March 12, 2024  — 
MSP Threats Security Team

Acronis Cyberthreats Update, March 2024

Authors:

Alexander Ivanyuk Senior Director, Technology

Irina Artioli Cyber Protection Evangelist

Candid Wüest VP of Product Management

The Cyberthreats Update covers current cyberthreat activity and trends, as observed by Acronis analysts and sensors. Figures presented here were gathered in February of this year and reflect threats that we detected as well as news stories from the public domain. This report represents a global outlook and is based on more than one million unique endpoints distributed around the world.

Acronis

Incidents of the month

Recent law enforcement actions against LockBit have led to arrests, indictments, seizure of 28 LockBit servers and confiscation of over 200 cryptowallets utilized by the gang for ransom collection. Additionally, authorities have released a decryptor for LockBit 3.0.

LockBit's ransomware operation linked to over 2,000 victims and generated over $120 million in ransom payments, according to the U.S. Department of Justice. The U.S. State Department offered rewards of up to $15 million for information on the gang's members.

Despite the recent seizure of its servers by international law enforcement, the LockBit ransomware group has swiftly bounced back. Their resurgence is evident from the emergence of new encryptors and the establishment of fresh infrastructure for data leaks and negotiation sites on the dark web. In a revealing follow-up message, the LockBit group's administrator attributed the cause of these developments to potential exploitation of a PHP vulnerability.

In a parallel development, multiple ransomware gangs (Black Basta, Bl00dy ransomware) are actively exploiting numerous vulnerabilities within ScreenConnect. Specifically, on February 19, 2024, ConnectWise released a security bulletin drawing attention to critical vulnerabilities found in ScreenConnect versions 23.9.7 and earlier. These vulnerabilities enable attackers to bypass ScreenConnect authentication, granting them remote control over the host.  To counter these risks, users of ScreenConnect are strongly encouraged to update to version 23.9.8 or beyond.

February malware detections

In February, Acronis Cyber Protect blocked 1.8 million malware threats on endpoints, which is 3.3 times lower compared to January.

It’s important to stop malware early in the attack chain — for example, by blocking the malicious emails that deliver them. Nevertheless, many threats do still make it to the endpoint.

The following table shows the percentage of Acronis clients that had at least one malware threat blocked at the endpoint this month, along with the top three countries with normalized ransomware detections. This number has been hovering around 12% for the last year so far.

Acronis

February ransomware activity

The following statistics are based on data from darknet websites, where ransomware groups publish reports about their victims and release stolen files. These figures may change slightly over time, as not all ransomware groups announce their successes immediately, and some keep victims’ names private while ransom negotiations are ongoing. The below data represents claims by ransomware groups, and the top five countries by number of claimed victims.

Acronis
Acronis

Protection

The aforementioned threats can be detected and mitigated with solutions from Acronis.

Acronis Cyber Protect protects against both known and never-before-seen threats through a multilayered protection approach. This includes behavior-based detection, AI / ML-trained detections and anti-ransomware heuristics, which can detect and block encryption attempts and roll back any tampered files automatically without any user interaction. Additionally, advanced email security and URL filtering can help you protect against social engineering threats. And Acronis #CyberFit score helps you quickly identify systems that need attention, while the integrated patch management makes updating your software to the latest versions simple.

Advanced Security + Endpoint Detection and Response (EDR) for Acronis Cyber Protect Cloud brings the visibility needed to understand attacks, while simplifying the context for administrators and enabling efficient remediation of any threats.

Learn more about Acronis’ approach to cyber protection.