VPN vulnerabilities, weak credentials fuel ransomware attacks

Attackers leveraging virtual private network (VPN) vulnerabilities and weak passwords for initial access contributed to nearly 30% of ransomware attacks, according to Corvus Insurance.

VPN ransomware attacks

According to the Q3 report, many of these incidents were traced to outdated software or VPN accounts with inadequate protection. For example, common usernames such as “admin” or “user” and a lack of multi-factor authentication (MFA) made accounts vulnerable to automated brute-force attacks, where attackers exploit publicly accessible systems by testing combinations of these weak credentials, frequently achieving network access with minimal effort.
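The brute-force pattern described above (one source hammering default account names such as "admin" or "user" on an internet-facing VPN, with no MFA to stop a guessed password from succeeding) is straightforward to spot in gateway authentication logs. The detection below is an added example, not code from Corvus or from any VPN vendor; the log format, the threshold, the `COMMON_USERNAMES` list and the sample lines are all constructed assumptions. It groups failures per source address, triggers when the failure count inside a sliding window reaches a threshold, and records whether the spray targeted default usernames and whether a successful login followed the failures, which is the outcome the report says attackers frequently achieve.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, vendor-neutral VPN authentication log format (an assumption
# for this example, not any real gateway's syntax):
#   "<ISO timestamp> vpn auth <ok|fail> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Default / generic account names that automated tooling tries first.
# "admin" and "user" come from the report; the rest are assumed additions.
COMMON_USERNAMES = {"admin", "administrator", "user", "test", "guest", "vpn"}

# Constructed sample log: one source spraying default accounts and then
# getting in, plus one legitimate user who mistypes a password once.
SAMPLE_LOG = """\
2024-09-02T01:00:01Z vpn auth fail user=admin src=203.0.113.7
2024-09-02T01:00:03Z vpn auth fail user=admin src=203.0.113.7
2024-09-02T01:00:05Z vpn auth fail user=user src=203.0.113.7
2024-09-02T01:00:07Z vpn auth fail user=test src=203.0.113.7
2024-09-02T01:00:09Z vpn auth fail user=guest src=203.0.113.7
2024-09-02T01:00:11Z vpn auth ok user=admin src=203.0.113.7
2024-09-02T01:02:30Z vpn auth fail user=jsmith src=198.51.100.22
2024-09-02T01:02:45Z vpn auth ok user=jsmith src=198.51.100.22
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_bruteforce(log_text, fail_threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP whose failed logins within `window`
    reach `fail_threshold`.

    Each alert lists the distinct usernames tried, which of them are
    default/common names, and whether a successful login from the same
    source followed the failures (a guessed password that worked).
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)

    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["result"] == "fail"]

        # Sliding window over the failure timestamps: advance `start` until
        # the span [start, end] fits inside `window`, then check its size.
        triggered = False
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= fail_threshold:
                triggered = True
                break
        if not triggered:
            continue

        first_fail_ts = fails[0]["ts"]
        users = {r["user"] for r in fails}
        success_after = any(
            r["result"] == "ok" and r["ts"] >= first_fail_ts for r in recs
        )
        alerts.append({
            "src": src,
            "failures": len(fails),
            "usernames": sorted(users),
            "common_usernames": sorted(users & COMMON_USERNAMES),
            "success_after_failures": success_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the single alert is for 203.0.113.7: five failures against four default account names inside ten seconds, followed by a success, while the one mistyped password from 198.51.100.22 stays below the threshold. In production the threshold and window should be tuned per gateway, and the `success_after_failures` flag is the one worth paging on, since it means a weak credential has already been found.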

“Attackers are focused on finding the path of least resistance into a business to launch an attack, and in Q3 that entry point was the VPN,” said Jason Rebholz, CISO at Corvus. “As we look forward, businesses must strengthen defenses with multi-layered security approaches that extend beyond MFA. Today, MFA is mere table stakes and must be complemented with secure access controls capable of shoring up these current and future areas of vulnerability.”

Ransomware attacks surge in Q3

Using data collected from ransomware leak sites, Corvus identified 1,248 victims in Q2, marking the highest number the company has recorded in any second quarter. This level of activity persisted in Q3, when there were 1,257 attacks.

40% of the Q3 attacks can be traced to five groups: RansomHub, PLAY, LockBit 3.0, MEOW and Hunters International. Of these five, RansomHub was the most active in the quarter, with 195 reported victims (up 160% over Q2), while activity from LockBit 3.0 fell sharply, from 208 victims in Q2 to 91 in Q3.

While the sources behind many of these attacks were relatively consolidated, the ransomware ecosystem did grow over this period, with 59 total groups identified by the end of Q3. This increase is noteworthy since new entrants can quickly become disruptive forces.

For example, following law enforcement’s takedown of LockBit in Q1, RansomHub, which emerged in February 2024, quickly filled the void, becoming one of the more prolific and dangerous cybercriminal groups. In 2024, RansomHub has claimed more than 290 victims across various sectors.

In the third quarter, the construction industry remained the most impacted sector, with 83 reported victims. That’s up 7.8% from the 77 attacks reported in Q2 and was driven by ransomware groups like RansomHub, which continue to target infrastructure and related sectors. Healthcare organizations also experienced a significant increase, with 53 reported victims, up 12.8% from the 42 victims reported in Q2.

The IT Services sector saw a slight decline in Q3, with 49 victims compared to 54 in Q2. However, because a single compromised IT provider can cascade into many customer environments, the sector carries systemic risk and remains a priority target for a number of ransomware groups.
