Ransomware Groups Claim 13% More Healthcare Victims in 2024
International law enforcement operations against the prolific ransomware-as-a-service (RaaS) groups LockBit and ALPHV/BlackCat resulted in infrastructure seizures and caused significant disruption to their operations; however, the threat from ransomware continues largely unabated. While law enforcement agencies deny any involvement in the shutdown of the ALPHV/BlackCat group, its disappearance and the ongoing disruption caused to the LockBit group by Operation Cronos in early 2024 has left a gap that other ransomware groups have expanded to fill. Past affiliates of those groups have jumped ship, joining other ransomware groups such as RansomHub, which increased its attacks last year to take the top spot as the most prolific ransomware group.
The difficulty in taking down RaaS groups has been highlighted in the annual Ransomware and Cyber Threat Report from GuidePoint Security’s Research and Intelligence Team (GRIT). As the researchers explained, despite these largely successful law enforcement operations, ransomware attacks continue to be conducted in large numbers. It is possible to take action against RaaS groups and force a shutdown of their operations, but the affiliates simply move on and continue to conduct attacks with a different group. That said, law enforcement operations have contributed to a reduction in the rate of increase of attacks, which slowed to 8.72% growth for the year, compared to the massive 76.8% growth from 2022 to 2023. In 2024, an average of 13.2 new victims were posted to ransomware groups’ data leak sites per day, and over the course of the year, 4,848 new victims were added to data leak sites.
The GRIT researchers observed a decrease in ransomware attacks in Q2 and Q3, 2024, in part due to the law enforcement operations on ALPHV/BlackCat in late 2023 and LockBit in early 2024; however, the reduction in attacks was made up for in Q4, 2024 when there was a sharp increase in posts on ransomware groups’ data leak sites, with record-breaking numbers of victims were added. More than 1,600 new victims were added to the data leak sites in Q4 alone.
RansomHub filled the void left by ALPHV/BlackCat by increasing the tempo of its attacks and other ransomware groups such as Akira, Play, and others also picked up the pace, which is suspected to be due to the recruitment of experienced affiliates from ALPHV and LockBit. It was not just the well-established groups that benefitted from the shutdown of ALPHV/BlackCat and the exodus of affiliates from LockBit. The GRIT researchers report a 42% year-over-year increase in the number of active ransomware groups, rising from 62 in 2023 to 88 in 2024, including 40 previously unobserved ransomware groups that emerged last year.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
In 2024, 52% of ransomware victims were from the United States. Manufacturing was the most targeted sector, followed by technology and retail/wholesale, with healthcare the fourth most targeted sector with more than 300 confirmed attacks in 2024, a 13% year-over-year increase. Given the 8.72% year-over-year growth in attacks, it is clear that some groups are actively targeting healthcare organizations – RansomHub, LockBit, and BianLian, according to GRIT, with Play not known to have conducted any healthcare ransomware attacks last year.
Healthcare tends to be targeted more by established ransomware groups, and was the second most targeted sector for these groups, but was the most targeted sector for what GRIT classes as ephemeral groups, which are short-lived groups that emerge, conduct a series of attacks, then disappear and rebrand within 3 months. This is largely due to the increased law enforcement activity that tends to come with attacks on healthcare providers,
Network defenders are having to defend against a diverse range of initial access vectors, although stolen credentials and the exploitation of vulnerabilities remain the most common methods for initial compromise. In the case of the latter, network defenders had a heavy workload last year with 110 new CVEs published on average each day, 44% of which were rated as highly severity or critical. While newer vulnerabilities are exploited by some groups, RaaS groups tend to target older vulnerabilities.
While the outlook for 2025 looks likely to be continued attacks in high numbers, the rate of increase in attacks at least appears to have slowed, and law enforcement operations are having some effect, although progress is painfully slow.
