$460 Million Paid to Ransomware Groups in H1, 2024
Several ransomware reports have been released in the past few weeks that shed light on the extent to which ransomware is being used in cyberattacks, the profitability of the attacks, and the tactics involved. What these reports make clear is there is no sign of ransomware groups abandoning ransomware, even with significant law enforcement operations and arrests.
Almost $460 Million Paid to Ransomware Groups in H1 2024
A recent report from the blockchain analysis firm Chainalysis has revealed ransomware victims have paid $459,800,000 to ransomware groups in the first half of 2024, a 2% increase from 2023’s record-breaking ransom payment total of $449,100,000 in H1, 2023. If payments continue in the second half of 2024 at the same level, last year’s record total of $1.1 billion in ransom payments will be broken.
Chainalysis has identified a change in tactics at some ransomware groups, which appear to be targeting large organizations more frequently. Large organizations typically have more robust cybersecurity measures than smaller businesses as well as in-house security teams that can monitor their IT environments more closely and rapidly respond to intrusions. Attacks on larger organizations can be more challenging and take longer to conduct; however, ransomware groups can cause massive and costly disruption and steal large amounts of data, which means they can demand massive ransom payments.
There have already been some eye-watering ransom demands this year, including what is believed to be the largest demand yet. The Dark Angels ransomware group issued a demand for $75 million to a Fortune 50 firm earlier this year, and the BlackSuit ransomware group reportedly issued a demand of $60 million in one of its attacks. The Chainalysis report shows that the median ransom payment has increased from just under $199,000 in early 2023 to $1,500,000 in June 2024.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Fewer Victims are Paying Ransoms
While some ransomware groups are going big game hunting and are conducting fewer attacks, there is no let up on smaller businesses as the number of active ransomware groups has increased. Combined, there has been around 10% year-over-year growth in the number of victims published on ransomware groups’ data leak sites. That ties in with a general trend of victims choosing not to pay the ransom. Chainalysis reports that its data indicate a 27.27% decline in victims paying the ransom.
Coveware’s Q2, 2024 ransomware report indicates record numbers of companies are not paying ransom demands. In Q1, 2019, 85% of victims of ransomware attacks paid the ransom to recover their data and prevent the release of stolen data, which fell to 29% in Q4, 2023 and 28% in Q1, 2024, although there was an increase to 36% in Q2, 2024. Coveware reports that data exfiltration-only attacks are proving to be profitable for ransomware groups. In Q1, 2024, 23% of data exfiltration-only attacks resulted in a ransom being paid, which increased to 43% in Q2, 2024. These attacks cause less disruption for businesses and are faster for threat actors with a lower chance of detection. Coveware reports that data exfiltration-only attacks are on the rise.
The main attack vectors commonly change, and in Q2, 2024, Coveware reports a major uptick in phishing as the initial access vector following a downward trend since Q1, 2023. Almost 25% of ransomware attacks involved phishing as the initial access vector, with remote access compromise continuing to increase and is still the main known initial access vector, used in just under 30% of attacks. In Q2, 77% of attacks involved data exfiltration.
One-fifth of Ransomware Attacks are on Healthcare Organizations
A ransomware report from Barracuda Networks based on 200 reported ransomware attacks between August 2023 and July 2024 shows that more than one-fifth of attacks (21%) were conducted on healthcare organizations, an 18% increase from the same period last year. A similar increase was seen in attacks on local government municipalities, up 17% year-over-year. Ransomware-as-a-service groups continue to conduct attacks in number, with the LockBit ransomware group the most prolific, even with the law enforcement operation that disrupted the operation in February 2024. The now-defunct ALPHV/Blackcat ransomware operation was behind 14% of attacks, and while only accounting for 8% of attacks, the Rhysida ransomware group has aggressively targeted healthcare organizations, which account for 38% of the group’s attacks.
Coveware reports a significant fall in LockBit attacks, which in Q2, 2024 only accounted for 8% of all attacks. The most active group in Q2 was Akira with 11% of attacks, with 10% attributed to lone wolves rather than ransomware groups. The Barracuda researchers also suggest that ransomware groups are increasingly prioritizing data exfiltration over encryption and as a result, dwell time has been increasing. The advantage is that security teams have longer to detect and mitigate attacks, limit data theft, and potentially avoid file encryption and the massive disruption that often causes.
Most Ransomware Attacks Occur in the Early Hours
The 2024 State of Ransomware Report from Malwarebytes has revealed that the majority of ransomware attacks are timed to catch security teams off guard, with most attacks occurring between the hours of 1 am and 5 am. Conducting attacks at these times decreases the chance of detection before their goals are achieved, as there are fewer IT staff on hand to monitor for attacks and respond. The researchers report that the time taken to prepare for file encryption has been decreasing. Whereas it used to take weeks from initial access to completed encryption, it now takes hours. Ransomware groups are also increasingly using living-off-the-land techniques which help them evade detection by traditional security tools.
