Attackers leveraging vulnerabilities in Virtual Private Networks (VPNs) and exploiting weak passwords accounted for 28.7% of ransomware incidents in Q3 2024, according to Corvus Insurance’s latest Cyber Threat Report.
Common credentials like “admin” and a lack of multi-factor authentication (MFA) left VPN systems vulnerable to automated brute-force attacks, highlighting the need for improved basic cyber hygiene.
“Attackers are exploiting the easiest entry points, and VPNs were the favored method this quarter,” said Jason Rebholz, Chief Information Security Officer at Corvus.
“As we look forward, businesses must strengthen defenses with multi-layered security approaches that extend beyond MFA. Today, MFA is mere table stakes and must be complemented with secure access controls capable of shoring up these current and future areas of vulnerability,” he continued.
The Changing Ransomware Landscape
Using ransomware leak sites, Corvus documented 1,248 victims in Q2, the company’s highest second-quarter total on record. This elevated level of activity changed little in Q3, with Corvus documenting 1,257 attacks.
Just five groups launched nearly 40% of Q3 incidents: RansomHub, PLAY, LockBit 3.0, MEOW, and Hunters International. RansomHub – a relatively new player that emerged in February 2024 – was the most active of these groups, boasting 195 victims in Q3, a 160% increase from the previous quarter.
Despite many attacks being attributed to a small number of groups, the ransomware ecosystem expanded in Q3. By the end of the quarter, Corvus documented 59 active groups, suggesting the ransomware gang market is more competitive than ever.
Construction in the Crosshairs
The construction industry was the most targeted sector in Q3 2024, the same as last quarter. Corvus documented 83 reported victims in this sector, up 7.8% from the 77 attacks reported in Q2. This highlights ransomware gangs’ increasing focus on critical infrastructure.
The healthcare sector also experienced an increase in attacks. The number of reported victims rose from 42 in Q2 to 53 in Q3, largely due to attackers exploiting legacy systems and the criticality of healthcare data.
The Importance of VPN Security
According to Corvus, poor VPN security contributed to many of these attacks. The cyber insurance company revealed that 75% of policyholders either lacked comprehensive MFA or failed to deploy it effectively, exposing their systems.
As such, Corvus has urged organizations to adopt secure access controls and ensure robust configurations for remote access systems.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.