
November 2024: A Record-Breaking Month for Ransomware Attacks

In November 2024, ransomware activity reached an all-time high, with 632 reported victims listed on leak sites. That is more than double the historical monthly average of 307 victims, and far exceeds even the recent months of heightened activity we reported on in our Q3 2024 Cyber Threat report. It also surpasses the previous peak of 527 victims recorded in May 2024, making November the most active month on record for ransomware attacks.

The question on everyone’s minds is, of course: what happened in November 2024?

[BAR GRAPH] Number of Ransomware Victims Per Month (Jan. 2023 - Nov. 2024)

Key Ransomware Groups Driving the Surge

 

[LINE GRAPH] Monthly Activity of Akira and RansomHub (March 2023 - Nov. 2024)

The record numbers can be attributed to heightened activity by several ransomware groups. 

At the forefront was RansomHub, a group we covered in detail in our last quarterly report. The group emerged in February 2024 and within a matter of months had established itself as one of the most aggressive and effective players in the ransomware landscape. Its operations have expanded across multiple industries, showing a capability for rapid scaling, as evidenced by the steady climb in the number of victims the group posted each month this year, capping off with November’s total of 98.

Akira, another significant contributor, claimed responsibility for 73 victims. Active since March 2023, Akira has become known for its technical adaptability. November marked an operational peak for this group, with the total representing more than triple the group’s typical monthly victim count. This further cements Akira’s position among the most active ransomware actors.

Other groups, including Kill Security, SAFEPAY, and Qilin, also played prominent roles in November's ransomware activity. Together, the top 5 groups were responsible for nearly 50% of the month’s incidents.

How Attacks Start: What The Scan Data Shows

While we don’t know for certain how threat actors gained initial access to all of these organizations, a closer examination of the November attacks reveals a few patterns. 

VPN Targets

About 13% of the victims posted last month appear to be using VPN products that our team has determined, based on past claims data, to be at a higher risk of being breached by attackers. That’s well over double the baseline rate of around 5% of organizations that show evidence of using this category of VPN in general. 

The VPN association was much stronger for certain ransomware groups last month. Looking at the same victim data segmented by group, you can see several instances where well over one in four of the victims have this “higher risk VPN” characteristic, including one at 40%.

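| Ransomware Group | Percentage of Leak Site Victims with High-Risk VPNs |
|------------------|------------------------------------------------------|
| RA Group         | 40%                                                  |
| Kairos           | 37.5%                                                |
| MEOW             | 35.71%                                               |
| Embargo          | 33.33%                                               |
| BianLian         | 28.57%                                               |
| Lynx             | 27.27%                                               |
| Helldown         | 26.67%                                               |
| LockBit 3.0      | 25%                                                  |
| Termite          | 25%                                                  |
| Blacksuit        | 23.81%                                               |
| PLAY             | 23.81%                                               |
| SAFEPAY          | 21.88%                                               |
| Argonauts        | 20%                                                  |
| BlackBasta       | 20%                                                  |
| RansomHouse      | 20%                                                  |
| Sarcoma          | 20%                                                  |
| Qilin            | 17.86%                                               |
| RansomHub        | 14.43%                                               |
| Chort            | 14.29%                                               |
| Rhysida          | 14.29%                                               |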

These observations align with claims data we’ve analyzed recently, which indicates that threat actors are increasingly targeting software vulnerabilities and weak credentials, particularly credentials not protected by multi-factor authentication (MFA) for VPN access. We saw a significant rise in the use of VPNs for initial access in ransomware incidents from Q2 to Q3 2024, with that method rising from 4.8% of attacks to 28.6%. Furthermore, our Threat Intelligence and Risk Advisory teams have carried out numerous engagements with policyholders to help prevent ransomware attacks that occur after a threat actor has accessed compromised VPN accounts.

Microsoft Exchange Servers

In addition, nearly 6% of November’s victims were running outdated Microsoft Exchange Servers. Many were running versions released in 2022 and even 2021 that are still vulnerable to the ProxyShell and ProxyNotShell vulnerabilities, which have long been a staple for ransomware groups. While it’s not a significant percentage of the overall victim population, it shows that even years later there remains an ocean of unpatched systems for ransomware actors to breach. This is another reason threat actors don’t need to wait around for the next major vulnerability in order to stay busy.

A Call to Action for Enhanced Preparedness

The record-breaking numbers in November 2024 serve as a stark reminder of the growing scale of ransomware threats. Organizations should prioritize cybersecurity measures, including timely patching of vulnerabilities and the implementation of multi-factor authentication for all remote access points, particularly VPNs.

As ransomware groups continue to expand their reach, understanding these trends and adapting defenses will be essential for mitigating future risks. Collaboration between industries, governments, and cybersecurity professionals will be crucial in addressing this escalating threat. 

Corvus analysis was made possible with supporting data from eCrime.ch. This report is intended for general guidance and informational purposes only. This report is under no circumstances intended to be used or considered as specific insurance or information security advice. This report is not to be considered an objective or independent explanation of the matters contained herein.
