Ransomware Groups Weathered Raids, Profited in 2024

A surge in ransomware groups in 2024 left companies facing increased attacks, even as law enforcement ramped up investigations against well-known groups such as LockBit and dismantled popular cybercriminal services, such as the phishing-as-a-service provider LabHost and the encrypted messaging platform Ghost.

A pair of recent studies outlines the state of play. Overall, more than 75 ransomware groups were actively compromising targets in 2024, compared with only 43 the prior year, according to a recent Rapid7 analysis. As a result, more than half of organizations suffered a successful attack, and the majority of those impacted shut down some operations, resulting in significant revenue loss, according to a large survey of IT and cybersecurity practitioners conducted by the Ponemon Institute.

As long as extortion continues to be profitable, organizations will have to deal with significant threats, says Trevor Dearing, director of critical infrastructure solutions at Illumio, a zero-trust security firm and sponsor of the Ponemon report.

“When a few of these gangs have been taken down, there was a dip in activity, but they get very quickly replaced, and that’s the challenge,” he says. “It’s a battle that is worth fighting and it does slow them down, but this is only part of the response we have to have.”

The pace of compromises appears to be only accelerating, with about 15% more ransomware attacks in 2024 compared with the previous year, according to data collected by both NCC Group and Rapid7. Their tallies differed slightly but trended in the same direction. And last month, the number of successful attacks claimed by ransomware groups averaged 18 per day, up from less than 15 in December, according to Rapid7’s data.

Overall, cybercriminals compromised nearly 6,000 victims, posting their information to public data-leak sites, with well-known ransomware groups — such as RansomHub, LockBit, and Play — making tens of millions of dollars each in ransom payments from victims, even as fewer victims paid lower average ransoms, the company found.

Laying Down the Law on Cybercrime

The ransomware gains came despite increased law enforcement activity. In September, European law enforcement disrupted the Ghost encrypted communications platform used by organized crime groups. In November, Canadian authorities arrested the hacker behind the compromise of 165 companies’ Snowflake instances, who had demanded ransoms ranging from $300,000 to $5 million. And in December, Israeli law enforcement arrested a 51-year-old LockBit developer in Israel.

While law enforcement efforts are having an impact on cybercriminal operations, they also appear to be fracturing the ecosystem, as more groups and a greater variety of providers offer cybercriminal services, says Christiaan Beek, senior director of threat analytics for Rapid7.

“Law enforcement is really fighting hard to take on the biggest groups [that are causing businesses] a lot of problems, and we highly applaud those initiatives,” he says. “But the money is really attracting people, and especially if you are in certain countries where you’re hard to catch or protected by the government … then [becoming a ransomware operator] almost feels like a safe option.”

Paying Ransoms Is No Guarantee of Cyber Safety

Estimates of the ransom amounts paid by companies varied significantly, with ransomware specialist Coveware estimating that victims paid a median of $200,000 in Q3 2024, while a survey of more than 2,500 companies conducted by the Ponemon Institute estimated the average ransom demanded to be $1.2 million.

And those figures don’t include investigation and cleanup costs, Illumio’s Dearing says.

“There was almost a doubling in the [share of companies] that lost significant revenue, and that reflects something that we’re seeing across the board — both from financially motivated ransomware attackers, nation-states, or hacktivists — they are just trying to disrupt things,” he says, adding, “Organizations need to think a lot more about incident response, about containing attacks, about trying to make sure that they actually stay in business if there’s an attack.”

The survey also found that paying a ransom rarely solves the problem of lost data or ends the targeting by attackers. Half of all companies (51%) suffered a ransomware attack in 2024, but less than half received a decryption key, and the attacker demanded more money in a third of cases. In the end, only 13% of companies eventually recovered all of their data, according to the Ponemon Institute report.

Plan for Alternate Operations for Business Continuity

Early detection and a plan to continue operations in the face of disruption matter most when it comes to minimizing the impact of a cyberattack. Of the companies that did not pay a ransom, nearly half had backups from which they could recover data, while a similar number deemed the data not important enough to pay the ransom.

In the best-case scenario, companies can quickly move to cloud operations — or another plan for business continuity — giving them the best chance of recovering without drastic impacts, Rapid7’s Beek says.

“We saw one company flip the switch, and suddenly the whole business was running on cloud resources while they were restoring the day-to-day operations,” he says. “So the ransomware incident hardly impacted the business.”

Companies that lack visibility into — and lack security controls protecting — their networks face the most damaging disruption, says Illumio’s Dearing.

“Things that allow lateral movement within organizations — like unpatched systems and weak passwords and open RDP ports — help attackers,” he says. “So there’s an amount of basics that companies need to take.”
