MOXFIVE Monthly Insights - November 2024
In this newsletter, we share the latest threat insights and recommendations from the MOXFIVE team. If you are not already on the MOXFIVE mailing list, subscribe to receive future issues.

November Highlights

In November, ransomware activity continued to evolve with the emergence of several new ransomware variants, including Termite, Frag, and Rec_Rans. These new threats highlight the importance of leveraging threat intelligence to anticipate and defend against increasingly sophisticated ransomware campaigns. At the same time, vulnerabilities such as CVE-2024-40711 and CVE-2024-11667 were actively exploited, underscoring the critical need for timely patch management and robust security practices.

Established groups like Akira, RansomHub, and Eldorado remained highly active, deploying impactful campaigns across various industries. This month’s insights emphasize the dynamic nature of ransomware threats and the urgent need for proactive measures to protect against them.

In November, ransomware attacks targeted a diverse range of industries, with Manufacturing experiencing the highest number of incidents. Construction & Engineering saw a notable share of activity, alongside significant targeting of Technology, Healthcare, and Education.

During November, MOXFIVE assisted with cases involving multiple new ransomware variants. These variants demonstrate diverse tactics, techniques, and procedures (TTPs), impacting organizations across various sectors and geographies.

Below is an overview of these new threats:

Termite: Termite ransomware is the most active ransomware variant to surface in the threat landscape this month. The group behind Termite has quickly targeted organizations in a wide range of industries and countries. For more details, check out the MOXFIVE Termite Threat Actor Spotlight here.

Frag: Threat actors deploying Frag have demonstrated tactics consistent with Akira, including exploiting known vulnerabilities to achieve unauthorized access. Notably, they have leveraged the Veeam Vulnerability (CVE-2024-40711) discussed in the Top Threats section below. 

Rec_Rans: Threat actors deploying Rec_Rans have begun targeting organizations with campaigns that encrypt files and append the '.rec_rans' extension to affected filenames. Publicly available information about their tactics, techniques, and procedures is limited; further details can be found in this PCrisk resource.

Top Threats

Phishing emails, VPN vulnerabilities, lack of MFA, software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.

Veeam Vulnerability (CVE-2024-40711) – A critical deserialization vulnerability in Veeam Backup & Replication software that allows unauthenticated remote code execution. This vulnerability has been exploited by ransomware groups such as Akira, Fog, and Frag to gain unauthorized access and deploy ransomware payloads.

Zyxel Firewall Vulnerability (CVE-2024-11667) – A critical flaw in Zyxel firewalls enabling attackers to compromise network security. Exploitation of this vulnerability has been associated with Helldown ransomware, allowing attackers to gain initial access to victim networks.

Resilience Spotlight

Threat intelligence is a critical component of modern cybersecurity, empowering organizations to make data-driven decisions and stay ahead of persistent threats. By understanding the TTPs employed by threat actors, organizations can proactively identify vulnerabilities, anticipate potential threats, and strengthen their defenses against new ransomware variants like Termite, Frag, and Rec_Rans.

Organizations can strengthen their resilience by:

Utilizing Threat Feeds – Leverage intelligence from trusted sources to monitor and address emerging threats, including ransomware variants like Termite, Frag, and Rec_Rans. 

Conducting Threat Hunting – Proactively search for indicators of compromise (IOCs) and anomalous behaviors informed by known TTPs, enabling early detection and response.

Collaborating with Industry Peers – Participate in threat intelligence-sharing networks to gain insights into new ransomware tactics and successful mitigation strategies.

Implementing Intelligence-Driven Defenses – Use threat intelligence to prioritize patching, refine access controls, and enhance incident response planning.
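As an added example (not part of the MOXFIVE newsletter), the following Python hunt applies the one IOC the page gives for Rec_Rans, the '.rec_rans' filename extension, to file-rename events: it flags every host that renames files to a known ransomware extension and raises a burst finding when several such renames land within a short window, which is the footprint mass encryption leaves in endpoint telemetry. The key=value log format, host names, paths and thresholds are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extension IOC named on the page for Rec_Rans; extend from your own threat feeds.
RANSOM_EXTENSIONS = {".rec_rans"}

# Constructed sample file-event log lines (not real telemetry), one event per line.
SAMPLE_EVENTS = r"""
2024-11-12T09:14:02Z host=ws-17 action=rename src=C:\Users\j\Docs\q3.xlsx dst=C:\Users\j\Docs\q3.xlsx.rec_rans
2024-11-12T09:14:03Z host=ws-17 action=rename src=C:\Users\j\Docs\plan.docx dst=C:\Users\j\Docs\plan.docx.rec_rans
2024-11-12T09:14:03Z host=ws-17 action=rename src=C:\Users\j\Docs\notes.txt dst=C:\Users\j\Docs\notes.txt.rec_rans
2024-11-12T09:14:04Z host=ws-17 action=rename src=C:\Users\j\Docs\a.pdf dst=C:\Users\j\Docs\a.pdf.rec_rans
2024-11-12T09:20:00Z host=srv-02 action=rename src=D:\share\old.bak dst=D:\share\old.bak.rec_rans
2024-11-12T09:30:00Z host=ws-03 action=rename src=C:\tmp\report.docx dst=C:\tmp\report_final.docx
"""

# Assumed log layout: timestamp, host, action, source path, destination path (no spaces in paths).
LINE_RE = re.compile(r"^(\S+) host=(\S+) action=(\w+) src=(\S+) dst=(\S+)$")


def parse_event(line):
    """Return (timestamp, host, action, dst) or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(5)


def hunt(log_text, extensions=RANSOM_EXTENSIONS, threshold=3, window=timedelta(seconds=60)):
    """Per host: count renames to a known ransomware extension and flag a burst
    (at least `threshold` such renames inside any `window`), the mass-encryption pattern."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        ts, host, action, dst = ev
        if action == "rename" and any(dst.lower().endswith(ext) for ext in extensions):
            hits[host].append(ts)
    findings = {}
    for host, times in hits.items():
        times.sort()
        burst = any(sum(1 for t in times if start <= t <= start + window) >= threshold
                    for start in times)
        findings[host] = {"hits": len(times), "burst": burst}
    return findings


if __name__ == "__main__":
    for host, f in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {f['hits']} ransomware-extension rename(s), burst={f['burst']}")
```

A single hit is worth triage on its own; the burst flag is what separates a stray file from active encryption and should drive host isolation.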

Active Threat Actors

In November, the following ransomware groups were among the most active, deploying impactful campaigns across a variety of sectors in the United States:

Akira has remained one of the most active ransomware groups throughout 2024, targeting a range of industries and offering a "deliverable menu" of paid services, including decryptors and data deletion options. In recent months, Akira reintroduced file encryption into its attacks and refined its tactics to enhance operational impact. For more details, check out the MOXFIVE Akira Threat Actor Spotlight here.

RansomHub first appeared as a ransomware-as-a-service (RaaS) operation in early 2024 and has quickly become one of the most widely used ransomware services in the threat landscape. Its unique payment model offers threat actors a 90% commission on paid ransoms, making it especially attractive compared to other ransomware services. For more details, check out the MOXFIVE RansomHub Threat Actor Spotlight here.

Eldorado is a ransomware-as-a-service (RaaS) operation targeting Windows, Linux, and VMware ESXi systems. Known for its double extortion tactics, Eldorado encrypts data and threatens public exposure to pressure victims into paying ransoms.