Ransomware in 2024: New players, bigger payouts, and smarter tactics
In 2024, ransomware remained the top cybersecurity threat to organizations worldwide. New groups filled the void left by law enforcement crackdowns, targeting businesses with record-breaking ransom demands and sophisticated tactics.
In this article, you will find excerpts from ransomware surveys we covered in 2024 that will help your organization improve cybersecurity strategies.
VPN vulnerabilities, weak credentials fuel ransomware attacks
Following law enforcement’s takedown of LockBit in Q1, RansomHub, which emerged in February 2024, quickly filled the void, becoming one of the more prolific and dangerous cybercriminal groups. In 2024, RansomHub has claimed more than 290 victims across various sectors. In the third quarter, the construction industry remained the most impacted sector, with 83 reported victims. That’s up 7.8% from the 77 attacks reported in Q2 and was driven by ransomware groups like RansomHub, which continue to target infrastructure and related sectors.
Cybercriminals turn to pen testers to test ransomware efficiency
Threat actors are recruiting pen testers to test and improve the reliability of their ransomware for affiliate programs. In Q3 2024, Cato found that organizations who enabled TLS inspection blocked 52% more malicious traffic than organizations without TLS inspection.
MFA bypass becomes a critical security issue as ransomware tactics advance
Ransomware is seen as the biggest cybersecurity threat across every industry, with 75% of organizations affected by ransomware more than once in the past 12 months – a jump from 61% in 2023. For organizations affected by ransomware in the past year, MFA bypass via session hijacking is seen as the greatest emerging threat for ransomware, and at least 54% of devices infected with infostealer malware had an antivirus or endpoint detection and response (EDR) solution installed at the time of infection.
83% of organizations experienced at least one ransomware attack in the last year
Ransomware is an all-too-common occurrence: 83% of organizations have experienced at least one ransomware attack in the last year, 46% of respondents experienced four or more and 14% indicated they experienced 10 or more. When asked if they communicated with the threat actor executing the ransomware attack, 69% said yes. As for whether organizations are paying the ransom, respondents were split: 34% pay every time, 21% pay only some of the time, and 45% never pay.
Ransomware crisis deepens as attacks and payouts rise
During the second quarter, new ransomware groups, including PLAY, Medusa, RansomHub, INC Ransom, BlackSuit, and some additional lesser-known factions, led a series of attacks that eclipsed the first quarter of this year by 16% and the second quarter of 2023 by 8%. Based on Corvus data, the Q2 report found that the average ransomware demand reached $1,571,667.
Most ransomware attacks occur between 1 a.m. and 5 a.m.
In the past year, ThreatDown Malware Removal Specialists (MRS) have witnessed an increase in ransomware gangs attacking companies on weekends and early hours of the morning—when they know IT staff won’t be around. Most ransomware attacks now occur between 1 a.m. and 5 a.m. The US accounts for 48% of all ransomware attacks worldwide but suffers 60% of the world’s attacks on education and 71% of attacks on healthcare.
74% of ransomware victims were attacked multiple times in a year
74% of respondents that were attacked for ransom in the past 12 months were attacked multiple times, many within the span of a week. 78% of targeted organizations paid the ransom—72% paid multiple times, and 33% of those paid ransom four times or more.
Ransomware operators continue to innovate
Within the first six months of 2024, Rapid7 observed 21 new ransomware groups entering the scene. Some groups are brand new, while others are previously known groups rebranding under a new name. One of the most notable of these new groups, RansomHub, has quickly established itself as a prominent extortion group by making 181 posts to its leak site between February 10 and June 30, 2024.
Record-breaking $75 million ransom paid to cybercrime group
The findings from the report uncovered a record-breaking ransom payment of $75 million to the Dark Angels ransomware group, which is nearly double the highest publicly known ransomware payout, and an overall 18% increase in ransomware attacks year-over-year.
Cyber insurance isn’t the answer for ransom payments
Ransomware remains an ongoing threat for organizations and is the largest single cause of IT outages and downtime as 41% of data is compromised during a cyberattack. For the third year in a row, 81% of organizations surveyed paid the ransom to end an attack and recover data. One in three of these organizations that paid the ransom still could not recover even after paying.
Cybercriminals shift tactics to pressure more victims into paying ransoms
Ransomware claims frequency as a whole jumped 64% year over year, primarily due to the explosion of “indirect” ransomware claims whose frequency increased by 415%. Direct ransomware claims frequency increased by 17% in 2023. Likely driven by more businesses successfully restoring from backups in the wake of an attack, the average cost of a direct ransomware attack decreased by 24% in 2023, to $370,000.
Global ransomware crisis worsens
After a down year in 2022, ransomware and extortion incidents increased in 2023. More than 5,000 ransomware victims were detected or posted across multiple social channels, up from approximately 3,000 in 2022. Small and medium-sized enterprises face the largest challenge combatingcyberthreats. More than 50% of ransomware victims had less than 200 employees while 66% had less than 500 employees, according to the research.
Ransom recovery costs reach $2.73 million
Average ransom payment has increased 500% in the last year, according to Sophos. Organizations that paid the ransom reported an average payment of $2 million, up from $400,000 in 2023. However, ransoms are just one part of the cost. Excluding ransoms, the survey found the average cost of recovery reached $2.73 million, an increase of almost $1 million since the $1.82 million that Sophos reported in 2023.
Behavioral patterns of ransomware groups are changing
The number of active ransomware groups more than doubled year-over-year, increasing 55% from 29 distinct groups in Q1 2023 to 45 distinct groups in Q1 2024. The top three most active ransomware groups were LockBit, Blackbasta and Play.
Paying ransoms is becoming a cost of doing business for many
94% of respondents said their company would pay a ransom to recover data and restore business processes, while 5% said ‘maybe, depending on the ransom amount.’ 67% said their company would be willing to pay over $3 million to recover data and restore business processes, with 35% of respondents saying their company would be willing to pay over $5 million.