Monthly Report, 28 pages

Ransomware Intelligence Report: December 2024

Key Findings

  • 12 active ransomware groups targeting Australia
  • Average ransom demand increased to AUD $2.1M
  • Triple extortion becoming standard practice
  • Linux/Virtualization platform variants increasing
  • Initial access via phishing (45%) and VPN vulnerabilities (32%)

Executive Summary

December 2024 ransomware activity remained elevated with 12 distinct groups actively targeting Australian organizations. Average ransom demands increased 23% to AUD $2.1M, reflecting attackers' assessment of target value and payment capacity. Triple extortion—data encryption, exfiltration/publication threats, and DDoS attacks—became standard practice among sophisticated groups.

Active Ransomware Groups

Twelve ransomware groups demonstrated active operations against Australian targets. LockBit remained the most prolific despite law enforcement disruptions. ALPHV/BlackCat, Play, BianLian, and Rhysida showed increased activity.

  • LockBit: 23 confirmed victims
  • ALPHV/BlackCat: 18 victims
  • Play: 14 victims
  • BianLian: 9 victims
  • Rhysida: 8 victims

Tactics and Techniques

Ransomware operators refined tactics focusing on maximum pressure for payment. Triple extortion combined encryption, data publication threats, and DDoS attacks against victim infrastructure and customers.

  • Data exfiltration before encryption now standard
  • DDoS attacks against victims refusing payment
  • Customer/partner notification threats
  • Media outreach to increase pressure
  • Targeted backup destruction

Initial Access Methods

Phishing remained the primary initial access vector (45%), followed by VPN/remote access vulnerabilities (32%). Access brokers continued to supply initial access to ransomware operators.

  • Phishing emails with malicious attachments
  • VPN vulnerabilities (unpatched or weak credentials)
  • RDP exposure with weak authentication
  • Access broker marketplace purchases
  • Supply chain compromises

Linux and Virtualization Platform Targeting

Hypervisor ransomware variants increased 56%, targeting virtualized infrastructure. These attacks impact multiple virtual machines simultaneously, maximizing damage and pressure.

  • ESXi-specific ransomware variants proliferating
  • Targeting virtualization management interfaces
  • Snapshot deletion to prevent recovery
  • Cross-platform impact (Windows, Linux workloads)

Ransom Demands and Payments

Average ransom demands reached AUD $2.1M, up 23% from November. Actual payments averaged 35% of initial demands after negotiation. Payment rates decreased to 41% as organizations improved backup and recovery capabilities.

Recommendations

  • Implement network micro-segmentation to limit lateral movement
  • Deploy immutable, offline backups tested regularly
  • Implement EDR with behavioral ransomware detection
  • Address VPN vulnerabilities and enforce MFA
  • Conduct phishing awareness training with simulations
  • Develop and exercise ransomware-specific incident response playbooks
  • Deploy email security solutions with advanced attachment analysis
  • Protect and monitor virtualization infrastructure
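One way to act on the snapshot-deletion tactic noted under virtualization targeting and on the recommendation to monitor virtualization infrastructure, as an added example that is not part of this report: a Python detector that flags a burst of snapshot-removal tasks by one user in ESXi hostd-style logs. The hostd line layout, the task names matched and the sample log are constructed assumptions, not captured data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# hostd task-creation line layout is approximated here (assumption, not from the report).
TASK_RE = re.compile(r"^(?P<ts>\S+) \S+ hostd\[\d+\] \[.*?user=(?P<user>[^\s\]]+).*?\] "
                     r"Task Created : haTask-\d+-(?P<task>vim\.[\w.]+)-\d+$")
SNAPSHOT_REMOVAL_TASKS = {"vim.vm.Snapshot.remove", "vim.VirtualMachine.removeAllSnapshots"}

def _line(ts, user, task, n):
    """Build one constructed hostd-style task line (sample data, not a captured log)."""
    return (f"{ts} info hostd[2099] [Originator@6876 sub=Vimsvc.TaskManager "
            f"opID=op{n} user={user}] Task Created : haTask-{n}-{task}-{500 + n}")

SAMPLE_HOSTD_LOG = [  # constructed: one benign power-on, then six snapshot removals by root
    _line("2024-12-05T02:10:01.000Z", "admin", "vim.VirtualMachine.powerOn", 10),
    _line("2024-12-05T02:11:00.000Z", "root", "vim.vm.Snapshot.remove", 11),
    _line("2024-12-05T02:11:05.000Z", "root", "vim.vm.Snapshot.remove", 12),
    _line("2024-12-05T02:11:09.000Z", "root", "vim.VirtualMachine.removeAllSnapshots", 13),
    _line("2024-12-05T02:11:14.000Z", "root", "vim.vm.Snapshot.remove", 14),
    _line("2024-12-05T02:11:20.000Z", "root", "vim.vm.Snapshot.remove", 15),
    _line("2024-12-05T02:11:31.000Z", "root", "vim.vm.Snapshot.remove", 16),
]

def parse_task_line(line):
    """Return (timestamp, user, task) for a hostd task-creation line, or None otherwise."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ"), m["user"], m["task"]

def detect_snapshot_purge(lines, threshold=5, window_s=120):
    """Alert when one user issues >= threshold snapshot removals inside window_s seconds.
    Returns [(user, burst_start, burst_end, count)], one alert per burst."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # user -> timestamps of recent snapshot removals
    alerts = []
    for line in lines:
        parsed = parse_task_line(line)
        if parsed is None or parsed[2] not in SNAPSHOT_REMOVAL_TASKS:
            continue
        ts, user, _ = parsed
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop removals that fell out of the sliding window
            q.popleft()
        if len(q) == threshold:  # fires once, when the burst first crosses the threshold
            alerts.append((user, q[0], ts, len(q)))
    return alerts
```

Tune `threshold` and `window_s` against a baseline of legitimate backup-job snapshot churn before alerting on production hosts.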

Need Help Responding to These Threats?

Our security experts can help you assess your risk and implement effective defenses.