Threat Trend Report on Ransomware – Statistics and Major Issues in April 2024
Purpose and Scope
This report provides statistics on the number of new ransomware samples, targeted systems, and targeted businesses in April 2024, as well as notable ransomware issues in Korea and other countries. Other major issues and statistics for ransomware that are not mentioned in the report can be found by searching for the following keywords or via the Statistics menu at AhnLab Threat Intelligence Platform (hereinafter “ATIP”).
Disclaimer: The number of ransomware samples and targeted systems are based on the detection names designated by AhnLab, and the statistics on targeted businesses are based on the time the information on the ransomware group’s Dedicated Leak Sites (DLS, identical to ransomware PR sites or PR pages) was collected by the ATIP infrastructure.
Major Statistics
1) Data Sources and Collection Methods
ATIP uses its internal infrastructure to monitor and analyze the following ransomware information.
- List of malicious files and behaviors detected and collected by AhnLab Smart Defense (ASD)
- List of targeted businesses posted on ransomware groups’ DLS
The number of new ransomware samples and statistics on targeted systems were calculated based on the detection names designated by AhnLab. They were also limited to cases where the detected files and behaviors were diagnosed under the category of “Ransomware/” or “Ransom/”.
- Ransomware/Win.Magniber: Example file detection name
- Ransom/MDP.Magniber: Example behavior detection name
The detection names acquired at the time of detection may not allow for the identification of ransomware types (e.g. Generic, Agent, Edit, Decoy, and others), and some cases may be excluded from the ransomware statistics or be counted as a different ransomware type due to changed detection names after detection or a failed detection.
The statistics on targeted businesses are the values that have been organized based on the data accumulated through regular monitoring of ransomware groups’ DLS, where the groups reveal the targeted businesses. If the DLS page was inaccessible or the collection happened late, then the data may have been excluded from the statistics or have been considered to be collected at a time different from the exact date the victim was revealed.
Therefore, this report should be used as a reference to check the general trends of ransomware samples and targeted systems and to see which ransomware groups are actively engaged in attacks through the statistics on targeted businesses to gain a general understanding of trends.
2) Overall Ransomware Statistics
The total number of new ransomware samples collected during the past six months is as follows
Figure 1. Number of new ransomware samples
The number of new samples increased by a small amount in April, which is due to the increase in the number of new LockBit ransomware samples identified in March. Other malware with new samples in April will be discussed in more detail in the section “3. New Samples by Ransomware”.
The table below shows the total numbers after removing duplicate data of ransomware files used in targeted systems and infection. (The term “targeted systems” was used for your convenience, yet it should be understood as systems where ransomware files and behaviors were detected or systems that were exposed to infections.)
Figure 2. Systems and files affected by ransomware
Statistics on targeted systems are very similar to those in March. Attempts involving Magniber ransomware infection increased since early December of 2023, and afterward, the numbers fairly maintained high all throughout the first quarter of 2024. The daily number of systems infected with Magniber in March was about 56, and it was similar in April with an average of about 60. For specific values, refer to “Figure 6. Daily number of targeted systems by ransomware (April 2024)”.
The total number of ransomware behavior detection (Multi-Dimensional Prevention)-based targeted systems and blocked report cases are as follows.
Figure 3. Affected systems where ransomware behavior was detected and reports
Statistics on MDP-based systems were also similar to the previous month, with their numbers not so different from March. As for Magniber, there were no variants or redistributions of files.
3) New Samples by Ransomware
Below are the statistics showing the 865 new samples that were discovered in March, organized by ransomware types. Only 20 ransomware with the most samples are shown.
Figure 4. Number of new samples per ransomware (April 2024)
The number of new samples collected in April was slightly higher in comparison to the figures in March. This is due to the number of LockBit ransomware samples which placed second in the new sample count rankings in March showed a threefold increase.
Gandcrab, which had the most samples in March with 133, also saw a decline but still placed second in the April statistics. The Gandcrab ransomware had been actively distributed for a long period of over a year from early 2018 to the second quarter of 2019. It caused serious harm worldwide with numerous variants. However, its activities were only observed until 2019, and the developer had announced plans to halt development, so the malware has currently disappeared. The GandCrab ransomware samples collected by AhnLab Smart Defense (ASD) in April were all found to be files that were created and distributed from April to June 2018, with no variants or resumption of distribution.
Magniber samples, which are always on the top of the rankings, were identified as those of a type that was distributed between August 2021 and June 2023.
