Global Cyber Incidents in 2024 Driven by Data Theft, with Ransomware Defenses Growing More Complex
Research reveals that data theft was responsible for the majority of cyber incidents globally in 2024, showing a trend where cyber attackers are combining data exfiltration and encryption in their ransomware tactics.
In addition to encryption, cyber attackers using ransomware are now resorting to threats of exposing or selling a company’s data on the dark web if ransom demands are not met. This stolen information often includes sensitive personal data and valuable intellectual property.
The insights are derived from the 2024 Ransomware Trend Report by BlackFog, which examined ransomware activities in hundreds of cyber attacks against organizations worldwide throughout the year.
The report indicates that on average, 592 GB of data was stolen in undisclosed data exfiltration attacks, with disclosed and undisclosed cyber incidents increasing by 25% and 26% respectively compared to the previous year.
Dr. Darren Williams, the founder and CEO of BlackFog, stated in a press release: “The year 2024 highlighted the significant challenges faced by organizations dealing with the financial and reputational repercussions of ransomware attacks. Sectors holding high-value assets were under immense pressure to pay ransoms for the restoration of their operations.”
According to IBM’s Cost of Data Breach report, the average cost of a ransomware attack involving data exfiltration in 2024 amounted to $5.21 million.
“With cybercriminals continuously improving their tactics to exploit vulnerabilities and execute large-scale attacks, the defense against ransomware is growing more intricate,” Dr. Williams emphasized. “Despite governments intensifying efforts to combat this escalating threat, such as introducing mandatory reporting of ransomware incidents, the global ransomware crisis shows no signs of slowing down.”
Growing Attraction of Legitimate Tools Among Ransomware Attackers
In September 2024, researchers in cybersecurity uncovered a ransomware variant applying double-extortion techniques targeting VMware ESXi servers. This variant not only encrypted the data but also made copies of it. Ransomware groups are also utilizing legitimate file transfer protocols to facilitate their attacks.
EXPLORE: Microsoft’s Insights on Ransomware Groups Exploiting Newly-Patched VMware ESXi Flaw
BlackFog’s data revealed that PowerShell was deployed in 56% of ransomware incidents in 2024, indicating how attackers are increasingly using “authorized” tools and platforms to breach networks, establish a presence, and extract data without triggering alerts from various endpoint security systems.
High-Profile Sectors Endure Continuous Threats
The manufacturing, services, and technology sectors witnessed the highest number of undisclosed cyber attacks, often identified as prime targets due to their critical operational nature, extensive digital presence, and substantial amounts of sensitive data.
Among disclosed attacks, healthcare, government, and education sectors were the most commonly targeted, contributing to 47% of all ransomware-related headlines in 2024. The retail industry witnessed a significant surge with disclosed attacks rising by 96%, with notable victims like Starbucks, Sainsbury’s, Morrisons, London Drugs, and Krispy Kreme.
Evolution of Ransomware Groups: Established Players and Emerging Threats
LockBit retained its position as the most active ransomware group, targeting 603 reported victims. This continued despite a significant law enforcement operation in February 2024, led by agencies like the U.K. National Crime Agency’s Cyber Division, the FBI, and other global partners. Although LockBit’s ransomware-as-a-service platform was briefly disabled, the group resumed activities shortly after on a new dark web domain.
Nevertheless, payments to LockBit decreased by 79% in the latter half of the year, as per findings from Chainalysis.
Identified as the second most active ransomware group in 2024, RansomHub emerged as a new threat in February 2024, gaining notoriety through attacks on Kawasaki, a global manufacturer, and Halliburton, an oil and gas services company.
Medusa and Play occupied the third spot in disclosed and undisclosed incidents, respectively.
Rise of AI-Driven Ransomware Groups
In October, a Cyberint report highlighted a peak in the number of active ransomware groups during Q2 of 2024, with new and smaller groups entering the scene.
An alert from the U.K.’s National Cyber Security Centre in January 2024 predicted a growth in ransomware threats due to the increasing accessibility of AI technologies, lowering the entry barriers and enabling even inexperienced threat actors to carry out sophisticated attacks.
BlackFog’s analysis corroborated these predictions, showing that 48 new ransomware groups emerged in 2024, marking a 65% increase from the previous year. More than half of all ransomware incidents in the final two months of 2024 were attributed to these newly established groups.
About Author
