Ransomware Continues to Pose a Severe Threat in 2024

Ransomware Remains a ‘Brutal’ Threat in 2024

In the initial months of 2024, ransomware attacks have once again set new cost records, causing widespread repercussions on a global scale for clients, services, and financial standings. For instance, take a look at these recent news stories:

The HIPAA Journal, “Change Healthcare Ransomware Attack Estimated to Exceed $2.3 Billion in Costs for 2024”:
“UnitedHealth Group (UHG) has shared an update on the expenses incurred due to the ransomware attack on Change Healthcare in February 2024. The total outlay for managing this cyber incident is now anticipated to range between $2.3 billion and $2.45 billion for this year, surpassing the previous estimate by over $1 billion. UHG has already disbursed nearly $2 billion in dealing with the aftermath of the ransomware attack, which led to extensive disruptions for healthcare providers nationwide owing to prolonged service outages.”

Spiceworks, “CDK Global Restores Operations Following $25 Million Ransom Payment”:
“The breach of CDK Global’s systems, which commenced on June 19, 2024, triggered software disruptions that paralyzed car dealerships across the country. CDK Global worked fervently to revive its systems post-attack, a process that spanned approximately two weeks.

As a result, automotive dealerships had to resort to manual procedures, leading to significant sales and service delays and incurring substantial financial losses. According to findings by the Anderson Economic Group, these dealerships collectively suffered losses exceeding a billion dollars during the outage.”

Government Technology, “Florida Department of Health Hit by Ransomware Attack”:
“An attack on the Florida Department of Health disrupted the state’s ability to issue vital documents like birth and death certificates, potentially jeopardizing the confidentiality of sensitive patient data. RansomHub, a ransomware syndicate, claimed on the dark web to have stolen 100 gigabytes of data, which they threatened to expose by the upcoming Friday unless a ransom was paid, as reported by the Tampa Bay Times. However, legislation in Florida prohibits state and local governments from succumbing to ransom demands, as not all cybercriminals honor their pledges after receiving payment.”

LATEST RANSOMWARE REPORTS

Recently, Sophos published their annual report titled: The State of Ransomware in Critical Infrastructure 2024. The report features insights from an impartial survey conducted among 5,000 leaders responsible for IT/cybersecurity duties across 14 nations during January and February 2024.

Here are the details of their research methodology and key discoveries:

  • The study involved 275 participants from energy, oil, and gas, as well as utility firms falling within the Energy and Water sectors, as defined by CISA’s critical infrastructure categories.
  • Recovery expenditures for energy and water utilities surged to $3 million within a year.
  • Almost half of the ransomware attacks on these key infrastructure segments originated from exploited vulnerabilities.
  • 67% of organizations within these sectors reported ransomware incidents in 2024.
  • Only a fifth of the affected entities managed to recover within a week or less during 2024, a decline from 41% in 2023 and 50% in 2022 (energy and water sectors experience lengthier recovery durations).

An intriguing point from the report states, “86 respondents from energy, oil/gas, and utilities, whose organizations paid the ransom, divulged the actual sums paid.

  • Median payout: $2,540,000
  • Mean payout: $3,225,093

“Ransom amounts significantly vary across sectors, with the IT, technology, and telecom sectors reporting the lowest median ransom payout ($300,000), followed by distribution and transport sectors ($440,000). Conversely, both lower education and central/federal government institutions reported median ransoms of $6.6M.”

Additionally, BlackFog released their monthly ransomware report for June, outlining these noteworthy points:

“June saw a slight reduction in overall threat figures compared to previous periods, with a total of 45 ransomware incidents. While this decline is notable, the number remains considerably high compared to historical data, underscoring the normalization of such threats. Despite the dip in attacks, the proportion of unreported incidents remains alarmingly high at 774%, emphasizing the substantial number of attacks that continue to go unnoticed.

“Healthcare emerged prominently this month with a 25% rise from May, followed by government and technology sectors witnessing increases of 23% and 21% respectively. Notably, the education sector recorded a moderate 8% upsurge, a departure from its usual heightened activity levels in previous months.

“Regarding attack variants, Play exhibited the most significant growth this month with a 33% increase in attacks, followed by Black Basta and Medusa at 14% and 13% respectively. This pattern follows a previous surge in unreported attacks involving Medusa, often foretelling disclosed attacks in upcoming months. While Lockbit remains the primary variant by a substantial margin, its growth was modest at 3% during this period.

“Furthermore, data exfiltration was involved in 93% of all attacks, with PowerShell serving as the leading vector at 62%, marking an 11% upturn from the prior month. China and Russia maintained their dominance as the primary destinations for exfiltrated data at 15% and 6% respectively.”

Lastly, ReliaQuest published a blog offering insights into ransomware trends in Q2 2024. Here are some salient points from their report:

  • “During Q2 2024, ReliaQuest identified 1,237 entities listed on ransomware data exposure sites, representing a 20% increase from Q1 2024. This quarter’s ransomware patterns have shown monthly fluctuations, with 43% of the entities being listed in May, followed by remarkably low numbers in June. These figures deviate from past growth rates, indicating significant disruptions within the ransomware-as-a-service ecosystem that affect reporting volumes.
  • “Following law enforcement actions against LockBit in February 2024 and the dissolution of ALPHV, new groups such as RansomHub, BlackSuit, and BlackBasta have enticed fresh partners and escalated their engagement. ReliaQuest foresees a consistent surge in ransomware operations from novel factions in the latter part of 2024 as partners adapt to recent controllers.
  • “In the second quarter of 2024, LockBit made efforts to bounce back from a significant crackdown by law enforcement. By announcing 179 impacted organizations solely in the month of May, the faction likely aimed to reclaim prominence and refute the statements made by law enforcement concerning the disruption of the faction. We anticipate a notable decline in LockBit activities in the forthcoming months as the faction grapples to sustain trust among partners.
  • “The primary targets of ransomware factions continue to be the US, as well as the manufacturing and professional, scientific, and technical services (PSTS) sectors. The rise in targeting of PSTS entities mirrors an escalation in attacks on technology firms through supply-chain infiltrations.
  • “In the next quarter, a gradual uptick in ransomware operations is anticipated. However, the heightened frequency of law enforcement activities aimed at ransomware factions and the widespread availability of free decryption keys might result in an overall decrease in ransomware activities in the medium to long run.
  • “ReliaQuest foresees ongoing assaults emanating from supply-chain breaches and leaked credentials perpetrated by ransomware factions in the forthcoming quarter. It is imperative for organizations to maintain updated software and enforce digital risk protection (DRP) solutions to hinder initial breaches.”

Here’s a session from the 2024 RSA Conference discussing the ransomware threat landscape with references:

In May of 2023, following a relatively slow 2022 in terms of ransomware incidents, I penned: “Are We Observing Fewer Ransomware Attacks? Not at Present!” These patterns appear to persist into 2024.

In addition, as I traverse the country and deliver presentations stemming from my publication Cyber Mayday and the Day After, which narrates true accounts about ransomware as witnessed by C-Suite executives, the curiosity and intrigue about the subject continues to mount.

We must revisit many of the same themes I previously explored (that led to the book), as cyber challenges continue to accelerate, notwithstanding the diligent efforts of many. In certain scenarios and domains, new personnel are unfamiliar with the challenges and available remedies.

This piece from Healthcare IT Today proposes recommendations for healthcare entities following the Ascension Healthcare ransomware incident.

I would be negligent if I didn’t mention the unparalleled global ramifications of the CrowdStrike software update problems, which are paralyzing businesses, airports, and governments worldwide as I draft this blog on Friday, July 19. While this situation is rapidly evolving, it serves as a reminder of the gravity of technological risks — even if this wasn’t a cyber assault. Numerous articles will be published on the subject, but irrespective of your perspective, the world is once again focusing on cybersecurity. (Even if, in this case, it involves a cyber corporation trying to halt malware but making an error.)

CONCLUDING REMARKS

Wired magazine recently covered the ransomware subject, and their headline encapsulates it succinctly: “Ransomware Is ‘More Merciless’ Than Ever in 2024.”
