Ransomware Still a ‘Savage’ Menace in 2024


The first six months of 2024 have been yet another peak period for ransomware attack costs, with substantial global repercussions for customers, services, and bottom lines. For instance, consider these news items:

The HIPAA Journal: Change Healthcare Estimated to Incur Costs of at Least $2.3B in 2024 due to Ransomware Attack: “UnitedHealth Group (UHG) has released an update on the expenses linked to its handling of the February 2024 ransomware incident affecting Change Healthcare. The current estimation for the overall expenses is now projected to range between $2.3 billion and $2.45 billion for this year, surpassing the initial projections by over $1 billion. UHG has already disbursed nearly $2 billion towards managing the aftermath of the ransomware breach, which led to significant disruptions to service providers nationwide due to extended service outages.”

Spiceworks: CDK Global Operational Disruption Resolved After Paying Ransom Worth $25 Million: “The cyber assault commenced on June 19, 2024, with an infiltration of CDK Global’s systems. This caused software outages that brought operations to a standstill at car dealerships across the nation. CDK Global quickly endeavored to reinstate their systems following the attack, a process that took approximately two weeks.


“As a result, car dealerships were compelled to resort to manual backup procedures, leading to significant sales and service delays, resulting in substantial financial setbacks. The Anderson Economic Group’s research outlined that automobile dealerships suffered losses exceeding a billion dollars during the service interruptions.”

Government Technology: Florida Department of Health Struck by Ransomware Attack: “An assault by ransomware on the Florida Department of Health has reportedly disrupted the state’s capacity to issue birth and death certificates, while also jeopardizing the security of sensitive patient data. According to a report on the dark web, the ransomware syndicate RansomHub claimed to have seized 100 gigabytes of data, declaring intentions to publish it by Friday if the demanded ransom is not paid, as disclosed by the Tampa Bay Times. However, Florida legislation forbids state and local authorities from succumbing to ransom demands, as not all cyber wrongdoers adhere to their promises even when compensated.”

FRESH RANSOMWARE REPORTS

Sophos recently released their annual report, The State of Ransomware in Critical Infrastructure 2024. The report presents findings from an independent, vendor-neutral survey of 5,000 IT/cybersecurity leaders in 14 countries, conducted in January and February 2024.

Here are their methodology and notable findings:

  • Included 275 respondents from the energy, oil and gas, and utilities sectors, which fall under the Energy and Water sectors of CISA’s 16 defined critical infrastructure sectors.
  • Recovery expenses for energy and water utility firms surged to $3 million within a year.
  • 49% of ransomware incidents against these two pivotal infrastructure categories originated from exploited vulnerabilities.
  • 67% of entities within these sectors reported ransomware assaults in 2024.
  • Merely 20% of enterprises hit by ransomware managed to restore operations within a week or less in 2024, dropping from 41% in 2023 and 50% in 2022 (with energy and water sectors facing extended recovery durations).

I also discovered this intriguing excerpt: “86 respondents from energy, oil/gas, and utilities organizations, whose firms disbursed the ransom, disclosed the actual sums paid.

  • Median payment: $2,540,000
  • Mean payment: $3,225,093

“Ransom amounts exhibit variance across industries. The information technology, technology, and telecom sectors reported the lowest median ransom payout ($300,000), trailed by distribution and conveyance ($440,000). At the opposite end of the spectrum, both the educational sector and central/federal government had median ransoms of $6.6M.”

Meanwhile, BlackFog circulated their monthly ransomware update for June, showcasing these highlights:

“June witnessed a slight decline in the overall threat numbers for the year, observing a total of 45 attacks. While still historically substantial, this represents the second highest June statistics on record. It underlines how commonplace these assaults have become. Despite the reduced number of attacks for the month, the ratio of undisclosed attacks remains elevated at 774%, highlighting the sheer prevalence of unreported incidents.

“The healthcare sector took the spotlight this month with a 25% surge from May, followed by government and technology with increments of 23% and 21%, respectively. Unlike most months, the education industry witnessed a significant downturn from the usual record-breaking activity, registering merely an 8% increase.

“In terms of variations, the Play variant saw the most significant uptick this month with a 33% boost in attacks, trailed by Black Basta and Medusa with 14% and 13%, respectively. This follows the considerable surge in undisclosed Medusa attacks last month, typically signaling disclosed attacks in the ensuing months. While Lockbit remains the dominant variant by a considerable margin, its growth was only marginal at 3% this month.

“Moreover, data exfiltration is currently involved in 93% of all assaults, with PowerShell leading at 62%, marking an 11% upsurge from the previous month. China and Russia continue to reign as the primary destinations for exfiltrated data at 15% and 6%, respectively.”

One more report worth mentioning: ReliaQuest published this blog on Q2 2024 ransomware insights. Here are some highlights:

  • “In Q2 2024, ReliaQuest identified 1,237 organizations listed on ransomware data-leak platforms, marking a 20% increase from Q1 2024. This quarter’s ransomware pattern exhibited fluctuations month-over-month. 43% of organizations featured on data-leak sites were reported in May, following remarkably low figures in June. These statistics deviate from previous growth rates, signaling potential disturbances within the ransomware-as-a-service network impacting their figures.
  • “Following law enforcement actions against LockBit in February 2024 and the dissolution of ALPHV, newer groups like RansomHub, BlackSuit, and BlackBasta have enlisted fresh associates and boosted their operations. ReliaQuest foresees a gradual surge in ransomware activities orchestrated by emerging factions in the latter part of 2024 as partners adapt to new overseers.
  • “In the second quarter of 2024, LockBit endeavored to bounce back from a substantial enforcement undertaking. Highlighting 179 impacted entities in May alone, the syndicate likely strove to reestablish prominence and refute assertions made by law enforcement regarding their dismantling.” Forecasts indicate diminishing LockBit operations in the upcoming months as the syndicate grapples to maintain credibility among affiliates.
  • “The United States, along with the manufacturing and the professional, scientific, and technical services (PSTS) sectors, continue to be the primary focal points for ransomware factions. The upsurge in PSTS entities being targeted mirrors the escalated focus on tech firms in supply-chain intrusions.
  • “In the forthcoming quarter, there is an expected uptick in ransomware activities. Nonetheless, the growing frequency of law enforcement crackdowns on ransomware factions and the accessibility of free decryption keys may bring about an overall decline in ransomware occurrences in the mid- to long-term.
  • “ReliaQuest anticipates continued breaches ensuing from supply-chain breaches and exposed logins by ransomware factions in the upcoming quarter. Hence, it is vital for establishments to maintain current software versions and adopt digital risk protection (DRP) platforms to avert initial penetrations.”

Here’s a session from the 2024 RSA Conference addressing the ransomware threat landscape, supported by various references:

In May of 2023, following a slower 2022 concerning ransomware, I penned: “Are We Seeing Fewer Ransomware Attacks? Not Now!” Those trends appear to be persisting into 2024.

Furthermore, as I traverse the nation delivering speeches stemming from my publication Cyber Mayday and the Day After, which chronicles authentic accounts about ransomware from the perspective of C-Suite executives, the curiosity and genuine interest in the subject continue to burgeon.

We must revisit many of the same themes I have previously tackled (leading to the book), as these cybersecurity challenges are progressively escalating, despite the concerted efforts of numerous parties. In certain instances and sectors, fresh personnel may be unfamiliar with the predicaments and remedies available.

This piece from Healthcare IT Today delineates recommendations for healthcare institutions following the Ascension Healthcare ransomware incident.

I would be negligent not to reference the unparalleled global ramifications of the CrowdStrike software update glitches, which are hampering businesses, airports, and administrations worldwide as of my blog composition on Friday, July 19. While this scenario is dynamically evolving, it serves as a reminder of the enormity of the stakes entwined with technology, even if this wasn’t a cyber incursion. Numerous articles will be penned on this subject, yet irrespective of one’s perspective, cybersecurity once again has the world’s undivided attention. (Even if, in this instance, it involves a cybersecurity firm erroneously hindering malware.)

FINAL THOUGHTS

Wired magazine recently discussed this ransomware discourse, encapsulating it aptly with their headline: “Ransomware Is ‘More Brutal’ Than Ever in 2024.”
