We observed only two new ransomware groups begin operations in August, though both “hit the ground running” with substantial operations, claiming a greater volume of victims than even some Established groups with long operating histories.

Ransomware Victims by Country

The United States remains the country most impacted by ransomware through August 2024. Victims within the US accounted for 56% of victim posts observed, the highest percentage of US-based victims that GRIT has observed since the start of 2024.

The United Kingdom reclaimed the second spot for the most impacted country during the month, with 4.7% of claimed victims being from the UK. The United Kingdom has historically ranked amongst the most impacted countries.

Canada has retained its third most impacted spot for August for the second month in a row, remaining within the top five most impacted countries for every month of 2024. It is likely that Canada will remain within the most impacted countries for the remainder of the year.

While we continue to note some diversity in impacted countries, such as Poland emerging in August, the most impacted countries remain almost exclusively “Western” nations, with the notable exceptions of Brazil and India. This reflects common operating rules enacted by ransomware groups which implicitly or explicitly prevent attacks on organizations based in Russia, China, or the Commonwealth of Independent States.

RansomHub remains the most impactful ransomware group in August 2024, with a steady stream of victims claimed on its data leak site each week. Month-over-month for at least the last three months, the group has continued claiming higher numbers of victims, ending August with its highest monthly volume of 72 victims, nearly doubling the volume of the month’s second most impactful group, LockBit.

LockBit’s operations have continued through August, with notable changes in the impacted victim base. Security researchers have debated the extent to which victims posted by LockBit in August reflect newly compromised victims versus historical attacks. While this is not an uncommon problem with ransomware groups, we note its significance as the group suffers from clearly degraded operations post-Operation Cronos. While still listed as the second most impactful group with 37 victims in August, LockBit’s contemporary performance is visibly diminished from the same time last year – during which the group claimed 122 victims. The group’s future viability and path forward remain uncertain, but its continued posting suggests an intent to remain active and maintain the LockBit brand.

Play rose to the third most impactful ransomware group during August, accounting for approximately 7% of claimed victims for the month with an observed victim count of 28. Play has remained relatively consistent throughout the summer months, with victim counts in the low 20s for June and July. Play impacted US-based victims almost exclusively, with only four Play victims located outside of US borders.

Threat Actor Spotlight: Black Suit (Rebrand)

Black Suit ransomware is attributed as a Rebrand of the Royal ransomware group, as disclosed by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) in a joint advisory in March of 2023 and confirmed in August 2024. This confirmation of Royal’s rebrand to Black Suit brings to an end earlier speculation of partial or tangential ties between the two groups based on code similarities and establishes a direct attributable link between the two. Black Suit’s tactics are consistent with those historically used by Royal, including the deployment of cross-platform capabilities that target both Windows and Linux systems. The group continues to use Tor-based onion sites for victim communications.

Black Suit engages in double extortion, threatening to leak victims’ data if ransom demands are not met and providing an additional point of leverage in cases where victims can recover from encryption without needing to purchase a decryptor. Black Suit ransomware’s ability to disable recovery mechanisms such as shadow copies and safe boot modes demonstrates a thorough approach to systems encryption, increasing the likelihood that victims without reliable backups may be unable to recover absent payment. The group’s rebranding from Royal to Black Suit very likely reflects an attempt by the group to evade detection and law enforcement pressure, employing a tactic frequently used by other ransomware groups in preceding years.

Black Suit ransomware leverages several initial access vectors to infiltrate networks, including exploitation of vulnerabilities in VMware ESXi servers. ESXi servers are widely used in cloud computing and enterprise environments, making them valuable targets for ransomware operators. The group’s ability to target both Windows and Linux platforms increases the susceptible attack surface across enterprise environments where both operating systems are commonly deployed.

In addition to exploiting VMware vulnerabilities, Black Suit frequently uses stolen or weak credentials to gain authenticated access to systems. Black Suit is also known to exploit unsecured Remote Desktop Protocol (RDP) services to gain access to victim networks, a well-known attack vector that nonetheless remains prevalent, particularly among small-to-midsized businesses (SMBs). By targeting RDP, Black Suit affiliates can effectively bypass perimeter defenses and execute malicious payloads remotely. Once inside the network, the Black Suit ransomware uses the NetShareEnum API to discover network shares and administrative shares, supporting lateral movement and subsequent infection of other systems connected to the network. These initial access vectors demonstrate the group’s ability to exploit common misconfigurations and vulnerabilities in enterprise environments; organizations that fail to secure RDP services or patch known vulnerabilities in VMware ESXi servers remain at heightened risk of falling victim to Black Suit attacks.

Black Suit has been observed impacting large organizations where the potential financial impacts of a ransomware attack are significant. The group’s focus on sectors such as cloud services, healthcare, and critical infrastructure may reflect deliberate efforts to target organizations that rely heavily on digital operations and cannot afford extended downtime. These sectors often use VMware virtualization technology, which is a key target for Black Suit, as the compromise of a single ESXi server can lead to the disruption of multiple virtual machines and services. Black Suit has disproportionately impacted regions where enterprise adoption of cloud services and virtualized environments is widespread, such as the United States, the United Kingdom, and Canada. The ransomware group’s concentrated impacts against organizations in these regions could reflect a strategic approach to maximize illicit revenue by targeting organizations with significant financial resources and a dependence on uninterrupted digital operations. Linux-based environments have also become a more prominent target for Black Suit, with many organizations in the enterprise and cloud computing sectors choosing Linux-based systems for their scalability and flexibility. The increasing frequency with which ransomware groups develop Linux variants, as seen with Black Suit, highlights the growing importance of securing non-Windows platforms both on-premises and in the cloud.

Other Notable Ransomware Events

New Ransomware Groups Tracked by GRIT in August 2024:

GRIT identified and began tracking two new ransomware groups in the month of August. The threat groups, Lynx and Helldown, both entered the ransomware ecosystem with purpose, respectively claiming 21 and 18 victims during August alone. As a result, Lynx has been noted in this report as the fourth most active ransomware group by victim volume, surpassing even the Established groups Qilin, Bianlian, and Hunters International. The seemingly high initial operating tempos exhibited by both Helldown and Lynx could result from accumulated victims released contemporaneously, from the presence of experienced affiliates, or from the Splintering or Rebranding of other historical ransomware operations of varying maturity levels. GRIT will continue to monitor these groups for indicators of intent to continue operations or to determine whether either may “flame out” as short-term Ephemeral groups.

A Glitch in the Matrix

Late-August 2024 analyses by Morphisec and Truesec report overlaps between the ransomware of the newly emerged Ransomware-as-a-Service group, Cicada3301, and Alphv, also known as Black Cat. Cicada3301 began posting victims to its data leak site in June 2024, shortly after a series of recruiting posts made to the illicit forum RAMP. Alphv, formerly one of the most prolific Established RaaS groups, appears to have ceased operations under its moniker in the wake of an “exit scam” in February-March 2024: after allegedly extorting a $22 million ransom payment and withholding the affiliate’s share, the group’s administrators announced they would be shuttering and selling the ransomware’s source code.

Similarities noted in the analyses include the use of the Rust programming language, the use of ChaCha20 for encryption, and similarities in the ransomware’s commands and command parameters. Separately, we note that other details of the intrusion and ransomware provided by Truesec and Morphisec, such as the use of ScreenConnect for lateral movement and PsExec for execution, overlap with historical tools deployed by Alphv affiliates. While these similarities are intriguing and do suggest possible commonality of personnel or affiliates between Cicada3301 and Alphv, they are insufficient to indicate a wholesale Rebrand or organized Splintering event.

We have historically assessed a Rebrand of Alphv as less likely based on the apparent credibility of its affiliates’ “exit scam” claims, which we would expect to hurt future recruitment of affiliates and the overall reputation of the group. We lack reporting indicating an organized Splintering of the group and have instead observed contraindicative reporting of at least some subset of the group’s affiliates – Scattered Spider – working with multiple other RaaS groups following Alphv’s seeming dissolution. For these reasons, we find either the participation of former Alphv members in Cicada3301’s operations or the intentional repurposing of historical Alphv ransomware code as the most likely sources of the overlaps ably reported by Morphisec and Truesec.

Marshalling Conflicting Claims

On Monday, 26 August, the Ransomware-as-a-Service group, Hunters International, claimed a high-profile victim on its data leak site – the United States Marshals Service (USMS). In a statement to Bleeping Computer, the USMS declared that they had “evaluated the materials posted by individuals on the dark web, which do not appear to derive from any new or undisclosed incident,” a statement seemingly at odds with numerous screenshots and sample files uploaded to the Hunters International data leak site.

The USMS previously made headlines in February 2023, when ransomware was reported to have taken down a portion of the Service’s systems for upwards of 10 weeks. Open-source reporting indicates that the attack may have impacted the USMS’ Technical Operations Group, a finding supported by a cursory review of the file names posted on Hunters’ data leak site. Furthermore, Bleeping Computer has confirmed that the data posted by Hunters is the same data published by the user “Tronic” on an illicit forum in 2023, shortly after the reported attack. GRIT has reviewed the initial post from March of 2023, titled “350 GB from U.S. Marshal Service (USMS)” on the illicit forum, XSS, with an asking price of “$150K,” and the post’s claims align with the data posted to date by Hunters International.

How this previously breached data came to be posted on Hunters’ data leak site has not been publicly reported, though we note that the participation of the “Tronic” user as a current Hunters International affiliate or an attempted resale by a former buyer are two plausible explanations. We highlight this particular instance not to lend credibility to the group or a particular intrusion but instead to call attention to another case study in ransomware threat actor claims.

Firstly, victims claimed by threat actors may or may not originate from a ransomware intrusion at all and may have occurred at differing times from when the attack is claimed; we do not assess this to be the case in the majority of victim claims based on the frequency of overlaps between victim posts and victim acknowledgments. In this case, it is likely that Hunters International has claimed the USMS in order to create the impression of a new or recent intrusion rather than a historical one. Whether the group has done so for “clout” or to support a secondary ransom demand is unclear.

Secondly, information “sold” or “deleted” by threat actors becomes impossible to verify, as is the case when ransomware victims pay to prevent the publication of sensitive exfiltrated data. Contemporary law enforcement investigations have shone new light on the tendency for ransomware groups to maintain data that they have agreed to delete post-ransom payment in at least some portion of attacks. This enables data to be reused, resold, or broken down into smaller component portions for later reuse or resale. While we do not know the chain of custody for the data posted by “Tronic” through Hunters International’s post, the reposting of historically compromised and circulated or sold data under the pretense of a new intrusion has occurred before and will likely occur in the future.

This is a great opportunity to remind readers of a common trope – ransomware actors are criminals. In all engagement or reporting, claims made by such actors must be viewed skeptically and validated whenever possible.

A Curtain Call for USDoD

‘USDoD’, a threat actor also known on the dark web by the aliases ‘NetSec’, ‘Scarfac33’, and ‘Equation Corp’, has been unmasked after years of financially motivated attacks against primarily US organizations. ‘USDoD’ has built a reputation with threat actors and the threat intelligence community in recent years by selling stolen data directly on dark web forums such as Breached Forums and the now defunct Raid Forums. It was on Breached Forums where ‘USDoD’ made their most recent splash, posting in April 2024 over 2.9 billion records of personally identifiable data on US-based individuals for sale; USDoD had allegedly stolen the records from National Public Data, a background check company. After the actor proved unable to sell the data, a related persona posted a subsection containing a third of the data for public consumption.

The National Public Data breach is one of the most recent attacks perpetrated by ‘USDoD’ but does not appear to have been the one that would ultimately lead to their downfall. In July 2024, ‘USDoD’ leaked over 100,000 indicators of compromise (IOCs) relating to Brazilian threat actors, which were collected by the cybersecurity company CrowdStrike. Through the course of investigating this disclosure, researchers at CrowdStrike were able to tie the ‘USDoD’ persona to the identity of Luan D., a 33-year-old man from Brazil and the alleged operator of the notorious persona. Crowdstrike would go on to pass this information to law enforcement before the information emerged publicly in August.

In a statement to HackRead.com, ‘USDoD’ did not try to dispute the allegations of their true identity, instead tacitly acknowledging the finding by saying, “Congrats to CrowdStrike for doxing me, they are late for the party.” Researchers at multiple entities had apparently unmasked Luan in the past. This revelation about USDoD’s identity may have led the actor into an early retirement, with the actor telling HackRead, “I want to say thank you, it is time to admit I got defeated and I will retire my Jersey. Yes, this is Luan speaking. I won’t run, I’m in Brazil, the same city where I was born.” The actor later proceeded to delete their accounts on the social media sites X and Telegram, telling their community on Telegram that “Whatever happens to me I wont [sic] run from this I wont [sic] mention [names] sorry for everything.” As implied by this, it is almost certain that other individuals assisted Luan in his crimes over the years, some of whom may be identified by law enforcement as co-conspirators in the near future. For now, a major force in the data theft community appears to have been silenced.

DFIR Blog Regarding Social Engineering

In late August, GRIT became aware of an advanced phishing and social engineering campaign that targeted over 130 different organizations. As part of this campaign, users within the targeted organizations were called and/or sent SMS text messages to personal cell phones to establish initial contact, a tactic unlikely to leave a central trail or provide easy insight for normal security tooling.

Victims did not report any discernible accent during the calls made by the threat actors, indicating that native English speakers may have been involved in this particular campaign. During their conversations, the threat actors sought to convince users to navigate to phishing pages spoofed to include VPN branding, hosted at domains where the targeted victim’s organization was mirrored in the page path, such as ciscoweblink[.]com/exampledomain.com. In addition, the threat actor created several custom phishing pages that mimicked the specific VPN provider associated with the targeted organization. These two tactics indicate that the threat actor almost certainly conducted significant research when selecting targets and went to elaborate lengths to ensure the phishing pages would be believable to victims.
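The lookalike pattern described above (a VPN-branded host with the target organization’s real domain mirrored in the path) is something a proxy or DNS log review can flag. The following is an added example, not GRIT tooling or anything from the campaign itself; the brand tokens, organization domains and log lines are constructed for illustration.

```python
"""Flag VPN-themed lookalike phishing URLs in proxy log lines.

Added example, not GRIT tooling. The brand tokens, organization domains
and log lines are constructed placeholders.
"""
from urllib.parse import urlsplit

# Constructed: the organization's own domains (hypothetical).
ORG_DOMAINS = {"exampledomain.com", "example-corp.net"}
# Constructed: vendor/product words an attacker might put in a lookalike host.
VPN_BRAND_TOKENS = {"cisco", "anyconnect", "webvpn", "weblink",
                    "globalprotect", "fortinet", "pulse"}


def refang(url: str) -> str:
    """Turn defanged IoC notation (hxxp, [.], [:]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def classify_url(url, org_domains=ORG_DOMAINS, brand_tokens=VPN_BRAND_TOKENS):
    """Classify one URL.

    Verdicts:
      legit                             host is under one of the org's own domains
      vpn_lookalike_with_mirrored_domain  external VPN-branded host AND the org's
                                        domain appears in the path (the pattern above)
      vpn_branded_external_host         external VPN-branded host, no mirrored domain
      unclassified                      nothing matched
    """
    raw = refang(url.strip())
    parts = urlsplit(raw)
    if not parts.scheme:  # bare host/path as some proxies log it
        parts = urlsplit("http://" + raw)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()

    own_host = any(host == d or host.endswith("." + d) for d in org_domains)
    branded = any(tok in host for tok in brand_tokens)
    mirrored = sorted(d for d in org_domains if d in path)

    if own_host:
        verdict = "legit"
    elif branded and mirrored:
        verdict = "vpn_lookalike_with_mirrored_domain"
    elif branded:
        verdict = "vpn_branded_external_host"
    else:
        verdict = "unclassified"
    return {"host": host, "verdict": verdict, "mirrored_domains": mirrored}


# Constructed proxy log: "<timestamp> <user> <url>" per line.
PROXY_LOG = """\
2024-08-27T14:02:11Z alice https://vpn.exampledomain.com/+CSCOE+/logon.html
2024-08-27T14:05:43Z bob hxxps://ciscoweblink[.]com/exampledomain.com
2024-08-27T14:07:02Z carol https://news.example/article/vpn-tips
2024-08-27T14:09:15Z dave https://anyconnect-portal.example/login
"""


def scan_log(log: str):
    """Return (user, host, verdict) for every line that is not legit/unclassified."""
    hits = []
    for line in log.splitlines():
        _ts, user, url = line.split(maxsplit=2)
        result = classify_url(url)
        if result["verdict"] not in ("legit", "unclassified"):
            hits.append((user, result["host"], result["verdict"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(PROXY_LOG):
        print(hit)
```

The brand-token check is deliberately applied to the host only, so an article URL mentioning "vpn" in its path (the carol line) is not flagged.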

GRIT has observed similar sophisticated social engineering attempts attributed to Scattered Spider, the alleged offshoot of “The Com” online community, which gained infamy last year with multiple successful attacks against large casinos in Las Vegas. In those incidents, the group reportedly impersonated employees in calls to the respective organization’s helpdesk, potentially based on open-source research from social media sites such as LinkedIn. During the calls, an apparent native English speaker without a discernable accent requested assistance accessing their accounts, later potentially gaining access via this charade in at least one instance. At the time of this report, we lack sufficient reporting or evidence to tie this behavior conclusively to Scattered Spider actors, though we note that the overlapping Tactics, Techniques, and Procedures (TTPs) make a connection possible. If the activity were to be tied to Scattered Spider, we would expect to eventually see overlaps between the observed organizations targeted and the data leak sites of associated ransomware groups, including RansomHub and Qilin.

LockBit Hasn’t Bit the Dust

Devoted readers of these reports will note that we have doggedly reported on the differences in the group’s operations as of late; GRIT previously assessed that the group may have changed its operating and targeting structure after the disruptions from law enforcement. This trend continued in August, where LockBit appears to have continued to create the impression that “all is well”. Though the LockBit brand has sustained substantial reputational damage in the wake of numerous international law enforcement disruption efforts, the group continues to post victims at a relatively high rate, with 37 victims claimed in August.

Notably, GRIT has been unable to confirm the legitimacy or recency of all of LockBit’s August posts. In at least one instance, LockBit claimed a victim organization that appears to have long since shuttered. In other cases, victims had been previously claimed by LockBit or even other groups in preceding years. In one example, a listed victim had previously been claimed by LockBit in March 2022, and in another, a listed victim had been claimed by Alphv in February 2022. We consider the most likely explanation for this activity as an attempt to “pad the numbers,” garnering or holding attention for the LockBit brand in the face of criticism that LockBit is a brand and group in decline.

LockBit’s behavior forces us to consider the probability that the group could be using a backlog of historical victims or “sitting on” old data to inflate victim volume over time; as we reviewed in earlier segments, threat actors have repeatedly taken the opportunity to “shift” or repost historical victims as a means to establish credibility. Alternately, there remains the possibility that LockBit is still finding success with targeting and impacting many small and medium-sized businesses. Although experienced “big game hunter” affiliates may have left LockBit’s operations, the group may still prove sustainable and viable at a reduced volume in the near term.
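Both the Hunters International repost of historical USMS data and the LockBit posts matching claims from 2022 are cases an analyst can catch by checking new data leak site posts against a history of earlier claims. The following is an added example of that check, not GRIT tooling; the groups, victim names and dates are constructed placeholders, not real tracked victims.

```python
"""Flag data leak site posts that appear to recycle historical victim claims.

Added example, not GRIT tooling. Victim names, groups and dates are
constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Claim:
    group: str    # claimant: a ransomware group, or "forum:<handle>" for a forum seller
    victim: str   # organization name as written on the DLS or forum post
    posted: date  # date the claim was first observed


# Constructed history of earlier DLS and forum claims.
HISTORY = [
    Claim("lockbit", "Example Widgets Inc.", date(2022, 3, 14)),
    Claim("alphv", "Contoso Logistics, LLC", date(2022, 2, 3)),
    Claim("forum:seller", "Example Federal Agency", date(2023, 3, 1)),
]

# Corporate suffixes that vary between postings of the same organization.
_SUFFIXES = re.compile(r"\b(inc|llc|ltd|corp|gmbh|plc)\b")


def normalize(name: str) -> str:
    """Canonicalize an org name so 'Contoso Logistics, LLC' == 'CONTOSO LOGISTICS'."""
    s = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    s = _SUFFIXES.sub(" ", s)
    return " ".join(s.split())


def find_recycled(new_claims, history=HISTORY, stale_days=365):
    """Return one finding per new claim whose victim was claimed before.

    Each finding records the earlier claimant and the age of the prior claim.
    'stale' is True when the prior claim is older than stale_days, i.e. the new
    post most likely reposts historical data rather than a fresh intrusion;
    'cross_group' is True when a different group made the earlier claim.
    """
    index = {}
    for h in history:
        index.setdefault(normalize(h.victim), []).append(h)

    findings = []
    for c in new_claims:
        for prior in index.get(normalize(c.victim), []):
            age = (c.posted - prior.posted).days
            findings.append({
                "group": c.group,
                "victim": c.victim,
                "prior_group": prior.group,
                "prior_posted": prior.posted.isoformat(),
                "age_days": age,
                "stale": age > stale_days,
                "cross_group": prior.group != c.group,
            })
    return findings


# Constructed August 2024 posts to check against HISTORY.
NEW_POSTS = [
    Claim("lockbit", "Example Widgets, Inc", date(2024, 8, 20)),
    Claim("lockbit", "CONTOSO LOGISTICS", date(2024, 8, 21)),
    Claim("hunters", "Example Federal Agency", date(2024, 8, 26)),
    Claim("lockbit", "Fresh Victim Co", date(2024, 8, 22)),
]

if __name__ == "__main__":
    for f in find_recycled(NEW_POSTS):
        print(f)
```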

We have previously assessed that LockBit is likely to “fizzle out” following Operation Cronos earlier this year; while we continue to assess that this operation significantly impacted the LockBit group, we no longer believe that the group will “go gentle into that good night,” and instead assess that degraded operations under the LockBit banner are likely to continue at least in the near-term.

Final Thoughts

August 2024 saw minor month-over-month growth in the overall volume of ransomware, potentially signaling recovery and normalization from the ecosystem’s shakeups earlier this year. The summer slowdown is nonetheless mirrored in the number of distinct active groups, which shrank by 20% from July to August, potentially indicating a settling or consolidating effect within the wider ecosystem.

Based on data from recent months, we assess that RansomHub will remain among the most impactful ransomware groups by victim volume and that other Established groups will emerge and fall from the rankings based on their performance over time. Akira, Play, and Hunters International have remained “the usual suspects” in this regard. The increased frequency with which we observe seemingly new groups with high operational tempo will be a prime point of focus for us as we work to identify and separate potential Splinters, Rebrands, and Emerging groups with experienced affiliates in their ranks.

Over the course of this report, we’ve detailed some of the ways in which ransomware threat actors continue to attack, obfuscate, and develop in their TTPs; we’ve also seen the long-term impacts of disruptive law enforcement operations and successful attribution of financially motivated cybercriminals. As 2024 begins to wind down, the year seems poised to close with mixed results: stabilizing ransomware victim volume may hold long enough to end multiple years of exponential growth, but the threat persists at record-high (if stable) levels. The silver lining of this activity is the potential correlation between law enforcement and threat intelligence efforts, signaling a clear return on investment and reasoning for such efforts to continue and repeat in the future. To put it more succinctly and close the report, GRIT will continue to monitor and report on the changing ransomware landscape in the months ahead; while disruptive efforts and research to date have been insufficient to completely resolve the threat of ransomware, we look forward to continued future reporting on the degradation and forced realignment of threat actors under concerted external pressure.

The GRIT Ransomware Taxonomy

By subdividing ransomware groups, GRIT can obtain more detailed insights into how ransomware groups progress in their level of operational maturity and can classify and identify potential rebranding activity.

We distinguish ransomware groups by placing them into these six categories:

EMERGING

This category is reserved for new ransomware groups within their first three months of operations. These organizations may be short-lived, resulting in an Ephemeral group; may be determined to have Splintered or Rebranded from an Established group; or may move on to further develop their operations and TTPs over time.

EPHEMERAL

These groups are short-lived, with varied but low victim rates. Observed victims are usually posted in a single or short series of large postings rather than a continuous flow over time. Ephemeral groups, by definition, terminate operations, spin-off, or rebrand within three months of formation. These groups may or may not have dedicated infrastructure (i.e., data leak sites and chat support) as part of their operations.

DEVELOPING

These groups have conducted operations for three months or longer, resulting in a recurring flow of victims. Developing groups do not appear to be directly linked to other ransomware groups as a Splinter or Rebrand but may include some experienced ransomware operators. Developing groups generally improve their people, processes, or technology over time by recruiting additional members, refining TTPs, or improving the quality of their associated ransomware and encryption. These groups generally have dedicated infrastructure (i.e., data leak sites and chat support) as part of their operations.

SPLINTER

These groups consist of a plurality of members from previously Developing or Established groups and may have formed either by choice or due to exclusion. These groups may be identified by very similar or overlapping TTPs and tooling or through HUMINT gathered through interactions with personas on the deep and dark web. Splinter groups differ from Rebrands by the continued existence of the original organization as the Splinter group operates.

REBRAND

These groups consist in whole, or in part, of former Developing or Established groups. Rebrands often maintain the same people, processes, and technology as the original group. Rebrands are generally undertaken in order to minimize attention from law enforcement or intelligence officials or to avoid negative publicity.

ESTABLISHED

These groups have operated successfully for at least nine months and have well-defined and consistent tactics, techniques, and procedures. Established groups often possess functional business units that enable sustained ransomware operations, with specialists focused on areas such as personnel, encryption, negotiations, etc. These organizations successfully employ technology and redundant infrastructure to support their operations.

There are multiple routes a group can take through the various classifications, and no one route is standard. While one group may begin as “Ephemeral” and move their way through the ranks to “Full-time,” another group may enter as a “Rebrand” as part of a larger obfuscation strategy to avoid attention from law enforcement.