Security Gaps in VPN Infrastructure Drive Ransomware Surge

Corvus’ Q3 cyber threat report reveals VPN vulnerabilities account for 28.7% of incidents, as RansomHub emerges as leading threat actor

Threat actors are capitalising on fundamental virtual private network (VPN) security deficiencies to execute ransomware campaigns, with VPN-based attacks accounting for 28.7% of all incidents in Q3 2024, according to recently revealed research from cyber insurance provider Corvus Insurance.

The investigation reveals threat actors are successfully compromising networks through automated brute-force attacks against publicly accessible VPN endpoints. These attacks exploit common configuration weaknesses, including the continued use of default credentials like 'admin' and 'user', coupled with the absence of multi-factor authentication (MFA) protocols.

"Attackers are focused on finding the path of least resistance into a business to launch an attack, and in Q3 that entry point was the VPN," explains Jason Rebholz, Chief Information Security Officer at Corvus.


He emphasises that organisations need to move beyond basic security measures: "Today, MFA is mere table stakes and must be complemented with secure access controls capable of shoring up these current and future areas of vulnerability."
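The brute-force pattern described above (bursts of failed logins against a public VPN endpoint, default account names such as 'admin' and 'user', and sessions granted without MFA) can be hunted for in gateway authentication logs. The Python below is an added example, not taken from the Corvus report or this article; the log format, field names, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) gateway log format; adapt the regex to your VPN's real logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>\S+)$"
)
DEFAULT_USERS = {"admin", "user"}  # default account names cited in the article
WINDOW = timedelta(minutes=5)      # assumed tuning value
THRESHOLD = 5                      # assumed: failures per source within WINDOW

def analyze(lines):
    """Return alerts as (kind, src, user, timestamp) tuples, in log order."""
    recent_fails = defaultdict(deque)  # src -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not auth events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src, user, ok = m["src"], m["user"], m["result"] == "OK"
        q = recent_fails[src]
        while q and ts - q[0] > WINDOW:  # drop failures outside the window
            q.popleft()
        if not ok:
            q.append(ts)
            if len(q) >= THRESHOLD and src not in flagged:
                flagged.add(src)  # alert once per source
                alerts.append(("brute_force", src, user, m["ts"]))
        elif len(q) >= THRESHOLD and m["mfa"] == "none":
            # A login with no second factor straight after a failure burst
            alerts.append(("success_after_brute_force_no_mfa", src, user, m["ts"]))
        if ok and user in DEFAULT_USERS:
            alerts.append(("default_account_login", src, user, m["ts"]))
    return alerts

# Constructed sample lines (documentation IP ranges), not real data.
SAMPLE_LOG = """\
2024-09-03T02:14:01Z vpn-gw auth result=FAIL user=admin src=203.0.113.45 mfa=none
2024-09-03T02:14:03Z vpn-gw auth result=FAIL user=user src=203.0.113.45 mfa=none
2024-09-03T02:14:05Z vpn-gw auth result=FAIL user=admin src=203.0.113.45 mfa=none
2024-09-03T02:14:07Z vpn-gw auth result=FAIL user=user src=203.0.113.45 mfa=none
2024-09-03T02:14:09Z vpn-gw auth result=FAIL user=admin src=203.0.113.45 mfa=none
2024-09-03T02:14:11Z vpn-gw auth result=OK user=admin src=203.0.113.45 mfa=none
2024-09-03T08:30:00Z vpn-gw auth result=OK user=jdoe src=198.51.100.7 mfa=totp
2024-09-03T08:31:00Z vpn-gw auth result=FAIL user=jdoe src=198.51.100.7 mfa=none
""".splitlines()
```

Calling `analyze(SAMPLE_LOG)` yields three alerts for the first source and none for the MFA-protected user with a single mistyped password.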

The shifting threat actor landscape

The research, derived from ransomware leak site monitoring, documents 1,257 successful attacks in Q3, maintaining the elevated threat levels seen in Q2 (1,248 incidents). Corvus found that five major ransomware operations - RansomHub, PLAY, LockBit 3.0, MEOW and Hunters International - dominated the threat landscape, accounting for 40% of all recorded incidents.


The data highlights significant shifts in threat actor dynamics. RansomHub, which initiated operations in February 2024 following the law enforcement takedown of LockBit's infrastructure in Q1, has rapidly scaled its operations. The group's victim count surged 160% quarter-on-quarter to 195 reported cases, while LockBit 3.0's operations contracted from 208 to 91 victims.

Ecosystem proliferation

The ransomware ecosystem expanded to 59 distinct operations by Q3's end, demonstrating the increasing fragmentation of the cybercrime landscape. RansomHub's swift rise to prominence - claiming over 290 victims across multiple sectors in 2024 - exemplifies how rapidly new threat actors can establish operational capability.

Key facts
  • VPN vulnerabilities accounted for 28.7% of all ransomware attacks in Q3 2024, making them the leading attack vector.
  • Total ransomware incidents reached 1,257 in Q3 2024, with five major groups responsible for 40% of all attacks.
  • RansomHub's victim count increased 160% from Q2 to Q3 2024, reaching 195 reported cases, while LockBit 3.0 declined from 208 to 91 victims.
  • Construction sector attacks rose 7.8% to 83 incidents in Q3, while healthcare saw a 12.8% increase to 53 reported victims.

Sector-specific targeting

Construction sector entities remained primary targets, with 83 reported compromises in Q3 - a 7.8% increase from Q2's 77 incidents. Healthcare organisations experienced intensified targeting, with reported victims rising 12.8% from 42 to 53 quarter-on-quarter.

"As we look forward, businesses must strengthen defences with multi-layered security approaches that extend beyond MFA," Jason notes. "Today, MFA is mere table stakes and must be complemented with secure access controls capable of shoring up these current and future areas of vulnerability."


Cyber Magazine is a BizClik brand
