The findings reveal ransomware attacks reached record levels throughout 2024. New groups, new variants and the volume in which they appeared during the year highlight why ransomware is one of the most pressing cybersecurity challenges for organizations worldwide.
Key Findings for 2024:
LockBit and RansomHub dominated variants
• LockBit, one of the most prominent ransomware gangs in recent years, remained the most active ransomware variant through 2024 affecting 603 victims. May was the busiest month, with nearly 200 attacks launched, accounting for 36% of all attacks that month. This surge followed news of the gang’s disbandment after its leader was unmasked earlier in the year.
• RansomHub, a newcomer to the scene in February 2024, was in second place, affecting 586 victims, including high-profile attacks on government entities and 78 victims in the global manufacturing sector. Although these industries have been heavily targeted, this group poses a significant threat to all organizations across the spectrum, with victims ranging from SMEs to large global corporations.
• In third place, the leading players varied by category. For disclosed incidents, financially motivated group Medusa accounted for 5%, with ransom demands by the group exceeding $40M. Play ransomware attacks made up 7% of undisclosed incidents with a total of 342.
Newcomers made an impact
There was a huge increase in new variants compared with 2023, further evidence that organizations must remain vigilant and continue to adapt their cybersecurity measures. Across the year, 48 new groups emerged, a huge 65% increase from the number of new variants from the previous year.
A significant number of these - 44 new variants - were responsible for nearly a third, 32%, of all undisclosed attacks in 2024. In November and December, gangs that debuted in 2024 accounted for more than 50% of the attacks in each month.
Healthcare, Government, and Education are most targeted sectors
In terms of disclosed attacks, healthcare, government, and education accounted for 47% of all 2024’s ransomware news headlines. Healthcare saw a 20% increase over the previous year, government experienced a 15% increase, while attacks on the education sector experienced a decrease of 10%.
Rate of data exfiltration reaches all time high
Extortion continued to be the primary tactic employed in 2024, as evidenced by the alarming surge in data exfiltration which reached an unprecedented high of 94%. Data exfiltration has become a central component of ransomware, with attackers increasingly combining data encryption with data theft and threatening to publish or sell sensitive information if ransoms are not paid. The stolen data often includes personally identifiable information (PII), or intellectual property, which can be sold on the dark web.
“The report shows 2024 was a landmark year with organizations facing growing financial and reputational damage from ransomware attacks, with high-value sectors particularly pressured to pay ransoms to restore operations,” said Dr. Darren Williams, Founder and CEO of BlackFog. “As cybercriminals continuously refine their techniques to exploit vulnerabilities and launch large-scale attacks, defending against ransomware is becoming increasingly complex. Governments are stepping up efforts to counter this growing threat, introducing new measures such as mandatory ransomware incident reporting. However, the global ransomware crisis continues to escalate at an alarming rate. In this evolving threat landscape, proactive and preventative strategies to mitigate ransomware and data exfiltration have never been more crucial.”
2024 also saw significant sector rises in disclosed attacks for:
· Retail – a rise of 96% YoY
· Services – a rise of 88% YoY
· Finance – a rise of 66% YoY
· Critical Infrastructure remained a key target with 103 gas, electrical, or other energy companies attacked.
The top three sectors for undisclosed attacks were: manufacturing (17.6%), services (12.2%) and technology (9.7%).
