Threat Trend Report on Ransomware – Statistics and Major Issues in February 2024


Purpose and Scope

 

This report provides statistics on the number of new ransomware samples, number of targeted systems, and targeted companies collected in February 2024, as well as major Korean and international ransomware issues worth noting. Major ransomware-related issues and ransomware-specific statistical information other than those mentioned in this report can be seen through the following keyword search and statistics menu on the AhnLab TIP (Threat Intelligence Platform; hereinafter referred to as “ATIP”).

 

Disclaimer: Note that statistics on the number of ransomware samples and number of damaged systems are based on the detection names assigned by AhnLab, and statistics on targeted companies are based on the information published on the Dedicated Leak Sites (DLS) of ransomware groups, also referred to as ransomware PR sites or PR pages, collected by the ATIP infrastructure over time.

 

Major Statistics

 

1) Data Sources and Collection Methods

 

ATIP uses its internal infrastructure to monitor and analyze the following ransomware information.

  • List of malicious files and behaviors detected and collected by AhnLab Smart Defense (ASD)
  • List of targeted businesses posted on ransomware groups’ DLS

 

The number of new ransomware samples and statistics on targeted systems were calculated based on the detection names designated by AhnLab. They were also limited to cases where the detected files and behaviors were diagnosed under the category of “Ransomware/” or “Ransom/”. 

  • Ransomware/Win.Magniber: Example file detection name
  • Ransom/MDP.Magniber: Example behavior detection name

 

In addition, the detection name obtained at the time of detection may not identify a specific ransomware type (for example, Generic, Agent, Edit, or Decoy). A sample may also be excluded from the ransomware statistics, or counted under another ransomware type, because it was not detected at the time or because its detection name changed after the time of detection.

The targeted company statistics are compiled from data accumulated through periodic monitoring of the DLS pages that ransomware groups maintain to publicize and pressure damaged companies. A DLS page that is inaccessible or out of date at the time of collection may be excluded from the statistics or counted at a different time than the actual disclosure of the damaged company.

Therefore, we suggest using the statistics in this report for the overall trend of ransomware samples and damaged systems and specifically the statistics on damaged companies for understanding the overall trend regarding which ransomware groups are actively attacking.

 

2) Overall Ransomware Statistics

 

The total number of new ransomware samples collected during the past six months is as follows.


Figure 1. Number of new ransomware samples

 

The increase in the number of new ransomware samples confirmed in January showed the same pattern in February. In January, the first- and second-place ransomware cases with detection names Babuk and Conti were confirmed to account for most of the new ransomware samples collected. The new samples collected in February had the same detection names, but the number of Conti cases was confirmed to be higher than Babuk. 

Although related content will be discussed in more detail in “3) New Samples by Ransomware,” just like in January, the samples were not actually Conti and Babuk ransomware but were confirmed as BlackHunt and Abyss ransomware, which were created from the leaked source code of each ransomware.

The total number of targeted systems and ransomware files used for infection during the same period after removing duplicate data is shown below. (The term “targeted systems” is used for your convenience, but more precisely, it should be understood as systems exposed to infection with detected ransomware files or behaviors.)

 


Figure 2. Systems and files affected by ransomware

While the number of confirmed damaged systems did not increase in February, it remained at a high level. This was due to Magniber ransomware infection attempts, which increased starting in early December and remained relatively high throughout February, as opposed to the relatively low numbers seen in September through November 2023.

In January, the number of systems infected with Magniber averaged approximately 63 per day, whereas February saw a slight decrease to approximately 57 confirmed infections. For specific figures, refer to “Figure 6. Daily number of targeted systems per ransomware (February 2024)” below.

The total number of targeted systems based on ransomware behavior detection (MDP) and the number of block reports are as follows:


Figure 3. Targeted systems/reports based on ransomware behavior detection

 

Although statistics on activity detection systems increased compared to the previous month, it can be seen that the number of systems shows a similar pattern compared to the number in August 2023 (15,691/48,366). Likewise, in the case of Magniber ransomware, there is no indication of file variants or resumption of distribution.

 

3) New Samples by Ransomware
 

The statistics below show the 2,627 new samples discovered in February, organized by ransomware. Only the top 20 ransomware with the largest number of samples are presented.


Figure 4. Number of new samples by ransomware (February 2024)

 

Compared to last month, the number of new samples increased by approximately 15%. In January, it was Babuk with 1,199 and Conti with 682 in the first and second positions, respectively; in February, however, the first and second positions changed to Conti with 1,638 and Babuk with 424, respectively.

The number of ransomware samples and statistical data in this report were generated based on the detection names assigned by AhnLab. The ransomware with detection names Conti & Babuk, which ranked first and second, respectively, in January, were confirmed this month as BlackHunt & Abyss Locker ransomware, respectively, not the actual Conti & Babuk ransomware. This is attributed to leaked Conti and Babuk ransomware source code in 2021-2022, which was used to produce new ransomware.

In addition, Magniber, which ranked third in the previous month, was displaced by RA World ransomware with detection name RAWLD, which recorded the third highest number this time. Related content is examined in the “Major Trends” chapter. The Magniber count, which is about 50% lower than that of RA World ransomware, was confirmed to consist of old samples of the type in circulation from August 2021 to June 2023.
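
As an added illustration (not AhnLab's code or the ATIP pipeline), the Python example below applies the counting rules from “1) Data Sources and Collection Methods” and the detection-name caveat above to a few constructed rows. It keeps only the “Ransomware/” and “Ransom/” categories, deduplicates files and systems, sets generic names aside, and relabels Conti, Babuk and RAWLD with the families the report confirmed. The row layout, the `tally` function and the use of “MDP” as the behavior marker are assumptions made for this example.

```python
import re
from collections import Counter

# Name shape taken from the report's two examples:
#   Ransomware/Win.Magniber (file), Ransom/MDP.Magniber (behavior)
NAME_RE = re.compile(r"^(?:Ransomware|Ransom)/([^.]+)\.(\w+)")
GENERIC = {"Generic", "Agent", "Edit", "Decoy"}  # no specific family
# Detection name -> family the report confirmed for February 2024
CONFIRMED = {"Conti": "BlackHunt", "Babuk": "Abyss Locker", "RAWLD": "RA World"}

# Constructed rows (not real telemetry): (system id, file id or None, name)
SAMPLE = [
    ("host-01", "file-a", "Ransomware/Win.Conti"),
    ("host-02", "file-a", "Ransomware/Win.Conti"),   # same file, second system
    ("host-02", "file-b", "Ransomware/Win.Babuk"),
    ("host-03", "file-c", "Ransomware/Win.Generic"),
    ("host-04", None, "Ransom/MDP.Magniber"),        # behavior detection
    ("host-04", None, "Ransom/MDP.Magniber"),        # second block report
    ("host-05", "file-d", "Trojan/Win.Example"),     # other category
    ("host-06", "file-e", "Ransomware/Win.RAWLD"),
]

def tally(events):
    files, systems, mdp_systems = {}, set(), set()
    mdp_reports = excluded = 0
    for system, file_id, name in events:
        m = NAME_RE.match(name)
        if m is None:              # outside "Ransomware/" and "Ransom/"
            excluded += 1
            continue
        platform, label = m.groups()
        systems.add(system)        # duplicates collapse per system
        if platform == "MDP":      # behavior detections: systems and reports
            mdp_systems.add(system)
            mdp_reports += 1
        elif file_id is not None:
            files[file_id] = label  # duplicates collapse per unique file
    specific = [l for l in files.values() if l not in GENERIC]
    return {
        "by_family": Counter(CONFIRMED.get(l, l) for l in specific),
        "unclassified_files": len(files) - len(specific),
        "systems": len(systems),
        "mdp_systems": len(mdp_systems),
        "mdp_reports": mdp_reports,
        "excluded": excluded,
    }

if __name__ == "__main__":
    print(tally(SAMPLE))
```

Counting by raw detection name alone would report these rows as Conti, Babuk and RAWLD, which is why the report's family totals need the analyst-confirmed mapping to be read correctly.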

 
