Ransomware activity reached the highest level of any single quarter recorded to date in Q4 2024, with 1,663 victims posted on leak sites, according to the “Q4 2024 Cyber Threat Report” by Travelers and Corvus Insurance. This breaks a record of 1,330 victims that had stood since Q3 2023 and represents a 32% increase from Q3 2024.
In 2024, 5,243 total victims were posted on leak sites, a 15% increase from the 4,548 incidents recorded in 2023. “Globally, these attacks exposed over 195 million records according to one study, while other research estimated the total payments to ransomware groups at $813 million for the year.” The number, although high, represents a 35% decrease in ransomware revenue from the prior year.
“A reasonable conclusion from the simultaneous increase in attacks and drop in revenue is that more organizations are better equipped to stand up to attackers by refusing to pay and accepting the consequences. While this marks progress of a sort in blunting financial losses from ransomware, it unfortunately does not mean an end to the costs of business disruption, IT system restoration, litigation, and regulatory fines for exposed records.” As a result, a ransomware attack is impactful whether a ransom is paid or not, and vigilance by businesses is crucial.
A Shift in Attack Style
“Looking back to the previous peak of ransomware activity, the third quarter of 2023, much of the increase in ransomware leak site activity was attributed to opportunistic exploits of vulnerabilities found in common networking and software products,” states the report. “At that time, we saw several ransomware groups pounce on major vulnerabilities and exploit as many victims as possible in a short period of time.”
Researchers contrast this style of activity with that of 2024, which saw “ransomware actors instead find reliable and repeatable methods to gain access to victim networks, such as targeting weak credentials on VPN and gateway accounts that weren’t protected by multifactor authentication.” This shift, according to the report, had been months in the making after the leak of a ransomware training book in the summer of 2023.
“Written by an ‘initial access broker’—a threat actor who specializes in gaining and selling illicit access to business systems—the manual laid out a surprising strategy. Rather than focusing on discovering the next zero-day vulnerability, it advocated targeting widely-used VPNs with weak credentials to uncover opportunities. The author instructed attackers to use a variety of tools to look for default usernames like ‘admin’ or ‘test’ and try combinations of common passwords. The approach has worked surprisingly well.”
The researchers began seeing claims resulting from this type of activity throughout the second half of 2023, starting with VPNs and expanding to other remote access technologies, according to the report. “Evidence suggests that in 2024, the methodology spread among initial access brokers and ransomware operators and permitted them to proactively hunt for profitable targets at an impressive scale.”
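A defender can look for this pattern in VPN gateway authentication logs. The following Python detection logic is an added example, not part of the report: it flags source addresses that generate repeated failures (recording which of the default usernames named above they tried), successful logins without MFA from those sources, and every account that logged in without MFA. The log format, field names, threshold, and sample accounts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

DEFAULT_USERS = {"admin", "test"}   # default usernames named in the report
FAIL_THRESHOLD = 5                  # assumed tuning value, failures per source

# Hypothetical log format; adapt the pattern to your gateway's real output.
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth result=(?P<result>OK|FAIL) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>\S+)$")

# Constructed sample data (documentation IP ranges, invented accounts).
SAMPLE_LOG = """\
2024-11-02T03:14:01Z vpn-gw1 auth result=FAIL user=admin src=203.0.113.10 mfa=none
2024-11-02T03:14:03Z vpn-gw1 auth result=FAIL user=admin src=203.0.113.10 mfa=none
2024-11-02T03:14:05Z vpn-gw1 auth result=FAIL user=test src=203.0.113.10 mfa=none
2024-11-02T03:14:08Z vpn-gw1 auth result=FAIL user=test src=203.0.113.10 mfa=none
2024-11-02T03:14:11Z vpn-gw1 auth result=FAIL user=svc-backup src=203.0.113.10 mfa=none
2024-11-02T03:14:15Z vpn-gw1 auth result=OK user=svc-backup src=203.0.113.10 mfa=none
2024-11-02T08:01:40Z vpn-gw1 auth result=FAIL user=jdoe src=198.51.100.7 mfa=none
2024-11-02T08:01:55Z vpn-gw1 auth result=OK user=jdoe src=198.51.100.7 mfa=totp
2024-11-02T08:30:12Z vpn-gw1 auth result=OK user=asmith src=198.51.100.9 mfa=none
"""

def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := LINE_RE.match(line.strip()))]

def detect(events, threshold=FAIL_THRESHOLD):
    """Events must be in chronological order."""
    fails = defaultdict(int)          # failed attempts per source address
    default_hits = defaultdict(set)   # default usernames tried per source
    suspect_logins, no_mfa_accounts = [], set()
    for e in events:
        src, user = e["src"], e["user"].lower()
        if e["result"] == "FAIL":
            fails[src] += 1
            if user in DEFAULT_USERS:
                default_hits[src].add(user)
        elif e["mfa"] == "none":
            no_mfa_accounts.add(user)             # MFA coverage gap
            if fails[src] >= threshold:           # success after guessing
                suspect_logins.append((e["ts"], src, user))
    guessing = {s: sorted(default_hits[s]) for s, n in fails.items() if n >= threshold}
    return {"guessing_sources": guessing, "suspect_logins": suspect_logins,
            "no_mfa_accounts": sorted(no_mfa_accounts)}

if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))
```

The `no_mfa_accounts` list is worth reviewing even when no guessing is detected, since those accounts are the ones this technique depends on.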
Nation-State Activity
The report notes that security researchers have found increasing connections between nation-state threat actors and criminal ransomware groups. “Notably, per [the Cybersecurity and Infrastructure Security Agency (CISA)], cyber actors such as Pioneer Kitten have continued to coordinate efforts with groups like ALPHV by selling access to compromised networks or helping to carry out the encryption efforts. Additionally, recent connections have been identified between the threat actor tracked as Jumpy Pisces and the Play ransomware group. According to Unit42 researchers, Jumpy Pisces has been identified as either ‘acting as an initial access broker (IAB) or an affiliate of the Play ransomware group.’ These are generally well-resourced and can bring a new level of sophistication to attacks,” explains the report.
Ransomware Group Activity
Throughout 2024, new players in the ransomware world emerged and established groups adjusted their strategies, and Q4 was no different. “RansomHub continued to be a major threat, accounting for 238 attacks, or just over 14% of the quarter’s total. Well-established groups like Akira and PLAY maintained a consistent presence, contributing 133 and 95 attacks, respectively, while newer threat actors like Kill Security and Fog contributed to the share of the quarter’s activity.”
The turnover of the primary ransomware groups from 2023 (LockBit 3.0, AlphVM and CL0P) can be largely attributed to law enforcement disruption of these platforms, which opened the door for new operators, according to the report. “In 2024 alone, 55 new ransomware groups emerged—a 67% increase in group formation from the previous cybercrime ecosystem.”
One significant development in Q4 was the emergence of FunkSec, a “puzzling” new ransomware group, the report states. “Despite their aggressive presence, FunkSec has drawn attention for unusual reasons. Security researchers have raised questions about their credibility, particularly after reports suggested that FunkSec lacks the technical expertise typically seen in advanced ransomware operations. Moreover, FunkSec’s claims of association with defunct hacktivist groups and their suspiciously recycled data on leak sites have led to further scrutiny. These factors have raised doubts about the group’s true capabilities and objectives.”
Some analysts believe FunkSec may be overstating its achievements to gain notoriety or manipulate public perception; however, it appears that the group is relying heavily on AI tools to develop its code, a practice that has not often been observed among established groups in the ransomware ecosystem.
Trends
A noteworthy trend from 2024 is the increased targeting of IT services and consulting firms, according to the report. “These entities often act as intermediaries for other industries, amplifying the impact of an attack through their connections to multiple clients. Government administration, while not as dominant as other sectors, experienced a surge in late 2024.”
In addition to IT services and consulting firms, the construction sector remained a primary target in 2024, with 129 attacks recorded in Q4 alone, and a 56% increase in attacks year-over-year. Hospitals and healthcare organizations also faced persistent threats, with attacks rising from 166 in 2023 to 210 in 2024. Other notable targets included law practices and financial services, underscoring the broad spectrum of industries vulnerable to ransomware activity.