Ransomware attacks soared in 2024, new groups emerge

ReliaQuest has released its analysis of ransomware trends for the fourth quarter of 2024, revealing a significant increase in ransomware activity and new emerging groups.

Research highlighted a 43% rise in ransomware victims between the third and fourth quarters of 2024, with a 47% increase compared to the same period in 2023. December was particularly notable, marking an all-time high in recorded ransomware victims in a single month. In this period, 13 new ransomware groups emerged, with Akira standing out by naming 71 victims in December alone, mainly through exploiting vulnerabilities in SonicOS.

Despite RansomHub maintaining its position as the largest group by victim count, ReliaQuest forecasts BlackLock will overtake RansomHub by the third quarter of 2025, given its exponential growth. "In the last quarter alone, BlackLock's victim count skyrocketed by over 1,000%," according to ReliaQuest's data.

While law enforcement actions led to a decline in LockBit's activity, with victim numbers dropping from 176 in May to just five in December 2024, the group announced a new variant, LockBit 4.0. Scattered Spider's resilience remains largely unaffected due to its decentralised structure and significant network. Despite arrests, it continues to exert influence, most notably through RansomHub.

ReliaQuest's analysis pointed out the growing ransomware ecosystem, which has expanded from around 60 active groups in 2022 to nearly 100 by 2024. The increased popularity is partly due to the rise in median ransom payments, jumping from USD $199,000 in 2023 to USD $1.5 million in 2024. Larger groups have become riskier due to global law enforcement operations, leading many cybercriminals to operate in smaller, more decentralised groups.

Aside from targeting US-based organisations, which account for nearly half of the observed attacks, ransomware groups predominantly target the manufacturing and professional services sectors. These sectors' economic importance and vulnerability to operational downtime make them attractive targets.

ReliaQuest's report included key developments such as the emergence of 13 new groups in Q4 2024, including "SafePay" and "FunkSec", which claimed 45 and 82 victims, respectively, aided by leaked source codes on cybercriminal forums.

The report suggests organisations adopt phishing-resistant multi-factor authentication, applies behavioural analytics for early detection, and limits access to VPN and firewall management controls, including regular updates to SonicWall and other VPN products.

In response to law enforcement activities, LockBit's operations were significantly disrupted, with international law enforcement seizing servers linked to the group. Nevertheless, LockBit has teased its readiness to rebound with its latest variant, LockBit 4.0.

Scattered Spider's tactics, predominantly social engineering and SIM-swapping, have been effective in orchestrating large-scale attacks. The group notably transitioned to RansomHub's double extortion attacks, shifting its operational focus following arrests associated with its earlier affiliations.

Addressing the increasing threat landscape, ReliaQuest recommends organisations implement AI-driven tools to speed up threat detection and incorporate threat intelligence resources to stay ahead of emerging ransomware threats. Its GreyMatter platform features autonomous AI capabilities aimed at reducing threat containment times.

Ransomware tactics are likely to evolve further throughout 2025, with an increased use of AI and machine learning anticipated. Organisations are advised to educate end users on recognising phishing attempts and implementing robust authentication and access controls.

In conclusion, ReliaQuest's analysis gives a detailed insight into the complex and rapidly changing ransomware landscape, highlighting the measures that can be implemented to safeguard data and mitigate risk.