One of the more interesting trends in 2024 has been the rise of unaffiliated ransomware actors. Coveware reported a significant increase in attacks by unaffiliated actors, often referred to as “lone wolves.” These attackers operate independently of established ransomware brands like LockBit or BlackCat, making it more challenging to attribute attacks to a specific group.

This shift towards unaffiliated actors can be traced back to the collapse of major ransomware groups. As law enforcement crackdowns and infighting destabilized these groups, many ransomware affiliates chose to operate independently or under different ransomware brands. Data suggests that affiliates are moving fluidly between different ransomware groups or, in some cases, going unaffiliated altogether to avoid drawing attention to any single group.

The rise of unaffiliated attackers presents a new challenge for cybersecurity professionals. Without clear brand attribution, it becomes more difficult to anticipate and defend against attacks. Enterprises and government agencies must focus on defending against the tactics, techniques and procedures (TTPs) of ransomware attacks, rather than simply tracking the movements of known groups.

One example of a TTP-focused solution is an Endpoint Detection and Response (EDR) system. EDR tools continuously monitor endpoints (computers, servers, mobile devices) for suspicious behavior, enabling rapid detection and response to ransomware or other types of malware. These tools can identify anomalies in user behavior, lateral movement across the network or unusual file access patterns, which are often signs of ransomware activity.
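
A simplified illustration of the "unusual file access patterns" signal, added here as an example and not taken from any EDR product: it flags a process that gives many files across several directories the same new extension within a short window, whatever ransomware brand is behind it. The event format, thresholds, process names and sample events are constructed assumptions.

```python
from collections import defaultdict, deque
import posixpath

WINDOW_SECONDS = 10  # assumed sliding-window length
MIN_FILES = 5        # assumed: distinct files re-extensioned inside the window
MIN_DIRS = 2         # assumed: spread over directories, unlike a single-folder batch job

def rename_event(ts, pid, proc, directory, name, new_name):
    return (ts, pid, proc, "rename", f"{directory}/{name}", f"{directory}/{new_name}")

# Constructed sample telemetry: (epoch_s, pid, process, operation, path, new_path)
EVENTS = [rename_event(100, 410, "editor", "/home/a/docs", "report.docx.tmp", "report.docx")]
# Benign batch conversion inside one folder
EVENTS += [rename_event(200 + i, 522, "phototool", "/home/a/pics", f"img{i}.jpeg", f"img{i}.jpg")
           for i in range(6)]
# Encryption-style burst: many file types, several folders, one new extension
TARGETS = [("docs", "q3.docx"), ("docs", "pay.xlsx"), ("pics", "id.jpg"),
           ("pics", "scan.png"), ("db", "crm.sqlite"), ("db", "crm.bak")]
EVENTS += [rename_event(300 + i, 977, "svc-update", f"/home/a/{d}", n, n + ".locked")
           for i, (d, n) in enumerate(TARGETS)]

def detect_mass_rename(events):
    """Return {pid: alert} for processes whose rename burst crosses the thresholds."""
    windows = defaultdict(deque)  # pid -> (ts, path, new_ext) inside the window
    alerts = {}
    for ts, pid, proc, op, path, new_path in sorted(events, key=lambda e: e[0]):
        if op != "rename" or pid in alerts:
            continue
        new_ext = posixpath.splitext(new_path)[1]
        if new_ext == posixpath.splitext(path)[1]:
            continue  # extension unchanged: ordinary rename
        win = windows[pid]
        win.append((ts, path, new_ext))
        while ts - win[0][0] > WINDOW_SECONDS:
            win.popleft()  # drop events that fell out of the window
        # Only files that received the same new extension as the current event count
        files = {p for _, p, ext in win if ext == new_ext}
        dirs = {posixpath.dirname(p) for p in files}
        if len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS:
            alerts[pid] = {"process": proc, "extension": new_ext,
                           "files": len(files), "alerted_at": ts}
    return alerts

if __name__ == "__main__":
    for pid, alert in detect_mass_rename(EVENTS).items():
        print(pid, alert)
```

The single-folder photo conversion and the editor's temp-file save stay below the thresholds, while the multi-directory burst is flagged on its fifth file.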