Ransomware attacks surged this year as hackers exploited VPN weaknesses


A report found nearly 30% of ransomware attackers exploit VPNs

Virtual Private Networks, or VPNs, have grown in popularity as a way to guard your privacy when you are online. But a new report from Corvus Insurance, a subsidiary of The Travelers, highlights a concerning trend: nearly 30% of ransomware attacks in the third quarter were facilitated by vulnerabilities in VPNs and weak passwords.

In a ransomware attack, a hacker gains entry into a computer or network and encrypts all of the files. The attacker then demands payment from the victim, usually in Bitcoin, before decrypting the files. While individuals were early targets, ransomware attackers lately have targeted businesses and large institutions, such as hospitals.

The Corvus report shows that many of these cyber incidents were linked to outdated software and inadequately protected VPN accounts. Common usernames like "admin" or "user," combined with the absence of multi-factor authentication (MFA), left systems vulnerable to brute-force attacks. 

These attacks involve cybercriminals testing various combinations of weak credentials to gain unauthorized access to networks with minimal effort.

"Attackers are focused on finding the path of least resistance into a business to launch an attack, and in Q3 that entry point was the VPN," said Jason Rebholz, chief information security officer at Corvus. 

Rebholz urged businesses to adopt multi-layered security strategies that go beyond MFA, which he described as "mere table stakes."

The attacks have steadily increased

The report also provides a detailed analysis of the ransomware landscape. Data from ransomware leak sites indicated 1,248 victims in the second quarter of 2024, with a slight increase to 1,257 in the third quarter. 

Five groups—RansomHub, PLAY, LockBit 3.0, MEOW, and Hunters International—were responsible for 40% of these attacks, the report found. Notably, RansomHub emerged as the most active group, with 195 victims in the third quarter, marking a 160% increase from the second quarter. In contrast, LockBit 3.0's activity decreased significantly.

The number of ransomware attackers is growing, with 59 groups identified by the end of the third quarter. This growth is significant, the report warned, as new entrants can quickly disrupt the landscape. 

After law enforcement dismantled LockBit in Q1, RansomHub, which appeared in February 2024, rapidly became a prominent and dangerous player, claiming over 290 victims across various sectors this year.