Ransomware attacks have become a pervasive and evolving threat in the cybersecurity landscape, impacting organizations of all sizes across various sectors.
We at Safety Detectives believe that understanding the latest trends in ransomware attacks is essential for organizations to bolster their defenses and protect themselves against potential threats as cybercriminals continue to refine their tactics.
In this article, we explore research findings on ransomware attack trends and uncover the true costs incurred by victims, shedding light on the financial, operational, and reputational implications of falling prey to such schemes.
By examining current data, we aim to provide valuable perspectives on mitigating risks associated with ransomware attacks and enhancing overall cybersecurity resilience in today’s digital environment.
Key Takeaways
- The average cost of ransomware attacks has escalated to $2.73 million in 2024, which represents an increase of nearly $1 million (50%) in a year.
- Half of all the ransomware attacks conducted in 2023 happened in the United States.
- Hackers earned roughly $1.1 billion from crypto-related ransomware attacks in 2023, setting a new record.
- Up to 94% of the organizations that experienced a ransomware attack in 2023 said that the hackers attempted to compromise their backups during the attack.
- LockBit was accountable for around 25% of all ransomware attacks in 2023, with 1,047 victims that year alone.
- Double extortion ransomware surged in 2023, with a 72% increase from the first to the second quarter.
- The central government sector has the highest ransomware attack rate as of 2024, with up to 68% of surveyed central government organizations from around the globe reporting they had experienced an attack.
What Is Ransomware
Ransomware is a type of malicious software that steals and encrypts the victim’s sensitive data and withholds it until a ransom is paid. Ransomware is usually designed to spread itself across a network to infect as many devices as possible until all devices in the network (usually an entire organization or household) are left paralyzed. The only way for the victims to regain access to their data is to pay a large sum of money to the hackers behind the attack.
The History of Ransomware
The AIDS Trojan, also known as PC Cyborg, was created by Dr. Joseph Popp in 1989. It is considered the first-ever ransomware virus released via floppy disk. Popp sent 20,000 infected disks to attendees of the World Health Organization’s international AIDS conference in Stockholm.
The virus activated after the 90th reboot, encrypting files on the system’s hard drive. To regain access, the user had to send $189, which amounts to around $478 today, to PC Cyborg Corp. at a post office box in Panama. Fortunately, none of the conference attendees paid the AIDS Trojan ransom.
The next wave of ransomware attacks didn’t occur until the mid-2000s.
The GPcode ransomware, which emerged in 2005, attacked Windows operating systems and encrypted documents with specific file extensions. The Archiveus Trojan, the first ransomware to use RSA, emerged in 2006 and encrypted everything in the My Documents directory, also on Windows.
The early 2010s saw the rise of cryptocurrency, and due to its pseudonymous nature, Bitcoin became the preferred payment method for ransomware demands.
In 2013, CryptoLocker emerged, marking a significant shift by using strong encryption algorithms and demanding payments in Bitcoin. This set a new standard for ransomware operations, which are some of the biggest cybersecurity threats for firms and organizations today.
Ransomware Delivery: How Your System Gets Infected
Hackers are getting more creative and sophisticated in their attempt to infect your system with malware and encrypt your data. Here are the most common ways ransomware is delivered and deployed.
Email Phishing
Phishing is the most common entry point for ransomware. According to Cisco, it accounts for up to 90% of all cyber attacks in general. Email phishing occurs when cybercriminals send out emails that appear legitimate, often impersonating trusted entities like banks, shipping companies, or government agencies.
These emails usually contain enticing subject lines, urgent requests, or alarming messages designed to grab the recipient’s attention and prompt immediate action. The main goal is to get the user to follow a link to a fake website or download an infected file that will prompt the ransomware attack. To this end, sophisticated attackers even send personalized emails.
According to Veeam’s Data Protection Trends Report 2024, 26% of organizations have experienced a surge in the number of email threats, and 88% of them involved ransomware.
Compromised Websites and Drive-By Downloads
Compromised websites may look like legitimate websites, but they host malicious content. When individuals visit a compromised site, they may unknowingly trigger a drive-by-download attack, which automatically downloads and executes ransomware on their devices.
Generally speaking, drive-by download attacks can be active or passive. In the former, hackers create a malicious duplicate of a legitimate website and trick users into downloading malware. Passive attacks, on the other hand, occur when hackers exploit browser vulnerabilities to infect the user’s device without their knowledge — no interaction is needed other than visiting the malicious website.
Remote Desktop Protocol (RDP) Attacks
Cybercriminals can exploit weak credentials to gain entry into a system. They use automated tools that scan for exposed RDP ports and attempt to force their way in, trying out various username-password combinations until they find a match.
Attackers often use login credentials exposed in data breaches to conduct credential-stuffing attacks against RDP services. All in all, RDP abuse is so common that it was found in 90% of ransomware cases reported to Sophos Incident Response in 2023.
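The two RDP patterns described above leave different traces in Windows logon events, and the following detection sketch is an added example, not code from the article or from any vendor it cites. It assumes a simplified CSV export of Security events (the column layout, thresholds and sample lines are constructed for illustration) and flags any successful logon that follows a burst of failures from the same source.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security event IDs: 4625 = failed logon, 4624 = successful logon.
FAILED, SUCCESS = "4625", "4624"
# Logon type 10 is RemoteInteractive (RDP); with Network Level Authentication
# enabled, RDP logon attempts are commonly recorded as type 3 (Network).
RDP_LOGON_TYPES = {"10", "3"}

# Constructed sample data. Assumed columns:
# time, event_id, logon_type, source_ip, username
SAMPLE_LOG = """\
2024-03-01T02:00:01,4625,10,203.0.113.7,administrator
2024-03-01T02:00:06,4625,10,203.0.113.7,administrator
2024-03-01T02:00:11,4625,10,203.0.113.7,administrator
2024-03-01T02:00:16,4625,10,203.0.113.7,administrator
2024-03-01T02:00:21,4625,10,203.0.113.7,administrator
2024-03-01T02:00:26,4625,10,203.0.113.7,administrator
2024-03-01T02:00:31,4624,10,203.0.113.7,administrator
2024-03-01T02:05:00,4625,3,198.51.100.23,alice
2024-03-01T02:05:20,4625,3,198.51.100.23,bob
2024-03-01T02:05:40,4625,3,198.51.100.23,carol
2024-03-01T02:06:00,4625,3,198.51.100.23,dave
2024-03-01T02:06:20,4625,3,198.51.100.23,erin
2024-03-01T02:06:40,4625,3,198.51.100.23,frank
2024-03-01T08:58:00,4625,2,-,jsmith
2024-03-01T08:59:40,4625,10,192.0.2.10,jsmith
2024-03-01T08:59:55,4625,10,192.0.2.10,jsmith
2024-03-01T09:00:10,4624,10,192.0.2.10,jsmith
"""


def analyze(log_text, window=timedelta(minutes=10), threshold=6):
    """Return {source_ip: finding} for IPs with a burst of failed RDP logons.

    Events must be in chronological order. The window and threshold are
    illustrative values, not recommendations from the article.
    """
    recent = defaultdict(deque)  # ip -> (time, username) failures inside window
    findings = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, event_id, logon_type, ip, user = (field.strip() for field in row)
        if logon_type not in RDP_LOGON_TYPES:
            continue  # console, service and other logon types are out of scope
        when = datetime.fromisoformat(ts)
        failures = recent[ip]
        while failures and when - failures[0][0] > window:
            failures.popleft()  # drop failures older than the sliding window

        if event_id == FAILED:
            failures.append((when, user.lower()))
            if len(failures) >= threshold:
                users = {name for _, name in failures}
                # Few attempts per account across many accounts looks like
                # replayed breach credentials; many attempts on a few
                # accounts looks like password guessing.
                per_user = len(failures) / len(users)
                kind = "credential_stuffing" if per_user <= 2 else "brute_force"
                finding = findings.setdefault(
                    ip, {"kind": kind, "failures": 0, "users": set(),
                         "compromised": None})
                finding["kind"] = kind
                finding["failures"] = max(finding["failures"], len(failures))
                finding["users"] |= users
        elif event_id == SUCCESS and ip in findings and failures:
            # A success right after a flagged burst is the high-priority case:
            # the guessing or stuffing run probably found a valid credential.
            findings[ip]["compromised"] = user.lower()
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding["kind"], finding["failures"],
              sorted(finding["users"]), "compromised:", finding["compromised"])
```

The two failed attempts from 192.0.2.10 followed by a success stay below the threshold, which is the ordinary mistyped-password case the thresholds are meant to ignore.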
Social Engineering
Social engineering is a manipulative tactic that cybercriminals use to trick users into inadvertently downloading and activating ransomware on their devices.
Attackers may send fraudulent emails posing as legitimate entities, such as banks, well-known companies, or other trusted organizations. They may also create fake websites that imitate authentic platforms like banking sites or online services.
Cybercriminals manipulate users into taking actions that lead to ransomware infections by leveraging psychological tactics and exploiting human emotions like fear, curiosity, urgency, or trust.
Understanding Ransomware: Stats Review
In this section, we analyze the latest statistics surrounding ransomware attacks, shedding light on their frequency, impact, and evolving trends in cybersecurity.
Typical Cost of Ransomware Attacks
The cost of ransomware attacks, as well as the extent of the damage caused, can vary widely depending on the organization targeted. However, the sums hackers demand have steadily increased over the years, with seven-figure ransoms slowly becoming the norm.
Data from cryptocurrency-tracing firm Chainalysis also confirms that the cost of ransomware attacks is increasing. Collectively, hackers earned roughly $1.1 billion from crypto-related ransomware attacks in 2023, setting a new record.
The second biggest year for crypto-related ransomware attacks (so far) was 2021, in which Chainalysis calculates that attackers extorted $983 million from victims. Interestingly, the year after, that number dropped to $567 million.
In its Crypto Crime Report, Chainalysis refers to the reduction in ransomware incidents in 2022 as an anomaly rather than a trend. The Russian-Ukrainian conflict is listed as one reason for the drop, as cybercriminals focused more on politically motivated attacks than financial gain.
Another significant factor for the decrease in ransomware activity in 2022 is the FBI’s takedown of the Hive ransomware group. The FBI infiltrated Hive’s computer network and captured its decryption keys, preventing victims from paying over $130 million in ransom.
However, the relative lull in ransomware activity didn’t last long; by 2023, the number of ransomware attacks had increased significantly. Perhaps the most infamous ransomware incident of the year is Clop’s attack on MOVEit Transfer, a managed file transfer software. The Clop gang used a zero-day vulnerability in the software to steal sensitive user data, earning over $100 million in ransom payments.
Rate of Ransomware Attacks
Ransomware attacks were at an all-time high in 2023. According to Cyberint’s Ransomware Report, there were 5,070 total victims worldwide, an 80% rise compared to 2022, when 2,809 ransomware attacks were recorded. In fact, there were more victims in the second and third quarters of 2023 alone than in the entirety of 2022.
Talking specifically about the US, the Internet Crime Complaint Center (IC3) received 2,825 ransomware complaints in 2023, which is only a slight increase compared to the previous year (2,385 incidents). However, the sum of money lost to ransomware nearly doubled in that same period, going from $34.3 million in 2022 to $59.6 million in 2023.
Encouragingly, 2024 has seen a decrease in attacks worldwide so far. According to Cyberint’s report for 2024, 1,048 cases were recorded in the first quarter of 2024, a 20% decrease compared to the previous quarter (Q4 2023).
In February 2024, law enforcement from 11 countries exploited a PHP vulnerability and took control of the cybercriminal group LockBit’s primary platform and other critical infrastructure. This could be a factor behind the decline in attacks since LockBit provides ransomware as a service, and according to some estimates, it was responsible for 44% of global attacks in 2023.
Operation Cronos, led by the UK’s National Crime Agency’s Cyber Division, took nearly two years to implement. By the end of the operation, 200 cryptocurrency accounts had been frozen, 34 servers had been taken down, 14,000 rogue accounts had been closed, and 2 individuals had been arrested. Alas, LockBit persists even after such disruption.
Most Targeted Countries
According to Cyberint’s Ransomware Recap report, the United States was the country most impacted by ransomware attacks in 2023, accounting for 2,175 or 48.8% of all reported cases. The United Kingdom, Canada, Germany, and France follow behind, making up the top 5 countries most targeted by criminals.
The list is basically the same as the year before, except that India has entered the top 10 countries most targeted by hackers, taking Russia’s spot. This could be attributed to the relative decrease in cyber warfare between Russia and Ukraine in 2023 compared to the previous year.
The number of ransomware attacks per country often varies depending on the source, which may affect the country’s position in the ranking. One reason for this is that no one can know exactly how many ransomware attacks happened in every country, so all data is based on expert estimations.
Ultimately, though, the top 10 countries affected by ransomware remain largely the same, with high-income Western countries often being the primary targets of ransomware groups.
Most Targeted Industries
Ransomware attacks can target organizations across various sectors, though some are more frequently affected due to the potential for disruption or significant financial gain. Here are the companies and institutions that suffer the most from ransomware attacks.
By Size
Data on the size of organizations targeted by ransomware groups suggests that businesses of all sizes are at risk of ransomware attacks.
For instance, Trend Micro found that, in the second half of 2023, smaller organizations were hit the hardest by popular ransomware groups. Up to 61.8% of LockBit’s 518 total victims were small businesses, with medium-sized and large companies accounting for 19.9% and 6.2% of cases, respectively. Similarly, 62.3% of the Clop and 50.7% of BlackCat victims were also small businesses.
But it’s not only these big cybercriminal gangs who find smaller organizations to be an attractive target. In a relatively new phenomenon, a Sophos X-Ops study found multiple examples of inexpensive, crude ransomware sold as a one-time purchase on dark web forums. From June 2023 to February 2024, 19 of these ransomware variants were sold on 4 different forums, presumably to lower-skilled threat actors.
Small and mid-sized businesses are attractive targets for cybercriminals because they usually don’t have the resources to defend themselves, so there’s no need for an elaborate attack. Elaborate attacks are usually reserved for big enterprises, which can also be quite attractive targets.
Sophos’ annual “State of Ransomware 2024” survey report, which included 5,000 respondents from 14 different countries, found that companies with $5B+ revenue account for up to 67% of the attacks reported.
By Sector
Certain industries are more vulnerable to ransomware threats than others. Central government agencies, healthcare organizations, and companies in the energy and utility industry were the most targeted, with 67%-68% of organizations in each sector experiencing a ransomware attack.
A notable example is DarkSide’s attack on Colonial Pipeline Co., which caused the company to temporarily shut down operations, disrupting the East Coast’s fuel supply for days back in 2021. Another example is the attack on Ascension Health — the largest Catholic hospital chain in the United States. The hackers locked healthcare providers out of the hospital’s system, leading to several lapses in patient care.
By Likelihood to Pay a Ransom
Cybereason’s Ransomware: The True Cost to Business 2024 report revealed that 73% of respondents had experienced a ransomware attack in the last 24 months leading up to the survey.
Up to 84% of those ended up paying the ransom, but only 47% got their data and services back uncorrupted. Sadly, 78% of these companies were attacked again, and 63% of them were asked to pay more the second time.
According to the report, 74% of leaders in the construction industry said they would consider paying the ransom in case of an attack—significantly more than in any other sector. Many construction companies handle sensitive project data and substantial financial transactions, but they often have limited cybersecurity plans. This makes them major targets for ransomware attacks that end with the ransom being paid.
On the other hand, government organizations feature at the bottom of the list, which means that — despite the sensitivity of the data and operations they may handle — the chances of them paying a ransom are low.
A possible explanation for this is that some government entities may be explicitly forbidden from accepting ransom demands. For instance, as of 2022, ransomware payments have been prohibited in the US states of North Carolina and Florida.
The overall trend regarding paying ransoms seems to be on the decline. In the fourth quarter of 2023, only 29% of victims complied with ransom demands — fewer than ever recorded. This could be due to organizations being more prepared or distrustful towards cybercriminals’ claims not to disclose compromised data.
Effects of Ransomware Attacks
Economic losses are a critical component of ransomware attacks, but the psychological, physical, reputational, and social impact on victims is often overlooked. Here are some of the effects that ransomware attacks can have on the targets.
On Organizations
Ransomware can have far-reaching consequences on organizations. According to Cybereason’s Ransomware: The True Cost to Business 2024 report, in the US, the average ransom payment in the 24 months leading up to the survey was $1.4 million. However, the cost of ransomware attacks often extends beyond the payment of the ransom.
Here are some other effects ransomware attacks can have on businesses and organizations:
- Financial loss: Experts claim that a ransom payment only makes up 15% of the total cost of ransomware attacks. Incident response costs, legal fees, system recovery, downtime, and lost revenue account for most financial losses after an attack. According to the Ransomware: The True Cost to Business 2024 report, up to 46% of impacted organizations had total business losses of $1-$10 million, while 16% lost even more.
- Reputational damage: Clients may question the organization’s ability to protect their sensitive information. They may also experience delays in receiving products or services because of the attack. All in all, Cybereason’s study shows that over half (53%) of organizations that experienced a cyberattack suffered reputational damage because of it.
- Digital damage: According to The Scourge of Ransomware study, ransomware attacks that involve data encryption can have a huge negative impact on an organization’s IT infrastructure. For instance, a government agency noted that, in the aftermath of the attack, the organization lost access to all its systems and data and had to revert to working with pens and paper as a result.
On Individuals
Although not directly targeted, individuals, such as healthcare patients and staff members of a targeted organization, are often indirect victims of ransomware attacks. Ransomware incidents have caused people to lose their jobs and suffer long-term health consequences in the aftermath. Here are some examples:
- Physical effects: Ransomware attacks directed at healthcare institutions can lead to the cancellation of elective surgeries and the disruption of patient services. For example, during the Health Service Executive of Ireland ransomware attack, 5 centers stopped providing radiation therapy, disrupting 513 patients’ cancer treatment.
- Psychological effects: According to ISACA’s The Human Consequences of Ransomware Attacks report, individuals who experience a ransomware attack can feel fear, irritation, and emotional upset. They can even suffer long-term psychological consequences, like anxiety, panic attacks, depression, and PTSD. Victims can also feel a sense of shame and blame themselves for the attack.
- Reputational effects: Members of the IT team of an enterprise that has suffered a ransomware attack may suffer reputational damage, as people (including themselves) may feel like they did not do enough to prevent the attack. This is also true for staff members who clicked on a malicious link that prompted the attack.
- Financial effects: Companies may choose to lay off IT personnel, board members, or other employees after a ransomware attack. Furthermore, the majority of firms (62%, according to IBM) also increase their prices, potentially affecting current and future clients.
The Evolution of Ransomware in 2024 and Beyond
In recent years, ransomware attacks have become much more sophisticated, with new attack methods constantly emerging. Hackers are now increasingly using double and triple extortion schemes.
In the former, hackers not only encrypt the victim’s data but also threaten to publish it on the dark web unless the ransom is paid. The triple extortion tactic adds a third layer of pressure on victims beyond file encryption and data exposure, with hackers also threatening to launch a Distributed Denial of Service (DDoS) attack.
According to WatchGuard’s Internet Security Report, double extortion ransomware surged in 2023, with a 72% increase quarter over quarter. The rise could be due to emergent ransomware gangs — cybersecurity company WithSecure Oyj revealed that up to 29 of the 60 multi-point extortion gangs it was tracking in 2023 were new players.
The integration of artificial intelligence (AI) is also elevating ransomware attacks to a new level of sophistication. AI-powered ransomware has the ability to adapt and customize in real time, modifying malware code to evade detection. It can also exploit weaknesses in existing cybersecurity defenses, including zero-day vulnerabilities as well as system and software misconfigurations.
Backup attacks are another emerging trend in ransomware attacks. According to Sophos’ 2024 report, up to 94% of organizations that experienced a ransomware attack in 2023 said that the hackers attempted to compromise their backups during the attack. The report showed that victims are almost twice as likely to pay the ransom when backups are involved (67% vs. 36%).
Overall, this research suggests that the future of ransomware will likely revolve around more sophisticated, multi-point AI-powered attacks, along with the threat of dark web data leaks and the targeting of backup data.
The Biggest Ransomware Payouts to Date
The impact of ransomware attacks can be significant, leading some companies to pay substantial sums in exchange for decrypting their files. In this context, examining the biggest ransomware payouts to date sheds light on the financial toll and operational disruptions caused by these malicious incidents.
Note that this list only includes payouts that became public for one reason or another, and there could well be higher payments that remain a secret. Let’s delve into some of the most notable ransomware payouts that have occurred over recent years.
CNA Financial: $40 million
CNA Financial, a large US insurance company, was targeted in a ransomware attack conducted by the Phoenix ransomware family in March 2021. In the attack, the hackers first breached an employee’s workstation using a malicious browser update delivered via a legitimate website.
Hackers are increasingly using the tactic of embedding malware into a legitimate website, which allows them to bypass traditional security measures and infect a large number of users.
The attackers demanded a substantial ransom payment from CNA Financial to provide the decryption key necessary to unlock the encrypted files and restore normal operations. Reports indicated that CNA Financial paid approximately $40 million in ransom to the cybercriminals behind the attack. Thankfully, none of the sensitive data stolen—including customers’ names, Social Security numbers, and dates of birth—was leaked.
JBS: $11 million
The attack happened in May 2021, when the REvil ransomware group infiltrated JBS’s systems and encrypted critical data. Although the meat-processing company is based in Brazil, the attack disrupted operations across multiple facilities in the United States, Canada, and Australia.
JBS was forced to shut down its beef processing plants until the situation was resolved, impacting meat production and supply chains. The attackers demanded a ransom payment from JBS to provide the decryption key needed to unlock the encrypted files and restore normal operations. JBS ended up paying $11 million to the REvil group.
Carlson Wagonlit Travel: $4.5 million
In July 2020, the Ragnar Locker ransomware gang targeted Carlson Wagonlit Travel (CWT), a US travel management firm. In the attacks, hackers stole around 2 TB of sensitive corporate data, including thousands of global executives’ credentials, and 30,000 of the company’s computers went offline.
The hackers initially demanded $10 million in ransom payment in exchange for a promise not to leak the stolen data. However, CWT managed to negotiate the ransom amount and ended up paying $4.5 million in Bitcoin. Luckily, Ragnar Locker kept their promise to return CWT’s stolen data and even offered the company tips on how to prevent future attacks.
Colonial Pipeline: $4.4 million
The cyberattack took place in May 2021, when the DarkSide ransomware group infiltrated Colonial Pipeline’s network and encrypted critical data.
As a result of the ransomware attack, Colonial Pipeline—one of the largest fuel pipeline operators in the US—was forced to temporarily shut down operations, impacting fuel supplies along the East Coast. In response to the attack and under significant pressure due to potential fuel shortages, Colonial Pipeline opted to pay approximately $4.4 million in ransom to the DarkSide hackers.
Fortunately, the company recovered about half of the amount paid ($2.3 million in Bitcoin) thanks to the Department of Justice. The FBI stated it was in possession of a private key that unlocked a Bitcoin wallet where DarkSide stored the funds. It is unknown how the FBI gained access to the key in the first place.
Brenntag: $4.4 million
Brenntag is a German chemical distribution company. In May 2021, the DarkSide ransomware gang targeted the company’s North American branch, resulting in the seizure of 150 GB of data, including individuals’ birthdates, Social Security Numbers, driver’s license numbers, and health data.
To avoid data leaking online, Brenntag paid a $4.4 million ransom to the ransomware gang.
Travelex: $2.3 million
On New Year’s Eve 2019, the REvil ransomware group encrypted more than 5 GB of Travelex’s sensitive data, including dates of birth, social security numbers, and credit card information. The hackers initially demanded a $6 million ransom to give it back but ultimately negotiated that amount down to $2.3 million in Bitcoin.
However, the attack caused substantial reputational and financial damage to Travelex. After its parent company (Finablr) failed to sell it, PwC took responsibility for its restructuring, resulting in the loss of over 1,300 jobs.
FatFace: $2 million
In January 2021, British clothing retailer FatFace faced a ransomware attack. The Conti gang encrypted the company’s systems and stole 200 GB of data. Hackers initially demanded a ransom of $8 million, but after intense negotiations, FatFace paid just $2 million in ransom.
Two months after the attack, FatFace customers received an email informing them that their private data, including name, email, postal address, and the last four digits of their credit card, had been compromised. The email is considered controversial because it asked recipients to keep the data breach private and confidential.
University of California San Francisco: $1.1 million
The NetWalker ransomware group was responsible for the cyberattack on UCSF, which is known for its medical research and patient-care services. The attack encrypted data on UCSF’s servers and systems, affecting important academic and medical information.
After an anonymous tip-off, BBC News was able to follow the ransom negotiations in a live chat on the dark web. In the end, UCSF paid $1.14 million to the ransomware gang.
Protection Against Ransomware Attacks
In today’s cybersecurity landscape, taking the necessary steps to prevent ransomware attacks is crucial. Here are a few tips on how organizations and individuals can protect themselves from ransomware attacks.
For Organizations
- Deploy endpoint protection solutions, such as antivirus software, firewalls, intrusion detection systems (IDS), and endpoint detection and response (EDR) tools to detect and block ransomware threats.
- Keep all operating systems, software, and applications up to date with the latest security patches. These usually address known vulnerabilities that ransomware attackers could exploit.
- Use complex passwords and multi-factor authentication (MFA). Make sure to change all passwords regularly.
- Implement network segmentation to isolate sensitive data and restrict unauthorized access within the network. If one segment is compromised, this will limit the spread of ransomware.
- Regularly back up critical data and ensure that backups are stored securely offline or in the cloud. This can help restore files in case of a ransomware attack.
- Conduct regular security audits and vulnerability assessments to identify weaknesses in your organization’s systems. Develop and regularly test an incident response plan that outlines the steps to take in case of a ransomware attack.
- Foster a culture of cybersecurity awareness within the organization. Teach employees how to identify phishing emails, suspicious links, and other common tactics used by cybercriminals. Ensure that they are aware of their roles and responsibilities during a security incident.
For Individuals
- Regularly update your operating system, software applications, and antivirus programs. Updates often include patches for known vulnerabilities that hackers might otherwise exploit.
- Avoid opening attachments or clicking on links from unsolicited emails, especially from unknown senders. Verify the sender’s authenticity before taking any action.
- Keep regular backups of your important files and store them securely. Ensure backups are saved on an external storage device or to the cloud to prevent them from being accessed or encrypted by ransomware.
- Create strong, unique passwords for all accounts and enable 2FA whenever possible. This adds an extra layer of security, even if your password is compromised.
- Install reputable antivirus software and keep it updated. Antivirus programs can detect and block ransomware before it can infect your system. Some antivirus programs offer specific ransomware protection features that can detect and stop ransomware attacks.
Conclusion
Ransomware attacks continue to pose significant risks to businesses worldwide, with cybercriminals employing increasingly sophisticated tactics to extort payments from their victims.
After examining the financial, operational, and reputational implications of falling victim to ransomware incidents, it becomes evident that the costs of such attacks extend far beyond the ransom demands. It’s crucial that organizations recognize the importance of implementing robust cybersecurity measures, incident response protocols, employee training programs, and regular security assessments to mitigate these risks effectively.