Ransomware Activity for Q3 2024 Dominated by Established Groups including RansomHub, PLAY, and LockBit 3.0.
BOSTON (November 20, 2024) — Corvus Insurance, a wholly owned subsidiary of The Travelers Companies, Inc., today released its Q3 2024 Cyber Threat Report, which showed that attackers leveraging virtual private network (VPN) vulnerabilities and weak passwords for initial access contributed to nearly 30% of ransomware attacks.
According to the Q3 report, many of these incidents were traced to outdated software or VPN accounts with inadequate protection. For example, common usernames such as “admin” or “user” and a lack of multi-factor authentication (MFA) made accounts vulnerable to automated brute-force attacks, in which attackers test combinations of these weak credentials against publicly accessible systems, frequently achieving network access with minimal effort.
“Attackers are focused on finding the path of least resistance into a business to launch an attack, and in Q3 that entry point was the VPN,” said Jason Rebholz, Chief Information Security Officer at Corvus. “As we look forward, businesses must strengthen defenses with multi-layered security approaches that extend beyond MFA. Today, MFA is mere table stakes and must be complemented with secure access controls capable of shoring up these current and future areas of vulnerability.”
The Ransomware Ecosystem
Using data collected from ransomware leak sites, Corvus identified 1,248 victims in Q2, marking the highest number the company has recorded in any second quarter. This level of activity persisted in Q3, when there were 1,257 attacks.
Forty percent of the Q3 attacks can be traced to five groups: RansomHub, PLAY, LockBit 3.0, MEOW, and Hunters International. Of these five, RansomHub was the most active in the quarter, with 195 reported victims (up 160% over Q2), while activity from LockBit 3.0 fell sharply, from 208 victims in Q2 to 91 in Q3.
While the sources behind many of these attacks were relatively consolidated, the ransomware ecosystem did grow over this period, with 59 total groups identified by the end of Q3. This increase is noteworthy since new entrants can quickly become disruptive forces. For example, following law enforcement’s takedown of LockBit in Q1, RansomHub, which emerged in February 2024, quickly filled the void, becoming one of the more prolific and dangerous cybercriminal groups. In 2024, RansomHub has claimed more than 290 victims across various sectors.
Key Industry Trends: Construction Remains Most Impacted Industry in Q3
In the third quarter, the construction industry remained the most impacted sector, with 83 reported victims. That’s up 7.8% from the 77 attacks reported in Q2 and was driven by ransomware groups like RansomHub, which continue to target infrastructure and related sectors. Healthcare organizations also experienced a significant increase, with 53 reported victims, up 12.8% from the 42 victims reported in Q2.
A webinar titled “Analyzing Q3 2024 Ransomware Activity,” featuring Corvus experts, is scheduled for November 20 at 11 a.m. EST.