Ransomware continues to be a threat in 2024, with recent reports about its persistence, profitability, and evolving tactics. Despite efforts by law enforcement to combat these cyberattacks, ransomware groups show no signs of retreating. A report by blockchain analysis firm Chainalysis reveals that in the first half of 2024, ransomware victims paid nearly $460 million to ransomware groups, marking a 2% increase from the previous year’s record-breaking figure of $449 million. If this trend continues, the total ransom payments for 2024 could surpass the 2023 record of $1.1 billion.
The report notes a shift in ransomware tactics, with some groups increasingly targeting large organizations. These organizations, though typically equipped with stronger cybersecurity measures, present attractive targets due to the potential for massive disruption and data theft, which can justify larger ransom demands. This year has seen some of the highest ransom demands, including a $75 million demand by the Dark Angels ransomware group and a $60 million demand by the BlackSuit group. The median ransom payment in June 2024 was $1.5 million; it was below $199,000 at the beginning of 2023.
Despite the increase in ransom demands, fewer victims are paying. Chainalysis reports a 27% decrease in ransom payments, with Coveware’s Q2 2024 report indicating that companies are refusing to pay. In Q1 of 2019, 85% of ransomware victims paid the ransom; by Q4 of 2023, this had dropped to 29% and remained low at 28% in Q1 of 2024. Although there was a slight increase to 36% in Q2 of 2024, the overall trend suggests a growing resistance among victims to comply with ransom demands. Data exfiltration-only attacks, which involve stealing data without encrypting it, are proving profitable. In Q1 2024, 23% of these attacks led to ransom payments, and this figure rose to 43% in Q2 2024. These attacks are less disruptive and quicker to execute, with a lower risk of detection, leading to a rise in their frequency.
The methods that ransomware groups use to gain initial access to systems are also evolving. Coveware reports an increase in phishing attacks in Q2 of 2024, reversing a downward trend that began in Q1 of 2023. Phishing was the initial access vector in nearly 25% of ransomware attacks, while remote access compromise remained the leading method, used in under 30% of attacks. In Q2, 77% of ransomware attacks involved data exfiltration, underscoring the shift in tactics toward data theft over encryption.
A ransomware report from Barracuda Networks covering the period from August 2023 to July 2024 indicates that healthcare organizations are increasingly being targeted, with 21% of attacks directed at this sector, marking an 18% increase from the previous year. Attacks on local government municipalities rose by 17% year-over-year. Ransomware-as-a-service (RaaS) groups remain active, with LockBit being the most prolific despite a law enforcement operation that disrupted their activities in February 2024. The now-inoperative ALPHV/Blackcat operation was behind 14% of attacks, and the Rhysida group, although accounting for only 8% of attacks overall, targeted healthcare organizations in 38% of its operations. Coveware reports a decline in LockBit’s activity, which only accounted for 8% of attacks in Q2 of 2024. The most active group during this period was Akira, responsible for 11% of attacks. The Barracuda report also suggests that ransomware groups are conducting data exfiltration more often than encryption, resulting in longer dwell times, meaning the period an attacker remains undetected in a network. While this gives security teams more time to detect and mitigate attacks, it also indicates a strategic shift by attackers to maximize data theft while minimizing disruption.
The 2024 State of Ransomware Report from Malwarebytes reveals that most ransomware attacks occur between 1 am and 5 am, a period when IT staff are less likely to be monitoring systems, reducing the chances of detection. The time required to prepare for file encryption has decreased, with attacks that once took weeks now being executed within hours. Ransomware groups also implement techniques that use legitimate tools and processes within the victim’s environment to evade detection.
Overall, these reports paint a picture of ransomware groups adapting their strategies to maintain profitability and evade detection, despite growing resistance from victims. Healthcare organizations need to consider this information as they plan to comply with HIPAA training requirements.