LockBit‘s empire crumbles in the great ransomware reshuffle of 2024


While others can only guess what the latest ransomware trends are, Cybernews knows the full picture. Our research team took a deep dive into what our Ransomlooker tool said about key ransomware trends in 2024.

Despite tech and infosec enthusiasts refocusing their attention on big promises of artificial intelligence, some inconvenient patterns remain unchanged. For one, another year, this time 2024, marked another surge in ransomware attacks.

With the help of Ransomlooker, Cybernews’ tool for monitoring ransomware trends, researchers tracked and analyzed incidents involving ransomware, shedding light on trends and the impact on businesses across various sectors.

ADVERTISEMENT

According to Ransomlooker’s data, nearly 5,300 ransomware victims were reported last year, a whopping 26% increase from the previous year. Ransomware operators continue to prove their uncanny versatility, even though 2024 was marked by significant and far-reaching attempts from law enforcement to curb attacker activity.

Ernestas Naprys Gintaras Radauskas Paulina Okunyte Konstancija Gasaityte profile
Be the first to know and get our latest stories on Google News

Ransomlooker’s top attackers

Interestingly, LockBit, pronounced dead after the highly publicized operation Cronos in early 2024, still secured the top spot among cybercrooks. This made it the gang’s third consecutive year on the throne.

Worth noting, however, that LockBit’s position severely weakened last year as the number of the gangs’ victims fell to around 530, a 50% decrease. Given the whole ransomware scene widened by a quarter, the gang’s actual fall is even more spectacular.

It’s highly likely that LockBit will be dethroned next year, and there’s a clear candidate aiming for the kill – RansomHub. Emerging in 2024, the gang sprinted straight to the top, victimizing nearly 500 organizations and showing a startling ability to scale operations apace.

Meanwhile, the Play ransomware gang has entrenched itself in third place, holding the title for a second year in a row with nearly 350 victims. The gang focused its efforts on targeting sectors like manufacturing/industrial, real estate/construction, and technology.

At the same time, LockBit mostly targeted manufacturing/industrial, technology, and retail industries, while RansomHub put the most effort into victimizing real estate/construction, manufacturing/industrial, and retail sectors.

ADVERTISEMENT
Top countries

Hot hacker summer

Ransomlooker helped to spot a worrying trend last year: the proliferation of new ransomware gangs. According to the team, the number of active ransomware gangs almost reached 89, a significant hike from 67 in the previous year.

“Among the tsunami of newcomers, 43 were newly formed or rebranded groups, highlighting the dynamic and decentralized nature of the ransomware ecosystem. Newbies alone accounted for more than one-third of all claimed victims in 2024, illustrating their aggressive start,” researchers said.

Apart from RansomHub, two other groups strongly entered the fray: KillSec and Funksec, with 136 and 91 victims, respectively. New and, unfortunately, successful entries point to the challenges of reducing ransomware activity – the barriers for entry remain low and the decentralized model of operation allows new groups to fill the void left by dismantled ones.

Rebranded

Another interesting trend the team noticed was the seasonal pattern of ransomware group activity. For example, spring and autumn were the most active periods for malicious actors, with nearly 1,600 victimized organizations in fall and another 1,500 in spring.

“The trend suggests that ransomware gangs might strategically target these periods when businesses are fully operational. Summer, on the other hand, was the least active season in 2024 with 1088 victims, marking a shift from historical patterns observed in previous years,” the team said.

Another contributing factor could be the geographic location of ransomware operators. Many gangs directly operate from or have links with Russia, where seasonal changes often impact labor activity. Summer is the time for holidays, a perfect opportunity for ransomware operators to spend their ill-gotten gains.

Victims by month
ADVERTISEMENT

Top industries under attack

According to Ransomlooker data, last year cybercrooks abstained from innovations target-wise. The top three sectors under siege closely mirrored trends we saw in 2023, with manufacturing and industry sectors bearing the brunt of attackers’ punches.

Ransomware gangs victimized over 300 sector companies, an unsurprising outcome given how sensitive manufacturing is to downtime, making them profitable targets for extortion. In some cases, legal penalties for not meeting client demands can exceed ransom demands.

With 150 victims, businesses in the technology sector were the second most targeted. The team surmised these types of companies attract malicious actors due to their reliance on the continuity of seamless global operations. Similarly, real estate ranked third, showcasing attackers' love to aim for organizations with interconnected systems and valuable data.

“Healthcare services also remained a key target, raising concerns about the security of critical infrastructure. This is particularly alarming, as each year brings more reports emphasizing that ransomware attacks on healthcare institutions can lead to severe consequences, including the loss of patient lives,” the team said.

Billions of dollars at stake

While major global corporations are best positioned to have the best cybersecurity tools, they’re also the top priority for ransomware cartels. Attackers often calculate ransomware demands as a percentage of a victim’s annual revenue, using downtime to measure an attack's impact.

With that in mind, it’s no wonder that the combined revenue of the top 10 targeted companies exceeds $520 billion. In 2024, just 1% of revenue from 10 companies could amount to $5.2 billion in ransom.

Targeted revenue

Some notable victims include Volkswagen Group, a global automotive leader with $356 billion in revenue; energy giant Oman Oil, with revenues of nearly $40 billion; and Marfrig, a major food industry player with reported revenue of $27 billion.

ADVERTISEMENT

Unfortunately, it’s not only business that attracts attackers. Ransomware gangs don’t shy away from data-rich government institutions either, as illustrated by a crippling attack on the District of Columbia.

“Protecting these systems is critical because they often manage essential public services, sensitive data, and national security operations, making them prime targets for attacks that can disrupt entire communities,” researchers explained.

America’s onslaught

Another constant in the ransomware landscape is its geography. As was true last year, the United States holds the unfortunate crown as the most targeted country in the world. Ransomlooker data shows that over 1,700 organizations were victimized in the States, far surpassing others.

For example, the second and third-place holders, Canada and the UK, had more than ten times fewer victims. The only silver lining is that unwanted attention from ransomware cartels is likely a sign that advanced digital infrastructure and high-value targets are abundant in these countries.

Top gangs

India, the fourth-place holder, should take note of that. The world’s largest democracy was absent from the top targeted country list from 2021 through 2023 but emerged as the hottest target in 2024.

Other countries such as Italy, Germany, France, and Spain also experienced steady ransomware activity, illustrating how attackers focus on nations with strong economies and extensive digital reliance.

“It’s clear that ransomware is a global phenomenon that is not going away any time soon. The global spread of attacks underscores the critical need for enhanced cybersecurity measures across borders,” researchers concluded.

ADVERTISEMENT