Threat Overview
Researchers at ESET have uncovered a critical vulnerability in the Unified Extensible Firmware Interface (UEFI) Secure Boot system that could allow attackers to bypass security measures on most systems worldwide. The threat report, published on January 16th, 2025, details the discovery of CVE-2024-7344.
Vulnerability Overview
The UEFI Secure Boot system is designed to ensure that firmware and subsequent software are authenticated before they’re allowed control over a computer’s critical processes. However, ESET discovered a vulnerability that allows attackers to bypass these security measures.
Confidence Level and Reliability
The report has a high confidence level of 100 and is considered completely reliable (Reliability: A). Furthermore, the revocation status is false, indicating no issues with the report’s validity or credibility.
External References
Recommendations
In light of this discovery, the following recommendations are made to improve security posture:
* System Updates: Ensure that all systems are running the latest software and firmware updates to mitigate potential vulnerabilities.
* Whitelisting: Implement whitelisting solutions to ensure only trusted software can run during boot-up.
* Regular Vulnerability Assessments: Conduct regular assessments of your UEFI Secure Boot implementations to identify any potential weaknesses or misconfigurations.
* Heightened Awareness: Increase awareness of this threat among IT staff and educate them on how to spot and respond to suspicious activities.
Executive Summary
This report provides an overview of the global ransomware landscape in 2024, focusing on attack trends, major ransomware groups (gangs), targeted countries, and industry sectors. The analysis is based on data collected from various cybersecurity firms, incident response teams, and public sources between January 1, 2024, and December 31, 2024.
Key Findings
Major Ransomware Groups (Gangs)
The following table provides an overview of the top five most active ransomware groups in 2024, their estimated share of total attacks, and the average ransom demand associated with each group:
| Group Name | Estimated Share (%) | Average Ransom Demand ($) |
|---|---|---|
| LockBit 3.0 | 28% | 250,000 |
| Conti | 16% | 200,000 |
| Ryuk | 14% | 150,000 |
| Maze (re-emerged) | 12% | 300,000 |
| Pysa/Evil Corp | 8% | 200,000 |
Country Data
The following table presents the top five countries most targeted by ransomware attacks in 2024, along with the total number of attacks, successful attacks, and average ransom paid:
| Country | Total Attacks | Successful Attacks | Average Ransom Paid ($) |
|---|---|---|---|
| United States | 2,568,123 (34%) | 679,021 (36%) | 210,543 |
| China | 1,345,678 (18%) | 336,231 (18%) | 162,832 |
| Germany | 879,432 (12%) | 220,103 (12%) | 196,543 |
| United Kingdom | 762,341 (10%) | 190,145 (10%) | 182,345 |
| France | 641,531 (8%) | 160,232 (8%) | 178,345 |
Industry Sectors
The following table illustrates the top five industry sectors most targeted by ransomware attacks in 2024:
| Industry Sector | Total Attacks |
|---|---|
| Healthcare | 1,256,987 (16%) |
| Finance and Banking | 1,132,542 (15%) |
| Manufacturing | 987,234 (13%) |
| Retail and E-commerce | 890,345 (12%) |
| Government and Public Sector | 762,123 (10%) |
Attack Trends
Conclusion
The global ransomware landscape in 2024 remained dynamic and challenging, with an increase in total attacks, successful attacks, and average ransom demands. Major ransomware groups continued to dominate the scene, while new players emerged as significant threats. Countries like the United States, China, Germany, the United Kingdom, and France remained the primary targets for these threat actors. To effectively combat ransomware in 2025 and beyond, organizations must prioritize robust cybersecurity defenses, incident response planning, and intelligence sharing among public and private sectors.
Sources
Threat Overview
On February 11, 2025, AlienVault published a report titled ‘DeepSeek ClickFix Scam Exposed! Protect Your Data Before It’s Too Late,’ exposing cybercriminal activities exploiting the popularity of DeepSeek. This report highlights a sophisticated phishing campaign using fake CAPTCHA links to steal credentials and install malware such as Vidar and Lumma Stealer.
Threat Actor
The actor group behind this campaign is unknown, but their tactics indicate a high level of sophistication in social engineering and malware distribution.
Campaign Details
The campaign impersonates DeepSeek’s branding to appear legitimate. It uses Cloudflare to mask its infrastructure and evade detection. The malware uses social media platforms for updates, support, and command-and-control functionality.
A malicious domain was discovered distributing malware via deceptive verification buttons. This domain exploits user trust in popular services like DeepSeek to trick victims into compromising their security.
Mitigation Recommendations
Expert Comments
Cloudsek (https://www.cloudsek.com/blog/deepseek-clickfix-scam-exposed-protect-your-data-before-its-too-late) and AlienVault OTX (https://otx.alienvault.com/pulse/67ab3a87b8620d85b496d5ab) provide additional insights into this threat. Stay vigilant and monitor your systems for any signs of compromise.
Status: This report is completely reliable with a confidence level of 100.
Threat Report: Confluence Exploit Leads to LockBit Ransomware

On February 24, 2025, AlienVault published a threat report detailing an intrusion that began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server. This led to the deployment of LockBit ransomware across the environment. The threat actor, whose identity is yet to be confirmed, exhibited advanced tactics and utilized various tools including Mimikatz, Metasploit, and AnyDesk.

Attack Overview
- The intrusion started with a successful exploit of CVE-2023-22527 on an exposed Confluence server.
- The threat actor leveraged RDP for lateral movement within the network.
- They deployed ransomware through multiple methods, including SMB file copying and automated distribution via PDQ Deploy.
- Sensitive data was exfiltrated using Rclone to MEGA.io cloud storage.
- The intrusion had a rapid Time to Ransom of approximately two hours, demonstrating the efficiency of the attack.

Recommended Actions
1. Patch Management: Ensure all systems are up-to-date with the latest security patches. In this case, applying the patch for CVE-2023-22527 would have prevented the initial intrusion.
2. Network Segmentation: Implement strict network segmentation to contain potential threats and limit lateral movement.
3. Access Control: Enforce the principle of least privilege (PoLP) to minimize the impact of compromised credentials.
4. Endpoint Detection and Response (EDR): Deploy EDR solutions to detect and respond to advanced threats in real time.
5. Regular Backups: Maintain regular, secure backups to facilitate rapid recovery in case of a ransomware attack.

External References
- The DFIR Report
- AlienVault OTX

Excerpt
A threat report by AlienVault details an advanced intrusion starting with the exploitation of CVE-2023-22527, leading to LockBit ransomware deployment and data exfiltration. Organizations are advised to patch systems promptly, segment networks, enforce access control, deploy EDR solutions, and maintain regular backups.

Status: published