Report: 2024 saw the highest Q1 ransomware activity on record
A report from Corvus found ransomware activity increased 21% in the first quarter of 2024 from the year prior.
The first quarter of 2024 was the most active Q1 ever recorded on ransomware leak sites, a new study from Corvus found, with 1,075 victims reported. Though this is down from a peak of 1,278 victims in Q3 2023, it is a 21% increase from Q1 2023.
The industries that are most frequently targeted by ransomware groups has remained pretty steady in recent years, with 37.4% of the targets falling into the following industries:
- Information technology and services (6.4%)
- Construction (5.9%)
- Hospital and health care (4.2%)
- Machinery (4.2%)
- Law practice (3.4%)
- Automotive (2.8%)
- Retail (2.8%)
- Real estate (2.7%)
- Government administration (2.6%)
- Mechanical or industrial engineering (2.5%)
The good news is that two significant changes happened among ransomware groups in Q1 2024. The first of these occurred in February, when an international operation targeted the infrastructure of LockBit. This resulted in the confiscation of 24 servers and the immobilization of 200 crypto accounts linked to the group. Prior to this, LockBit averaged 76 new cyber victims per month on its dark web leak site. The servers hosting the leak sites were seized by law enforcement, and details of LockBit’s operation and infrastructure were posted in an attempt to cause not just infrastructural, but also reputational damage to the group.
LockBit established a new leak website just days after the seizure and resumed posting data, but around 40% of the activity on the new site was comprised of information from organizations that had already been compromised before this crack-down. Overall, LockBit’s operations have declined 49% from a year prior and 61% from two years ago.
The second change Corvus’ report addresses is the self-shutdown of the ALPHV/BlackCat ransomware group. The group managed to bounce back in January from an attempted law enforcement takedown in December 2023, which only managed to slow their operations for a bit.
However, on March 6, ALPHV/Black Cat conducted an exit scam following their large-scale attack on Change Healthcare, which affected medical practices and pharmacies across the United States. Normally, the ransomware group distributes their profits among their affiliates, with BlackCat holding onto a 20-25% share of paid ransoms. In this case, however, BlackCat’s leaders kept the entire alleged $20 million ransom and then shut down operations.
Even with the disruption of these two major actors, the data shows that fight against ransomware attacks remains dynamic, and steps should be taken to safeguard organizations from these criminals. In their report, Corvus emphasizes the need for “vigilant cybersecurity practices, particularly timely patch management and the resolution to find and patch all vulnerable assets in your environment.”