Ransomware payments have touched a new milestone — with many hacker groups claiming large sums of ransom payments that were never seen before. According to a recent ransomware report, a single company recently paid a ransom of $75 million, highlighting the dramatic rise in financial demands.
This increase in ransom amounts reflects a broader trend of escalating financial demands. In 2023, total ransomware payments exceeded $1 billion, emphasizing the severe economic impact of these cyber threats.
Ransomware attacks have become more frequent and severe, with the report indicating a 17.8% increase in blocked ransomware attempts and a 57.8% rise in attacks identified through data leak sites. The manufacturing, healthcare, and technology sectors have been particularly targeted, with the manufacturing industry bearing the brunt of these attacks.
Analyzing the 2024 Ransomware Report
The sophistication of ransomware tactics has reached new heights. The ThreatLabz 2024 ransomware report observes a disturbing trend where attackers are not only targeting organizations but also their executives’ families to demand higher ransoms. This shift highlights a broader and more dangerous approach to ransomware, where no sector, whether large corporations or small to medium-sized enterprises, is immune.
Operations like “Operation Endgame” and “Operation Duck Hunt” have been pivotal in disrupting ransomware activities. Despite these efforts, prominent ransomware groups continue to evolve and evade capture, often operating with relative impunity. The resilience and adaptability of these groups pose ongoing challenges for law enforcement.
The report details several critical findings from April 2023 to April 2024. Among them is the emergence of 19 new ransomware families, bringing the total number to 391. The most active families during this period include LockBit, BlackCat (also known as ALPHV), and 8Base, with LockBit leading the pack with 22.1% of attacks.
Software and system vulnerabilities remain a primary vector for ransomware attacks, highlighting the necessity for prompt patching and robust zero-trust architecture. Additionally, voice-based social engineering has become a notable method for gaining access to corporate networks, as evidenced by groups like Scattered Spider and Qakbot.
The Impact of Major Ransomware Groups
Among the ransomware groups that have emerged recently, five stand out for their impact on organizations and governments globally. These groups—Dark Angels, LockBit, BlackCat (ALPHV), Akira, and Black Basta—have made significant headlines due to their high-profile attacks and substantial ransom demands.
Dark Angels has become a major player in the ransomware arena since its emergence in May 2022. Operating the Dunghill data leak site, Dark Angels is known for executing some of the largest ransomware attacks on record. In early 2024, ThreatLabz reported that one of Dark Angels’ victims paid a record $75 million ransom. This staggering figure underscores the group’s strategy of targeting a few high-value companies to secure substantial payouts.
LockBit, which began operations in September 2019, continues to be a dominant force in the ransomware landscape. With its extensive affiliate network, LockBit has compromised over 2,000 systems worldwide, collecting more than $120 million in ransom. Known for its high-volume attack approach, LockBit often targets smaller businesses with relatively low ransom demands. Despite a major disruption in February 2024, when the FBI and UK authorities seized parts of LockBit’s infrastructure and approximately 7,000 decryption keys, the group quickly adapted and resumed its activities. The indictment of LockBit developer Dmitry Yuryevich Khoroshev further illustrates ongoing efforts to tackle this threat.
BlackCat (ALPHV), infamous for its cross-platform capabilities, was a major ransomware threat until its shutdown in March 2024. Utilizing the Rust programming language, BlackCat targeted various operating systems. Although the group has disbanded, its affiliates are likely continuing their activities within other ransomware-as-a-service networks.
Akira, which emerged in April 2023, quickly gained notoriety for its high volume of attacks. Likely an offshoot of the now-defunct Conti group, Akira has employed ransomware code similar to Conti’s leaked source code. Despite significant law enforcement actions, such as Operation Endgame targeting the initial access broker Bumblebee, Akira remains active and is expected to persist in its operations.
Black Basta, identified in April 2022 as another successor to the Conti group, has used various methods to infiltrate corporate networks, including leveraging the initial access broker Qakbot. Despite setbacks from Operation Duck Hunt and other disruptions, Black Basta continues to innovate and execute new attacks.
Looking Ahead: 2025 Predictions
As ransomware threats evolve, several key trends are set to shape the cybersecurity industry in 2025, as highlighted in the ransomware report. Among these trend, one section that caught everyone’s attention is the rise of highly targeted attack strategies.
Groups like Dark Angels are setting a precedent by focusing on a few high-value targets for substantial ransoms, which may influence other threat actors to adopt similar approaches. Another trend is the use of voice-based social engineering by specialized initial access brokers such as Qakbot and Scattered Spider, who will likely continue to exploit this tactic to infiltrate corporate networks.
Generative AI is also expected to play a significant role in ransomware attacks, enabling threat actors to create more convincing and personalized attacks, including AI-generated voice impersonations. Additionally, increased transparency in cybersecurity is anticipated due to new SEC rules mandating stricter incident reporting, which should lead to improved practices.
High-volume data exfiltration attacks, which exploit the fear of data leaks rather than relying on encryption, are expected to rise. The healthcare sector will remain a prime target due to its valuable data, necessitating enhanced security measures. Finally, international collaboration will be crucial in disrupting global ransomware networks and combating cybercrime effectively.
