    Brian Clark (deepthoughts10@infosec.exchange)'s status on Wednesday, 22-Jan-2025 04:39:57 JST
    • screaminggoat

    This tactic of sending unsolicited messages and calls via Teams has an easy solution—only allow specific external domains to communicate with your end users. Review your Teams logs, see which domains your users are communicating with, add them to the allow list and enable the control. Make your end users open up a support ticket for future domain adds so you can vet them.

    Forget about Zero Trust and apply best practice security configurations. Let the marketing people and the CISO worry about whether something is “zero trust” or not. #Cybersecurity

    Microsoft docs:
    https://learn.microsoft.com/en-us/microsoft-365/solutions/trusted-vendor-onboarding?view=o365-worldwide#allow-the-vendors-domain-in-teams-external-access

    From: @screaminggoat
    https://infosec.exchange/@screaminggoat/113867636525001029


    Attached post: Not a Goat 🦝 (@screaminggoat@infosec.exchange)

    I copied [the tweets](https://twitter.com/MsftSecIntel/status/1881751618695094432) from **Microsoft Threat Intelligence** at the Bad Place™ so you don't have to:

    1. In the last quarter of 2024, Microsoft Threat Intelligence observed developments in the ransomware ecosystem that researchers and defenders should watch for in 2025.
    2. Exploitation of vulnerabilities remains a key method for initial access. In October, the threat actor Lace Tempest, known for exploiting 0-days in file-transfer software, was observed exploiting vulnerabilities in Cleo products (CVE-2024-50623, CVE-2024-55956).
    3. This exploitation activity increased in December and, as in past campaigns, Lace Tempest performed double extortion via the Clop leak site. Among ransomware leak sites, however, RansomHub saw the most activity.
    4. RansomHub, a RaaS offering that first appeared in February 2024, was quickly adopted by many threat actors, following the disruption of the hugely popular LockBit. In December, however, LockBit operators announced a new version of the ransomware called LockBit 4.
    5. Microsoft analysts noted that among improvements in detection evasion, anti-analysis, and encryption, LockBit 4 has a function for a “quiet mode.” While Microsoft has not observed widespread use of LockBit 4, analysts and defenders should take note and monitor.
    6. The quiet mode in LockBit 4 can allow threat actors to launch attacks in which file extensions and modification times are preserved after encryption, and ransom notes are not dropped, presenting detection and investigation challenges.
    7. Social engineering also continues to be a prevalent initial access method. In this period, threat actors like Storm-1674 and Storm-1811 continued to conduct phishing and voice phishing (vishing) campaigns over Microsoft Teams.
    8. In these campaigns, the threat actors impersonate IT and help desk personnel, then misuse Quick Assist and other tools to install remote access trojans (RATs).
    9. Storm-1674 is an access broker known for distributing DarkGate, SectopRAT, & Zloader and handing off access to threat actors like Storm-0506 & Sangria Tempest. Storm-1811 is known for social engineering leading to the deployment of BlackBasta using Qakbot and other malware.
    10. In late October to early November, Storm-1811 was observed conducting email bombing before posing as help desk personnel offering to help with the email problem. In this new campaign, Storm-1811 was observed deploying a new malware loader called ReedBed.
    11. Microsoft Defender data shows that the most widespread ransomware variants in the last quarter of 2024 were Akira, FOG, Qilin, Lynx, and the aforementioned RansomHub and BlackBasta. This period also saw the new ransomware variants SafePay and Hellcat.
    12. While the ransomware ecosystem is always evolving, applying durable best practices like credential hygiene, the principle of least privilege, and Zero Trust will continue to help users and organizations protect environments from ransomware threats.

    https://safe.menlosecurity.com/https://learn.microsoft.com/en-us/security/ransomware/

    #threatintel #infosec #cybercrime #ransomware #cybersecurity #storm1674 #storm1811 #clop #lockbit #CVE_2024_50623 #CVE_2024_55956 #cyberthreatintelligence #cti #storm0506 #SangriaTempest #ReedBed #Qakbot #BlackBasta #Zloader #darkgate #qilin #akira #ransomhub
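The Teams external-access allow list that Brian Clark's post recommends, as an added PowerShell example that is not part of either post or of the linked Microsoft doc. It assumes the MicrosoftTeams PowerShell module and a Teams admin account; the domain names are constructed, and the cmdlet and parameter names are taken from that module as I know them rather than from the page.

```powershell
# Added example: move Teams external access from "any domain" to a vetted allow list,
# and close the consumer/Skype paths that unsolicited messages and calls also arrive on.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Constructed sample: domains that the Teams log review showed legitimate traffic with.
# New entries should come in through a support ticket so each one is vetted first.
$vettedDomains = @('partner-a.example', 'vendor-b.example')

# Current state. An empty AllowedDomains list means "all known domains", i.e. open federation.
$before = Get-CsTenantFederationConfiguration
Write-Host ("Before: AllowFederatedUsers={0} AllowedDomains={1}" -f `
    $before.AllowFederatedUsers, ($before.AllowedDomains | Out-String).Trim())

# Keep federation enabled, but only for the listed domains (allow-list mode).
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true
foreach ($domain in $vettedDomains) {
    Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Add = $domain}
}

# Personal (consumer) Teams accounts and Skype users are separate external-access
# switches; they are not covered by the domain allow list, so turn them off explicitly.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
Set-CsTenantFederationConfiguration -AllowPublicUsers $false

# Verify the control is in effect before telling users about the ticket process.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers
```

A domain removed later with `@{Remove = $domain}` in the same parameter takes the tenant back to blocking that domain without touching the rest of the list.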
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.