CFOtech Asia - Technology news for CFOs & financial decision-makers

Ransomware in 2024: 75 groups with median demand USD $200k

Tue, 28th Jan 2025

An analysis conducted by Rapid7 has highlighted the increasing activity and sophistication of ransomware in 2024, with 75 active groups reported and a median ransom payment of USD $200,000.

Christiaan Beek, Senior Director of Threat Analytics at Rapid7, noted that leading ransomware groups such as RansomHub and Akira have been exploiting vulnerabilities and employing double and triple extortion tactics. The analysis reveals over 5,900 posts on leak sites, although actual incidents are thought to be higher due to unreported cases.

Beek stated, "The ransomware landscape in 2024 showed increased activity and sophistication, with 75 active groups and a median ransom payment of USD $200,000."

The report from Rapid7 emphasises the necessity for proactive security measures and international collaboration to mitigate this growing threat. It projects that ransomware damages could exceed USD $380 million this year.

Analysis of 2024 data shows that, although the actors are diverse, it is their capacity to adapt that puts the most strain on defending organisations.

Christiaan Beek further highlighted, "While these numbers reflect public disclosures, many victims choose to negotiate privately, meaning the true scope could be significantly higher."

Among the most prolific ransomware groups, the Cl0p group was noted for exploiting vulnerabilities in Cleo file transfer software.

Unlike other groups, Cl0p does not rely on encrypting victims' data but uses leak sites for extortion, leaving its financial impact within the ransomware ecosystem opaque.

Financial analyses estimate potential revenues generated by these groups, considering a median payment of USD $200,000, with approximately 32% of victims choosing to pay. This suggests total payments in 2024 could easily surpass USD $380 million.

The report also documents trends such as the proliferation of groups, persistent dominance of major players, increased transparency from victims, and the rise of multi-stage extortion tactics.

On recent law enforcement developments, a dual Russian-Israeli national who allegedly contributed to the LockBit group's operations was apprehended. "The indictments underscore intensified global cooperation," notes Rapid7, highlighting the involvement of both US and UK agencies.

These events underscore the value of cross-border partnerships in addressing ransomware threats.

Despite arrest efforts, LockBit continues to operate, underscoring the complex challenge posed by ransomware.

In response to these trends, Rapid7 advocates for strengthening resilience among organisations. Recommendations include preparing for multiple attack vectors, securing collaborations, maintaining readiness for incident response, and conducting ongoing risk assessments.

The potential financial incentive for cybercriminals remains significant, with substantial returns even if only a fraction of victims choose to pay ransoms. This reality underlines the necessity for organisations to develop defence mechanisms like user awareness training, strong access controls, and secure backups.

The report calls for ongoing threat intelligence to monitor emerging groups and tailor defences against them.

It stresses the importance of organisations maintaining visibility over their external footprint, including regular asset scanning, real-time monitoring, and holistic patch management.

The evolving threat landscape in 2024 illustrates a continued escalation in ransomware attacks, with groups exploiting commoditised ransomware-as-a-service models. Building organisational resilience, remaining informed, and preparing a robust response plan are essential steps in countering these challenges.
