NCC Group’s Threat Intelligence team has released new data analyzing ransomware group activities. A notable finding from the research is that activity from the ransomware gang RAGroup increased by more than 300% since the group’s last known attacks in December 2023. The rise in activity has ranked the group among the top three threat actors for the first time.

Security leaders weigh in 

Venky Raju, Field CTO at ColorTokens:

“I can’t speculate on why RAGroup escalated their attacks in the last 12 months; however, one of their primary attack vectors is compromised domain controllers followed by lateral movement. The ability for attackers to freely move around the network is a critical issue, and most businesses have underinvested in protecting against such lateral movement.

“Organizations continue to allocate a majority of their cybersecurity spend on edge solutions like firewalls, EDRs, SIEMs, etc. However, we continue to see breaches rise, with attackers leveraging stolen credentials and software vulnerabilities for the initial access. It is time to recognize that no cyber defense technology can address 100% of all incursions, and a zero-trust approach is needed.

“Businesses should start with implementing microsegmentation with the goal of making it pervasive within their networks. Microsegmentation can disrupt lateral movement within the network, thereby limiting the reach of attackers once they have gained initial access. Microsegmentation is also effective at disrupting command-and-control connections established from compromised systems back to the attacker’s servers. This is often used by attackers such as RAGroup while executing multi-stage attacks.”

Piyush Pandey, CEO at Pathlock:

“In the recent surge of ransomware attacks targeting technology and financial sectors, it’s possible the group exploited a vulnerability in a system or application widely used across these industries. Given the high value of data managed within these sectors, they are particularly vulnerable and attractive targets for cybercriminals. To defend against such threats, organizations in these sectors must implement robust data security measures. Strong access policies are essential to control who can access sensitive systems and data. Additionally, dynamic data access controls should be enforced, including techniques like data masking and attribute-based access control (ABAC). These measures help ensure that sensitive information is only accessible under strict conditions and is obscured when not in use, thereby reducing the potential impact of a data breach.”

Xen Madden, Cybersecurity Expert at Menlo Security:

“The reported 300% surge in RAGroup's operations since December 2023 might not fully represent real-time activities. A strategy commonly used among threat actors is to delay publicizing victim data in order to amass a significant number of targets, a tactic that appears to be gaining popularity among cybercriminals. This strategy not only inflates perceived threat levels but also manipulates the cybersecurity landscape by introducing sudden perceived increases in threat actor capabilities.

“The 67% rise in attacks by the cyber gang Play underscores the importance of user training and a multi-layered defense strategy. These measures are crucial not just for mitigating risks but also for adapting quickly to the evolving tactics of well-established cyber adversaries. As well as more awareness across a range of business sizes, the increased rates mean more SME businesses could be affected, and these could still be in security denial. So, we recommend all businesses create a contingency plan and take appropriate measures to protect themselves.

“With a 41% rise in attacks on technology firms and a 64% increase on financial services, it’s critical to utilize sector-specific threat intelligence to identify and mitigate unique vulnerabilities. While generic security solutions can address common threats, a tailored approach that reflects the unique aspects of each organization’s threat landscape is essential for effective and efficient cybersecurity. It is debatable whether the rise in these sectors is a deliberate choice or a consequence of companies using technologies that are vulnerable to attacks, including those involving social engineering.

“The ransomware landscape has always been a dynamic and interesting world where groups come and go. The emergence of new groups is typical in the cybercriminal ecosystem, where longevity can vary dramatically; this is a routine aspect to monitor rather than a novel threat. However, when a new group emerges and makes a noticeable impact on the community by affecting either a significant number of businesses or a large business, it becomes clear.

“As far as LockBit goes, the community notes that many of LockBit’s recent victim disclosures may include outdated or duplicate data, suggesting possible operational difficulties, which has led to affiliate distrust. And what is a ransomware group without its affiliates?”

Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start:

“Cybercriminal activities can often show seasonal spikes due to various factors including economic cycles, geopolitical events, or targeting specific business cycles. The surge in RAGroup’s activity could be due to normal seasonality, acquisition of more sophisticated attack tools, or financial gains from previous attacks prompting further activity. Lapses in cybersecurity measures during vulnerable periods such as the end of the year when IT staff might be on vacation could have provided initial vectors for increased compromise.

“To combat the escalation in attacks by Play, organizations should implement advanced detection systems focusing on behavioral analytics, conduct regular security training, ensure robust data backup practices and enforce network segmentation. These measures can limit the damage and spread of ransomware attacks.

“In the technology sector, enhancing API security and securing development environments are critical. In financial services, monitoring transaction activities closely and bolstering endpoint security can mitigate risks. Both sectors should focus on educating employees about spear-phishing and other social engineering attacks.

“The continued prominence of LockBit 3.0 and the emergence of new actors like Play and RAGroup underscore the need for dynamic cybersecurity strategies. Organizations must integrate these threats into their risk assessments and improve defenses continually. Increased collaboration and intelligence sharing within the cybersecurity community are essential to address these evolving threats efficiently.”

Darren Guccione, CEO and Co-Founder at Keeper Security:

“Threat actors are increasingly leveraging existing malware with modified Tactics, Techniques and Procedures (TTPs), making it crucial to recognize broader and emerging attack vectors. Organizations should pivot strategy from focusing on identifying specific ransomware variants to mitigating the underlying TTPs employed by attackers. The ever-growing number of connections to network resources — including remote workforce, contractors, service providers, partners and customers — has made potential attack surfaces balloon. Continuous monitoring of network and endpoint activities is essential for real-time detection and response, allowing organizations to contain and mitigate the impact of ransomware incidents promptly.

“To defend against the rapid escalation in ransomware threats posed by established threat actors like RAGroup and Play, it’s crucial for organizations to implement a zero-trust security model to enhance their cybersecurity posture. When it comes to ransomware, or any other cyber threat vector, the best offense is a good defense. A cybersecurity strategy and prudent investment are essential to prevent these types of cyberattacks, because no organization is immune. A zero-trust security model with least privileged access and strong data back-ups will limit the blast radius if a cyberattack occurs. Strong identity and access management at the front end will help prevent the most common cyberattacks that can lead to a disastrous data breach.”