The ransomware and threat actor ecosystem remained highly active in the past quarter. Abacus’ incident response team responded to several high-profile incidents, gaining valuable insights to apply to our hardening and resilience recommendations. With large shifts seen even over the past three months, it is key that business leaders and technical experts alike have a clear picture of what’s changing and what they need to do to keep their business protected, regardless of industry.
The quarter began with a high volume of incidents being attributed to the threat actor group Scattered Spider. This threat actor has several key differentiators, including:
Scattered Spider typically hits companies with high-value data such as PII, complex IT infrastructure, and/or outsourced or vulnerable help desk operations, all of which are common in highly regulated industries such as financial services and healthcare.
Later in the quarter, Scattered Spider activity decreased significantly, and our team saw a different threat actor rise: Akira. Akira launched a series of attacks that leveraged a critical vulnerability (CVE-2024-40766) in SonicWall VPN. Originally thought to be a zero-day, the intrusions were later determined to rely on a known vulnerability, with Akira obtaining access via the process below:
| Threat Actor | Point of Entry | Initial Access Method | Notable Tactics |
| --- | --- | --- | --- |
| Scattered Spider | People & Processes | | |
| Akira | Infrastructure | | |
Unlike Scattered Spider, Akira casts a wide net with its targets, focusing on sheer volume rather than specifically targeting larger organizations or specific verticals. As a result, our incident response team saw a large uptick in the number of incidents at small to mid-sized businesses at the end of Q3, compared to the enterprises targeted by Scattered Spider at the beginning of the quarter.
The takeaway from the changes in activity within one quarter is that the ransomware threat landscape is constantly shifting. When one threat actor fades, another emerges to take its place, employing new and creative tactics that organizations must arm themselves against.
If you’re running SonicWall VPNs, our number one recommendation is simple: disable SSLVPN immediately until patched and hardened.
Beyond that, here are critical steps every company should consider:
Quick Wins
Long-Term Ransomware Protection
Our incident response team expects ransomware groups to continue focusing on widely deployed technologies, exploiting vulnerabilities in VPNs, hypervisors, and remote access tools. At the same time, phishing and credential theft will remain go-to methods for breaking in.
As we move into Q4, our team anticipates an uptick in incidents, as the holiday season is consistently a peak period for cyber threats. Each year the FBI warns the public about an increase in ransomware attacks during the holidays as Black Friday deals begin hitting inboxes. As the year comes to a close, employees are more likely to be working remotely and using public Wi-Fi, clicking links in emails for holiday deals, or rushing through tasks on their way to vacation, possibly missing phishing attempts. Additionally, every team, down to the IT department, has members on PTO and is working with reduced staff and diminished capacity.
People tend to be online more often around the holiday season, often using their work device for last-minute shopping. This increased online activity gives cybercriminals more opportunities to exploit system and network vulnerabilities.
If you want to reduce your ransomware risk, connect with our team to proactively harden your business against cyber threats.