21% of cyberattacks that occurred between August 2023 and July 2024 affected organisations in the healthcare sector, up from 18% the previous year. In addition, 15% of attacks targeted the manufacturing industry, while 13% affected technology companies. Attacks against the education sector decreased significantly, from 18% last year to 9% in 2023/24.

This is highlighted by Barracuda Networks in its “Barracuda Threat Spotlight” report on ransomware, which analyzes the most notable trends in ransomware attacks over the past 12 months. In addition, it reveals that lateral movement is the most obvious indicator of a ransomware attack in progress, being detected in 44% of incidents. Another 25% of attacks were identified when attackers began modifying or creating files, and 14% were discovered due to behaviors that did not match usual patterns of activity.

“Ransomware-as-a-service attacks can be particularly difficult to detect and contain because different cybercriminals can employ different tools and tactics to deploy the same malicious payload, leading to a great deal of variability,” said Adam Khan, VP of Global Security Operations at Barracuda Networks.

The rise of ransomware as a service

The study also highlights that the most common ransomware groups operate under a ransomware-as-a-service (RaaS) model. LockBit, for example, was responsible for 18% of known attacks in the past year. Other major players include ALPHV/BlackCat, responsible for 14% of incidents, and Rhysida, a relatively new group, which was behind 8% of identified attacks.

Key Attack Indicators for 2024

According to data from Barracuda Managed XDR’s Endpoint Security, during the first six months of 2024, the top signs of ransomware activity detected were:

  • Lateral movement: Detected in 44% of ransomware attacks, where monitoring systems identified attempts by attackers to move laterally within the network.
  • File modifications: 25% of attacks were detected when the system noticed files being written or modified, analyzing these changes for known ransomware signatures or suspicious patterns.
  • Abnormal behaviors: 14% of incidents were identified thanks to a system that detects unusual behavior on the network, comparing the actions with the typical behavior of users, processes and applications. Deviations such as unusual file access or suspicious activities on the network trigger alerts.

Detailed investigations into a PLAY ransomware attack targeting a healthcare technology company and an 8base ransomware incident affecting an automotive services company revealed that attackers attempt to establish a foothold on unprotected devices in order to advance to the next phase of their attack, and that they hide malicious files in rarely used folders.

Defense in depth and recommendations

Advanced layers of detection are crucial in the fight against active threats like ransomware. Attackers often use the same legitimate commercial tools that IT teams rely on, and can adjust their behavior and tactics in real time to evade defenses.

Barracuda suggests implementing multi-layered AI-powered defenses, which are essential to detect and mitigate advanced attacks, thereby minimizing the impact. It is also recommended to strengthen authentication and access policies, keep systems up to date with regular patches, and offer ongoing security training to employees.