Using “admin” as a username for a virtual private network (VPN) is akin to parking your car and leaving the keys in the ignition. You are making it easy; why not leave the car running? This careless practice can make your system vulnerable to ransomware attacks.
According to Corvus Insurance’s Q3 2024 Cyber Threat Report, attackers increasingly exploit these weak points. The report identifies VPN vulnerabilities and inadequate password practices as critical enablers of ransomware attacks, which surged to record levels this quarter.
Corvus analyzed data from ransomware leak sites and found that nearly 30% of attacks stemmed from VPN weaknesses, many tied to outdated software or simple default credentials. The report sheds light on the tactics of cybercriminal groups. It also notes the industries most affected by these crimes.
You can get the full report here; our further thoughts follow.
VPNs as a Gateway for Attackers
Attackers exploiting VPN vulnerabilities accounted for 28.7% of ransomware incidents in Q3 2024. These vulnerabilities often arose from outdated software or poorly secured VPN accounts. Default usernames like “admin” or “user,” combined with a lack of multi-factor authentication (MFA), left many systems exposed to brute-force attacks.
Jason Rebholz, Chief Information Security Officer at Corvus, emphasized the need for robust security measures. “Attackers are focused on finding the path of least resistance into a business to launch an attack, and in Q3 that entry point was the VPN,” he said. Rebholz urged organizations to go beyond MFA and adopt secure access controls that address current and emerging threats.
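The exposure described in this section can be checked from the defender's side. The following is an added example, not code from Corvus or the report: it scans VPN authentication events for repeated failures against default usernames and for default-account logins that succeeded without MFA. The log layout, the threshold, and the finding names are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

DEFAULT_USERS = {"admin", "user"}  # default usernames named in the article
FAIL_THRESHOLD = 5                 # assumed alerting threshold, tune per environment

# Hypothetical key=value log layout; adapt the pattern to your VPN's real format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>ok|fail) mfa=(?P<mfa>\S+)$"
)

# Constructed sample events (documentation IP ranges, not real data).
SAMPLE_LOG = "\n".join(
    [f"2024-09-03T02:14:0{i}Z vpn-auth user=admin src=203.0.113.7 result=fail mfa=none"
     for i in range(5)]
    + [
        "2024-09-03T02:14:09Z vpn-auth user=admin src=203.0.113.7 result=ok mfa=none",
        "2024-09-03T08:30:00Z vpn-auth user=jsmith src=198.51.100.20 result=fail mfa=none",
        "2024-09-03T08:30:12Z vpn-auth user=jsmith src=198.51.100.20 result=ok mfa=totp",
        "2024-09-03T09:00:00Z vpn-auth user=user src=198.51.100.44 result=ok mfa=totp",
    ]
)

def analyze(log_text, threshold=FAIL_THRESHOLD):
    """Return (finding, user, source_ip) tuples for default-account activity."""
    fails = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        user, src = m["user"].lower(), m["src"]
        if user not in DEFAULT_USERS:
            continue
        if m["result"] == "fail":
            fails[(src, user)] += 1
            if fails[(src, user)] == threshold:  # report once per source/user pair
                findings.append(("brute_force_suspected", user, src))
        elif m["mfa"] == "none":
            # A default account authenticated with a password alone.
            findings.append(("default_login_without_mfa", user, src))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

A default-account login that succeeds without MFA right after a burst of failures from the same source is the pattern to triage first.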
Ransomware Landscape Becomes More Competitive
Corvus documented 1,257 ransomware victims in Q3, slightly up from Q2’s 1,248. The report highlights a shift in the ransomware ecosystem. While major groups like LockBit 3.0 saw declines in activity, smaller groups proliferated, increasing competition. By the end of Q3, 59 ransomware groups were active, compared to fewer than 50 earlier this year.
RansomHub emerged as the most active ransomware group, with 195 reported victims—a 160% increase from Q2. Known for its double-extortion tactics, the group has gained notoriety for its ability to turn off security systems using advanced tools like EDRKillShifter. This adaptability has allowed RansomHub to rise to prominence since its emergence in February 2024.
Industry Insights: The Risk Within Construction and Healthcare
The construction sector remained the top target for ransomware attacks in Q3, with 83 victims—a 7.8% increase from Q2. RansomHub and similar groups focused on infrastructure-related industries, exploiting systemic vulnerabilities. Healthcare also saw a significant rise, with 53 victims in Q3, up 12.8% from the previous quarter. The reliance on outdated technology and the sensitive nature of healthcare data make the industry particularly appealing to ransomware operators like PLAY and Medusa.
Although IT services experienced a slight decline in reported attacks, the sector remains a high-value target. Breaches in IT services can cascade, affecting a wide range of customers dependent on these providers.
Increasing Distribution of Ransomware Attacks
The ransomware landscape is becoming increasingly fragmented. Corvus used the Gini coefficient, a metric for measuring dominance, to show that attacks are now more evenly distributed among a growing number of groups. This trend indicates an increasing level of competition in the ecosystem, one in which smaller players join the fray while established groups remain active.
Despite this increased distribution, major players such as PLAY and Medusa continued to dominate in several sectors. The diversification of attackers complicates efforts to combat ransomware as new groups introduce unique tactics and tools.
Key Takeaways for Businesses
Like many similar reports, the Corvus report emphasizes the importance of proactive cybersecurity measures. About 30% of ransomware incidents were linked to VPN vulnerabilities. This underscores the need for strong access controls and comprehensive MFA adoption. Certain industries, like construction and healthcare, also need to address their specific vulnerabilities.
Ransomware groups continue to evolve and expand. The consequence is not surprising: businesses face persistently high cyber threat levels. Put the car keys somewhere safe.