Corvus Insurance: VPN Attacks Drive Surge in Ransomware
Vulnerabilities in virtual private networks (VPNs) have become the primary vector for ransomware attacks, accounting for nearly 30% of incidents in the third quarter of 2024, according to research from Corvus Insurance.
The Boston-based insurtech firm, which provides data-driven cyber insurance products and is owned by The Travelers Companies, reports that attackers are exploiting basic security oversights in VPN implementations - systems that create encrypted connections between remote users and corporate networks.
Basic security failures
The research finds that many breaches stem from organisations using elementary usernames such as 'admin' or 'user', whilst failing to implement multi-factor authentication (MFA) - a security process requiring users to verify their identity through multiple methods.
“Attackers are focused on finding the path of least resistance into a business to launch an attack, and in Q3 that entry point was the VPN,” says Jason Rebholz, Chief Information Security Officer at Corvus. “As we look forward, businesses must strengthen defences with multi-layered security approaches that extend beyond MFA. Today, MFA is mere table stakes and must be complemented with secure access controls capable of shoring up these current and future areas of vulnerability.”
Ransomware ecosystem evolution
The report documents 1,257 ransomware attacks in Q3, maintaining similar levels to the previous quarter's 1,248 incidents. Five major cybercriminal groups – RansomHub, PLAY, LockBit 3.0, MEOW and Hunters International – were responsible for 40% of these attacks.
RansomHub, which emerged in February 2024 following law enforcement's disruption of the LockBit operation, has become a significant threat actor. The group's victim count increased by 160% from Q2 to Q3, reaching 195 reported cases. This growth coincided with a decline in LockBit 3.0's activities, which fell from 208 to 91 victims.
The overall ransomware landscape had expanded to 59 distinct groups by the end of Q3, highlighting the distributed nature of cyber threats. RansomHub's rapid rise to prominence demonstrates how quickly new entrants can establish themselves, with the group claiming more than 290 victims across various sectors in 2024.
- VPN vulnerabilities accounted for 28.7% of all ransomware attacks in Q3 2024, making them the leading attack vector.
- Total ransomware incidents reached 1,257 in Q3 2024, with five major groups responsible for 40% of all attacks.
- RansomHub's victim count increased 160% from Q2 to Q3 2024, reaching 195 reported cases, while LockBit 3.0 declined from 208 to 91 victims.
- Construction sector attacks rose 7.8% to 83 incidents in Q3, while healthcare saw a 12.8% increase to 53 reported victims.
Sector-specific impact
Construction firms continue to face the highest number of attacks, with 83 reported incidents in Q3 - a 7.8% increase from Q2's 77 cases. The healthcare sector experienced a 12.8% rise in attacks, with reported victims increasing from 42 to 53.