Threat Trend Report on Ransomware – May 2024 Ransomware Statistics and Major Issues

Objectives and Scope

 

This report provides statistics on new ransomware samples, attacked systems, and targeted businesses in May 2024, as well as notable ransomware issues in Korea and overseas. Other major issues and statistics for ransomware that are not mentioned in the report can be found by searching for the following keywords or via the Statistics menu at AhnLab Threat Intelligence Platform (ATIP).

  • Ransomware
  • Malware by Types

 

Disclaimer: The numbers of ransomware samples and targeted systems are based on the detection names designated by AhnLab, and the statistics on targeted businesses are based on the time at which the information on each ransomware group’s dedicated leak site (DLS, identical to ransomware PR sites or PR pages) was collected by the ATIP infrastructure.

 

Key Statistics

 

1.  Data Sources and Collection Methods
 

ATIP uses AhnLab Smart Defense (ASD) to monitor and analyze the following ransomware information. 

  • List of malicious files and behaviors detected and collected by AhnLab Smart Defense (ASD)
  • List of targeted businesses posted on ransomware groups’ DLS

 

The number of new ransomware samples and statistics on targeted systems were calculated based on the detection names designated by AhnLab. They were also limited to cases where the detected files and behaviors were diagnosed under the category of “Ransomware/” or “Ransom/”. 

  • Ransomware/Win.Magniber: Example file detection name
  • Ransom/MDP.Magniber: Example behavior detection name

 

The detection names acquired at the time of detection may not allow for the identification of ransomware types (e.g. Generic, Agent, Edit, Decoy, and others), and some cases may be excluded from the ransomware statistics or be counted as a different ransomware type due to changed detection names after detection or a failed detection. 
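The counting rule described above can be sketched as follows. This is an added example, not AhnLab's code: the name layout `<category>/<engine>.<family>` is inferred only from the two detection names shown above, and the record fields and sample events are constructed.

```python
import re
from collections import defaultdict

# Assumption: <category>/<engine>.<family>, inferred from the report's two
# examples (Ransomware/Win.Magniber, Ransom/MDP.Magniber).
NAME_RE = re.compile(r"^(Ransomware|Ransom)/([^.]+)\.([^.\s]+)")

# Names the report says do not identify a ransomware type.
GENERIC = {"generic", "agent", "edit", "decoy"}

def classify(detection_name):
    """Return (kind, family), or None if outside the two counted categories."""
    m = NAME_RE.match(detection_name)
    if m is None:
        return None
    category, _engine, family = m.groups()
    kind = "file" if category == "Ransomware" else "behavior"
    if family.lower() in GENERIC:
        family = "(unidentified)"  # counted, but not attributable to a family
    return kind, family

def tally(events):
    """Count unique systems and unique file samples per family."""
    systems, samples = defaultdict(set), defaultdict(set)
    excluded = 0
    for system_id, sample_id, name in events:
        parsed = classify(name)
        if parsed is None:
            excluded += 1  # not "Ransomware/" or "Ransom/": left out of stats
            continue
        kind, family = parsed
        systems[family].add(system_id)  # sets remove duplicate reports
        if kind == "file" and sample_id is not None:
            samples[family].add(sample_id)
    counts = {f: {"systems": len(systems[f]), "samples": len(samples[f])}
              for f in systems}
    return counts, excluded

# Constructed events: (system id, sample id, detection name).
EVENTS = [
    ("host-01", "s1", "Ransomware/Win.Magniber"),
    ("host-01", "s1", "Ransomware/Win.Magniber"),  # duplicate report
    ("host-02", None, "Ransom/MDP.Magniber"),      # behavior detection, no file
    ("host-03", "s2", "Ransomware/Win.Generic"),   # type not identifiable
    ("host-04", "s3", "Trojan/Win.Agent"),         # other category
    ("host-05", "s4", "Ransomware/Win.Stop"),
]

if __name__ == "__main__":
    print(tally(EVENTS))
```
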

The statistics on targeted businesses are compiled from data accumulated through regular monitoring of ransomware groups’ DLS, where the groups reveal the targeted businesses. If a DLS page was inaccessible or the collection happened late, the data may have been excluded from the statistics or recorded with a collection time different from the exact date the victim was revealed.

Therefore, this report should be used as a reference for the general trends in ransomware samples and targeted systems and, through the statistics on targeted businesses, for seeing which ransomware groups are actively engaged in attacks.

 

2.  Overall Ransomware Statistics 

 

The total number of new ransomware samples collected during the past six months is as follows.


Figure 1. Number of new ransomware samples

 

The number of new samples increased by a small amount in May, which is due to the increase in the number of new Stop ransomware samples. The collected files were identified as samples that had been distributed in the past. Other malware with new samples in May will be discussed in more detail in the section “3. New Samples by Ransomware”.  

The table below shows the total numbers of targeted systems and of ransomware files used in infections, with duplicate data removed. (The term “targeted systems” is used for convenience, but it should be understood as systems where ransomware files and behaviors were detected or systems that were exposed to infections.)
 


Figure 2. Systems and files affected by ransomware

 

Statistics on targeted systems in May are very similar to those in April. Magniber ransomware infection attempts have increased since early December 2023 and remained fairly high throughout the first quarter of 2024. The daily number of systems infected with Magniber in April was about 60, and it was similar in May with an average of about 56. For specific values, refer to “Figure 6. Daily number of targeted systems by ransomware (May 2024)”.

The total numbers of targeted systems and blocked report cases based on ransomware behavior detection (MDP) are as follows.


Figure 3. Reports and targeted systems with ransomware behavior detections

 

Statistics on MDP-based systems were also similar to the previous month, differing little from April 2024. As for Magniber, there were no variants or redistributions of files.

 

3. New Samples by Ransomware 

 

Below are the statistics for the 1,142 new samples that were discovered in May, organized by ransomware. Only the 20 ransomware strains with the most samples are shown.


Figure 4. Number of new samples per ransomware (May 2024)

 

The number of new samples collected in May was slightly higher in comparison to the figures in April. This is mainly due to the steep increase in Stop (DJVU) ransomware samples.

 

Stop ransomware first appeared in 2018 and was usually distributed via exploit kits. Its characteristics include a feature that downloads certain malware (e.g., SmokeLoader, Vidar) before file encryption. Threat actors used such malware to steal information from the infected system before encrypting user files. The collected Stop ransomware samples were all files created in September 2019 with no variants or resumption of distribution.

 
