A recent Chainalysis report indicates that 2024 is set to be the highest-grossing year for ransomware payments. 2023 is the current record holder, having surpassed the $1 billion mark, which was an interesting development given the significant decline in ransomware payments that occurred in 2022. In the chart below, we can see a clear upward trend since 2019. In hindsight, it may be more useful to view 2022 as an anomaly. The mid-year total for ransomware payments this year is approximately $460 million, which is an increase of about 2% from last year.
The highest-ever single ransomware payment has also occurred this year. Surpassing the previous record of $40 million paid out by the insurance company CNA, a $75 million payment was reportedly made by a Fortune 50 company to a group called Dark Angels. This group is known to target a variety of industries, such as healthcare, government, technology, and telecommunications. They typically use a highly targeted approach and attack only a single organization at a time. Further, Dark Angels is listed as Zscaler's #1 ransomware family to watch for the next year, with Lockbit, BlackCat and associated threat actors, Akira, and Black Basta rounding out the rest of the top five.
Extrapolating from data leak site information, the industries most affected by ransomware attacks appear to be manufacturing, healthcare, and construction. Attacks on the manufacturing industry were observed in approximately 16% of posts on data leak sites.
(Source: Chainalysis)
The United States has received the most attacks so far in 2024, accounting for slightly over 50% of attacks, which is estimated to be over 900. Other countries that have received significant ransomware activity so far this year include Canada, the United Kingdom, Australia, and several European countries like Germany and Italy.
As far as the number of leak reports is concerned, we can see in the chart below that the number of leak reports each month has either remained mostly in line with or increased over the number of reports from last year. June is the exception in this case, with a notable decrease in the number of reports this year. The decrease in activity on the Lockbit and 8Base leak sites may account for this change.
(Source: Palo Alto Networks)
Overall, the mid-year total for ransomware payments is a good indication that ransomware activity has held steady, even though one may have expected the reported disruptions to high-profile groups like Lockbit and BlackCat to have had an effect. Of course, it's worth pointing out here that those situations have been more complex than they may seem on the surface.
Lockbit has remained active with a new data leak site and has performed several attacks since the reported takedown. With that said, Lockbit group members have also been seen in conflict with collaborators on underground forums, so at the very least their reputation has taken a hit. Similarly, Zscaler suggests that those behind the BlackCat ransomware may have migrated to other networks such as RansomwareHub. Not without their own share of controversy, the BlackCat group engaged in an exit scam against their affiliates after the FBI disruption.
There are several contributing factors to the growth of ransomware payments that we are seeing. Firstly, the number of attacks has increased. The number of attacks so far this year has grown by approximately 10% according to data leak stats.
Another contributor to the increase in total ransomware payments is the fact that the median ransom payment amount has increased drastically and has been trending upwards since at least 2021. For example, for ransomware receiving a maximum payment between $100K and $1 million in a given year, the median payment amount has increased 7.9 times since the start of 2023, beginning at nearly $200K and sitting now at approximately $1.5 million. The primary insight one can draw from this is that ransomware operators appear to be targeting larger businesses and critical infrastructure more specifically, as these kinds of targets will be more likely to pay hefty ransoms.
One interesting aspect to all of this is the fact that while the number of attack incidents has increased, the number of payment events has decreased, indicating that many victims are more prepared for such an attack and aren’t required to make ransom payments for one reason or another.
In summary, 2024 is currently on the way to being the most prolific year ever in terms of ransomware payments made, with the mid-year total of payments nearing $460 million. Ransomware has had heavy activity so far in the United States, and so far this year the manufacturing industry has been targeted the most. In general, ransomware activity has been steady despite several law enforcement disruptions and various other controversies, and there are several groups like Dark Angels and Lockbit that are worth keeping an eye on.
There are a few contributing factors to the high number of ransomware payments this year to consider. The number of ransomware attacks has increased by about 10%, and threat groups appear to be focusing more and more on larger organizations with more critical infrastructure, with the idea that they will be more likely to make substantial payments. Thankfully, even though the number of attacks has increased, the number of actual payment incidents has decreased, indicating that many victims are more prepared than threat actors would like and aren't necessarily forced to make payments.
[1]: https://www.chainalysis.com/blog/ransomware-2024/
[2]: https://www.chainalysis.com/blog/2024-crypto-crime-mid-year-update-part-1/
[3]: https://www.zscaler.com/resources/industry-reports/threatlabz-ransomware-report.pdf
[6]: https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant
[7]: https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989