Threat Trend Report on Ransomware – Statistics and Major Issues in January 2024


Purpose and Scope 

 

This report provides statistics on the number of new ransomware samples, targeted systems, and targeted businesses in January 2024, as well as notable ransomware issues in Korea and other countries. Other major issues and statistics for ransomware that are not mentioned in the report can be found by searching for the following keywords or via the Statistics menu at AhnLab Threat Intelligence Platform (hereinafter “ATIP”). 

Ransomware
Statistics of by Type

Disclaimer: The numbers of ransomware samples and targeted systems are based on the detection names designated by AhnLab, and the statistics on targeted businesses are based on the time the information on the ransomware group’s dedicated leak sites (DLS, identical to ransomware PR sites or PR pages) was collected by the ATIP infrastructure.

 

Major Statistics

 

1) Data Sources and Collection Methods
 

ATIP uses its internal infrastructure to monitor and analyze the following ransomware information.

- List of malicious files and behaviors detected and collected by AhnLab Smart Defense (ASD)
- List of targeted businesses posted on ransomware groups’ DLS

 

The number of new ransomware samples and statistics on targeted systems were calculated based on the detection names designated by AhnLab. They were also limited to cases where the detected files and behaviors were diagnosed under the category of “Ransomware/” or “Ransom/”.

- Ransomware/Win.Magniber: Example file detection name
- Ransom/MDP.Magniber: Example behavior detection name

 

The detection names acquired at the time of detection may not allow for the identification of ransomware types (e.g. Generic, Agent, Edit, Decoy, and others), and some cases may be excluded from the ransomware statistics or be counted as a different ransomware type due to changed detection names after detection or a failed detection.
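A sketch of the counting rule described above, as an added example that is not AhnLab's or ATIP's own code. The name layout (`<category>/<scope>.<family>`, inferred from the two example names), the once-per-system de-duplication and the sample events are assumptions constructed for illustration.

```python
from collections import Counter

# Categories the report counts as ransomware (from the page).
RANSOM_CATEGORIES = {"Ransomware", "Ransom"}
# Names the report lists as not identifying a ransomware type.
UNTYPED = {"generic", "agent", "edit", "decoy"}

def parse_detection_name(name):
    """Return (kind, family), or None if the name is outside the ransomware
    categories. Assumed layout: <category>/<scope>.<family>, where the
    scope "MDP" marks a behavior detection. family is None when untyped."""
    category, sep, rest = name.strip().partition("/")
    if not sep or category not in RANSOM_CATEGORIES:
        return None
    parts = rest.split(".")
    if len(parts) < 2 or not parts[1]:
        return None
    kind = "behavior" if parts[0] == "MDP" else "file"
    family = parts[1]
    return kind, (None if family.lower() in UNTYPED else family)

def tally(events):
    """events: iterable of (system_id, detection_name).
    Counts each (system, family) pair once (assumed de-duplication rule) and
    reports how many ransomware detections could not be typed."""
    seen, per_family, untyped = set(), Counter(), 0
    for system_id, name in events:
        parsed = parse_detection_name(name)
        if parsed is None:
            continue                      # not a ransomware category
        _, family = parsed
        if family is None:
            untyped += 1                  # e.g. Generic: no family attribution
        elif (system_id, family) not in seen:
            seen.add((system_id, family))
            per_family[family] += 1
    return per_family, untyped

# Constructed sample events (hypothetical hosts, not real telemetry).
SAMPLE_EVENTS = [
    ("host-01", "Ransomware/Win.Magniber"),
    ("host-01", "Ransom/MDP.Magniber"),    # same system and family: counted once
    ("host-02", "Ransomware/Win.Magniber"),
    ("host-03", "Ransomware/Win.Generic"),  # ransomware, but type unknown
    ("host-04", "Trojan/Win.Agent"),        # outside the ransomware categories
    ("host-05", "Ransomware/Win.Babuk"),
]

if __name__ == "__main__":
    print(tally(SAMPLE_EVENTS))
```

The untyped count shows how much of the ransomware volume cannot be attributed to a family, which is the caveat the paragraph above raises about per-family rankings.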

The statistics on targeted businesses are the values that have been organized based on the data accumulated through regular monitoring of ransomware groups’ DLS, where the groups reveal the targeted businesses. If the DLS page was inaccessible or the data was collected belatedly, then the data may have been excluded from the statistics or have been considered to be collected at a time different from the exact date the victim was revealed.

Therefore, this report should be used as a reference for the general trends in ransomware samples and targeted systems and, through the statistics on targeted businesses, for seeing which ransomware groups are actively engaged in attacks.

 

2) Overall Ransomware Statistics
 

The total number of new ransomware samples collected during the past six months is as follows. 


Figure 1. Number of new ransomware samples

The number of new ransomware samples, which had decreased sharply from August to December 2023, increased about 5.8-fold with the change of year. As the graph shows, more ransomware was collected in August of last year, but the sharp increase is notable because it breaks a decreasing trend that had been maintained for about four months.

Babuk and Conti, which ranked first and second among the 2,283 new ransomware samples collected in January 2024, were not ranked in the top positions last December. More detailed information can be found in section “3) New Samples by Ransomware”.

The table below shows the total numbers of targeted systems and of ransomware files used in infections, after removing redundant data. (The term “targeted systems” is used for convenience; it should be understood as systems where ransomware files and behaviors were detected or systems that were exposed to infection.)

 


Figure 2. Systems and files affected by ransomware 

 

The number of targeted systems showed a three to fourfold increase in December 2023 compared to November, and in January 2024 it increased by about 24% compared to the previous month (December 2023).

The increase in the number of targeted systems was attributed to Magniber ransomware infection attempts, which were relatively quiet in early December 2023 but remained relatively high throughout January 2024. While there was an average of 48 Magniber-infected systems in December, the average number of Magniber-infected systems in January 2024 was confirmed to be about 63 per day. Refer to the specific values in “Figure 6. Daily number of targeted systems per ransomware (January 2024)”.

The total numbers of targeted systems based on ransomware behavior detection (MDP) and of blocked report cases are as follows.


Figure 3. Ransomware behavior detection-based targeted systems and reports 

Behavior detection statistics totaled 6,283 cases, a decrease of over 26% compared to the previous month. For Magniber ransomware, because there have been no new file variants and no resumption of distribution, the product detects the files first, resulting in a slight decrease in behavior detections.

 

3) New Samples by Ransomware
 

Below are the statistics for the 2,283 new samples discovered in January, organized by ransomware type. Only the 20 ransomware types with the most samples are shown.


Figure 4. Number of new samples per ransomware (January 2024)

Considering the significant increase in the total number of new samples (an approximately 5.8-fold increase), it is notable that the quantity of Magniber samples decreased, from 156 in the previous month to 102. The Magniber samples were identified as the same type of samples distributed from August 2021 to June 2023.

Furthermore, while Magniber and Lockbit ransomware ranked high in the previous month, Babuk and Conti ransomware accounted for approximately 82% of the total quantity this month. Before explaining further, it should be noted that the source code of Babuk and Conti was leaked between 2021 and 2022, and numerous new ransomware types have been produced based on that source code.

The ransomware sample quantity and statistical data in this report were generated based on the detection names provided by AhnLab. Upon reviewing the samples occupying the first and second ranks, it was confirmed that Babuk corresponds to the ransomware known as Abyss Locker, and Conti corresponds to the ransomware known as BlackHunt. 

 

SHA2
