Ransomware Roundup Q1 2024

The first quarter of 2024 broke records with 192 publicly disclosed ransomware attacks, an increase of 48% over 2023. The number of undisclosed attacks also reached new heights, with a 22% increase over the previous year.

The unreported to reported ratio began to stabilize throughout the first three months of the year, with the figure for Q1 sitting at 520%. Unfortunately, this figure indicated that over 5X as many attacks go unreported. With the SEC’s incident disclose rules now in effect, we had expected this figure to be substantially lower, making it an interesting statistic to monitor closely over the coming months.

Unsurprisingly, when it came to disclosed attacks, healthcare, government and education continued to be the favorite target verticals for cybercriminals. With government and healthcare topping the ranks with 30 attacks each, an increase of 33% and 40% respectively on 2023 figures. Education saw a 3% increase from the same period of last year, recording 27 attacks.

For undisclosed attacks, manufacturing, services and technology took the brunt of the incidents, with 20%, 12% and 9% respectively.

LockBit continued to dominate as the main ransomware variant for both disclosed and undisclosed attacks. LockBit attacks account for 16% of reported and 21% of unreported attacks so far in 2024.

BlackCat claimed only 9% of reported attacks, which can be attributed to the group’s “takedown” earlier this year. Medusa also appeared strong with 4% of public attacks. It’s also worth noting that in Q1 34% of all publicly disclosed attacks were unclaimed. Black Basta and 8Base made waves in undisclosed attacks, both accounting for 7% of the 1000 attacks recorded.

In the first three months of 2024 we have seen twelve new ransomware variants emerge, including Ransomhub who since February were responsible for 30 attacks across a range of different verticals. This worrying trend spells trouble for the ransomware landscape – with more gangs emerging, the number of attacks will inevitably increase.  Keep an eye on new ransomware gangs with our ongoing blog.

The geography of both disclosed and undisclosed remained consistent, with victims from the USA suffering over 50% of attacks in both categories. Canada and European countries such as Germany, France and Italy were also among the regions who were hit badly by ransomware in Q1.

We recorded an increase in the number of disclosed attacks involving data exfiltration, rising to 92%. This figure has continued to rise, albeit minimally, over the past 2 years, highlighting the move from traditional encryption-based ransomware to the use of data exfiltration for extortion purposes.

According to our undisclosed insights, the average amount of data exfiltrated during an attack is 589GB. The volume of data stolen in attacks ranged from 1.2GB to around 7TB. Threat actors responsible for these undisclosed attacks all claimed to have exfiltrated some volume of data but with these attacks being unverified, it is not known if these claims are true until the data has been leaked.

With record-breaking numbers of attacks being recorded each month, in both reported and unreported categories, it is clear that ransomware is not on the decline and remains a top threat for organizations globally.

Data exfiltration continues to rise, with 92% of attacks involving the theft of data which has significant consequences for victims, with some still experiencing the fall out months after the initial attack.

Cybercriminals are evolving and breaking through traditional defenses with sophisticated attacks. To prevent attacks and avoid being the next victim of ransomware and extortion, organizations must look to newer technologies such as anti data exfiltration (ADX) which has been designed to stop attacks in real-time, 24/7 without the need for human intervention.

At BlackFog, we have been recording ransomware data since 2020. We believe these figures help us to gain a better understanding of the ransomware landscape, highlighting trends and providing insights into how cybercriminals are evolving to break down cybersecurity defenses.