Global ransomware attacks, demands, and payments increased in Q2 2024, according to Corvus’s Q2 Cyber Threat Report, titled “Ransomware Season Arrives Early.” The report found that the average ransomware demand reached $1,571,667, a 102% quarterly increase and the highest figure Corvus has reported since Q2 2022.
“Q2 of 2024 witnessed an alarming 1,248 ransomware victims posted to leak sites, positioning it as the second most prolific quarter on record by that measure of activity,” states the report. “That represents a 16% increase from the previous quarter and a sustained 8% year-over-year rise.”
CLM member Brian Gibbons, partner, Wade Clark Mulcahy LLP, comments, “The uptick in both ransom demands and payments comes as no surprise. Threat actors are becoming more sophisticated, as are cyber protections employed by their targets. And ironically, effective cyber protections require that threat actors must penetrate more targets before effectuating a breach, and thus, may feel justified in enhanced ransomware demands.”
Industry Insights
The construction industry has moved from the second most frequently targeted industry to the first in Q2 2024, according to the report, followed by the IT services and software development sector, which experienced noteworthy increases in ransomware incidents. “Those sectors are particularly vulnerable as they represent a form of ‘systemic risk,’ since any issues they encounter can have extensive ripple effects that disrupt operations for numerous downstream clients,” according to the report. “Even smaller IT firms can trigger widespread outages among their clientele if their systems are compromised or if attackers leverage their networks to target connected entities.”
Ransomware Group Activity Trends
“As some ransomware groups fade away—like the unexpected departure of the ALPHV (BlackCat) group in Q1…others quickly emerged in Q2 to fill the void, including PLAY, Medusa, RansomHub, INC Ransom, and Blacksuit, among other lesser-known factions,” states the Corvus report.
“In the case of the LockBit ransomware gang, law enforcement’s actions against the group earlier in the year had a significant impact. In an announcement, international law enforcement unmasked the principal orchestrator of LockBit, which resulted in the imposition of OFAC sanctions against him,” the report explains. “These sanctions further complicate the process of ransom payments and cast further doubt on the group’s ability to sustain its operations moving forward. To date, there has been no indication of the group reverting to its previous levels of activity.”
However, the report continues, “it’s worth noting that LockBit did experience a sudden resurgence in May that came as a surprise, before activity dropped back down. After examining the daily activity on the LockBit leak site, it seems that the abrupt surge in listed victims coincided with that announcement. The leader of the LockBit gang has a history of seeking attention through publicity stunts…This sudden burst of activity may have been in response to or in anticipation of law enforcement actions.” Following the surge, LockBit’s operations have persisted at a significantly reduced capacity.
Backups: Critical Tools to Avoid Worst Outcomes
“Given that ransomware’s primary goal is to render data inaccessible through encryption, those without robust backups are more likely to have their hand forced in a ransom situation—2.38 times more likely to pay a ransom, to be exact, according to recent Corvus claims data,” states the report.
Furthermore, organizations with effective backup strategies, “including immutable backups and what [Corvus refers to] as a ‘3-2-1’ strategy, wherein multiple copies of data are stored in locations that are segregated from the primary network, tend to fare better financially even if they do end up having some costs associated with an incident.”
The report emphasizes, however, that backups are not bulletproof and do not eliminate risk entirely. “Ransomware operators have evolved their tactics, recognizing that many organizations possess valuable and sensitive information,” states the report. “They exploit this by engaging in double-extortion schemes—they not only encrypt the data, but they also exfiltrate (steal) it, threatening to release it on the dark web. In 2024, data theft was involved in 93% of ransomware incidents among Corvus policyholders, a dramatic increase from a rate of less than 50% as recently as 2022.”