Corvus’ Q3 cyber threat report reveals VPN vulnerabilities account for 28.7% of incidents, as RansomHub emerges as leading threat actor.
Threat actors are capitalising on fundamental virtual private network (VPN) security deficiencies to execute ransomware campaigns, with VPN-based attacks accounting for 28.7% of all incidents in Q3 2024, according to recently-revealed research from cyber insurance provider Corvus Insurance.
The investigation reveals threat actors are successfully compromising networks through automated brute-force attacks against publicly accessible VPN endpoints. These attacks exploit common configuration weaknesses, including the continued use of default credentials like ‘admin’ and ‘user’, coupled with the absence of multi-factor authentication (MFA) protocols.
“Attackers are focused on finding the path of least resistance into a business to launch an attack, and in Q3 that entry point was the VPN,” explains Jason Rebholz, Chief Information Security Officer at Corvus.
He emphasises that organisations need to move beyond basic security measures: “Today, MFA is mere table stakes and must be complemented with secure access controls capable of shoring up these current and future areas of vulnerability.”
The shifting threat actor landscape
The research, derived from ransomware leak site monitoring, documents 1,257 successful attacks in Q3, maintaining the elevated threat levels seen in Q2 (1,248 incidents). Corvus found that five major ransomware operations – RansomHub, PLAY, LockBit 3.0, MEOW and Hunters International – dominated the threat landscape, accounting for 40% of all recorded incidents.
The data highlights significant shifts in threat actor dynamics. RansomHub, which initiated operations in February 2024 following the law enforcement takedown of LockBit’s infrastructure in Q1, has rapidly scaled its operations. The group’s victim count surged 160% quarter-on-quarter to 195 reported cases, while LockBit 3.0’s operations contracted from 208 to 91 victims.
Ecosystem proliferation
The ransomware ecosystem expanded to 59 distinct operations by Q3’s end, demonstrating the increasing fragmentation of the cybercrime landscape. RansomHub’s swift rise to prominence – claiming over 290 victims across multiple sectors in 2024 – exemplifies how rapidly new threat actors can establish operational capability.
KEY FACTS
- VPN vulnerabilities accounted for 28.7% of all ransomware attacks in Q3 2024, making them the leading attack vector.
- Total ransomware incidents reached 1,257 in Q3 2024, with five major groups responsible for 40% of all attacks.
- RansomHub’s victim count increased 160% from Q2 to Q3 2024, reaching 195 reported cases, while LockBit 3.0 declined from 208 to 91 victims.
- Construction sector attacks rose 7.8% to 83 incidents in Q3, while healthcare saw a 12.8% increase to 53 reported victims.
Sector-specific targeting
Construction sector entities remained primary targets, with 83 reported compromises in Q3 – a 7.8% increase from Q2’s 77 incidents. Healthcare organisations experienced intensified targeting, with reported victims rising 12.8% from 42 to 53 quarter-on-quarter.
“As we look forward, businesses must strengthen defences with multi-layered security approaches that extend beyond MFA,” Jason notes. “Today, MFA is mere table stakes and must be complemented with secure access controls capable of shoring up these current and future areas of vulnerability.”
