Reporting ransomware attacks: Steps to take Enterprise ransomware prevention measures to enact in 2021
X

Ransomware trends, statistics and facts heading into 2024

Supply chain attacks, double extortion and RaaS are just a few of the ransomware trends that will continue to disrupt businesses in 2024. Is your industry a top target?

While ransomware is not a new cybersecurity risk, it is a threat that continues to receive attention at the highest levels of government around the world. Ransomware has affected people's ability to get healthcare, put gas in their vehicles and buy groceries.

The financial effects of ransomware have also become particularly pronounced in recent years. Attacks hit supply chains, causing more widespread damage than an attack against a single individual. There has also been an increased response from government and technology vendors to help stem the tide of ransomware attacks.

Ransomware trends that will continue in 2024

A few key ransomware trends have emerged in recent years that will likely continue into 2024 and beyond. Attackers realized that certain techniques yield better results and focused on those approaches. Here are some of the primary trends for ransomware in recent years:

  • Supply chain attacks. Instead of attacking a single victim, supply chain attacks extend the blast radius. One such example was an exploit in the Moveit Transfer software product from Progress software that led to large-scale ransomware attacks by the Clop ransomware gang. Over the last several years there have been multiple such incidents, including the Kaseya attack, which affected at least 1,500 of its managed service provider customers, and the SolarWinds hack.
  • Triple extortion. In the past, ransomware was about attackers encrypting information found on a system and then demanding a ransom in exchange for a decryption key. With double extortion, attackers also exfiltrate the data to a separate location. With triple extortion ransomware, attackers also threaten to leak data unless paid. Triple extortion has been used by multiple threat actors, including Vice Society in an attack against the San Francisco Bay Area Rapid Transit system.
  • Ransomware as a service (RaaS). Gone are the days when every attacker had to write their own ransomware code and run a unique set of activities. RaaS is pay-for-use malware. It lets attackers use a platform that provides the necessary ransomware code and operational infrastructure to launch and maintain a ransomware campaign.
  • Attacking unpatched systems. This is not a new trend, but it is one that continues to be an issue. While there are ransomware attacks that make use of novel zero-day vulnerabilities, most continue to abuse known vulnerabilities on unpatched systems.
  • Phishing. While ransomware attacks can infect organizations in different ways, some form of phishing email was more often than not a root cause. With the rise of generative AI, it has become easier than ever before for attackers to craft well-written phishing lures.

Ransomware statistics

The statistics listed below provide insight into the breadth and growing scale of ransomware threats:

  • According to the Verizon 2023 Data Breach Investigations Report (DBIR) ransomware attacks were involved in 24% of all breaches.
  • Ransomware affected 66% of organizations in 2023, according to Sophos' "The State of Ransomware 2023" report.
  • Since 2020, there have been more than 130 different ransomware strains detected, according to VirusTotal's "Ransomware in a Global Context" report:
    • The GandCrab ransomware family was the most prevalent, comprising 78.5% of all samples received.
    • Ninety-five percent of all the ransomware samples were Windows-based executable files or dynamic link libraries.

Ransomware statistics by industry

Ransomware can hit any individual or industry, and all verticals are at risk. That said, ransomware attacks have affected some verticals more than others and will continue to be an issue for years to come. The following are the top 13 ransomware targets by industry:

  1. Education.
  2. Construction and property.
  3. Central and federal government.
  4.  Media, entertainment and leisure.
  5.  Local and state government.
  6.  Retail.
  7.  Energy and utilities infrastructure.
  8.  Distribution and transport.
  9. Financial services.
  10.  Business, professional and legal services.
  11. Healthcare.
  12. Manufacturing and production.
  13. IT, technology and telecoms.

Costs of ransomware attacks and payment trends

The costs attributed to ransomware incidents vary significantly, depending on the reporting source. Different points of view from both the private and public sector provide some visibility into the cost and payment trends for ransomware attacks:

  • According to the Verizon 2023 DBIR, 93% of ransomware incidents did not result in any loss. While not every ransomware victim pays a ransom or incurs a cost, some do.
  • Of all cyber insurance claims, 19% were ransomware-related in the first half of 2023, according to the "Coalition 2023 Cyber Claims Report." The severity of ransomware claims reached a record high, with the average loss amount more than $365,000.
  • The median ransomware demand was $650,000, though the actual median ransomware payment was 46% less at $350,000, according to the "2023 Unit 42 Ransomware and Extortion Threat Report."

Recent ransomware attacks

There have been many ransomware attacks in recent years affecting organizations and their customers. The following are some notable recent attacks:

MoveIt ransomware attacks. The most noteworthy ransomware incident in 2023 was the barrage of organizations that became victims to the MoveIt Transfer attacks from the Clop ransomware group. The flaw in the Progress Software managed file transfer product tracked as CVE-2023-3462. Though the flaw was first publicly detailed on May 31, 2023, it was the leading cause of ransomware disclosures for months afterward. Among the many victims of the MoveIt flaw were multiple U.S. government agencies, the BBC, British Airways (BA), HR software provider Zellis and the government of the Canadian province of Nova Scotia. In August 2023, some analysts had estimated that the Moveit attack was responsible for more than 600 breaches.

Royal Mail. In January 2023, the British Royal Mail service was hit by the LockBit ransomware group, making an $80 million ransom demand.

Dallas, Texas. The city of Dallas was affected by a wide-ranging ransomware attack in May 2023.

TSMC. In June 2023, Taiwan Semiconductor Manufacturing Company (TSMC) was allegedly breached by ransomware from the LockBit ransomware gang, due to a breach at its partner Kinnmax. The attacker demanded $70 million in ransom.

MGM Resorts and Caesars Entertainment. In September 2023, a pair of Las Vegas hotel and casino operators were struck by debilitating ransomware attacks that had significant effect on operations.

Boeing. In November 2023, aerospace giant Boeing confirmed it had been the victim of a cyberattack. The LockBit ransomware gang claimed credit for the incident.

TechTarget Editorial has compiled a comprehensive list of publicly disclosed U.S ransomware attacks.

Ransomware predictions

Ransomware didn't start recently, and it won't end anytime soon either. Ransomware will likely continue to evolve in a few different ways. Here are some predictions on the direction that ransomware will take in the years ahead:

  • Attack methods will evolve to exploit cloud and VPN infrastructure. Security vendor Norton LifeLock warns 2024 could bring new forms of VPN and cloud infrastructure exploitation that leads to ransomware payload delivery. 
  • Software supply chain attacks will continue. Security vendor Trend Micro predicts there will be more software supply chain attacks in 2024. Trend Micro expects the big risk to come from continuous integration and continuous delivery systems.
  • Generative AI could be a real problem. The rise of generative AI was a pervasive topic across the IT landscape in 2023. The ability for attacks to use generative AI in 2024 could lead to more advanced phishing campaigns and ransomware exploitation.

How to protect against ransomware attacks

Organizations and individuals can take steps to mitigate ransomware attacks. But there is no silver bullet that will solve or defend against ransomware. What's needed is a multilayered approach to improve IT security overall. There are six key steps to safeguard assets against ransomware risks:

  1. Maintain a defense-in-depth security program. Ransomware is just one of many risks that IT users face. Having multiple layers of defense is a key best practice.
  2. Consider advanced protection technologies. The use of extended detection and response can help organizations identify potential risks that could lead to ransomware exploitation.
  3. Educate employees about the risks of social engineering. More often than not, it's users clicking on something they shouldn't that leads to infection. Education and vigilance are important.
  4. Patch regularly. Ransomware code often targets known vulnerabilities. By keeping software and firmware updated, a possible attack vector can be eliminated.
  5. Frequently back up critical data. Ransomware's target is data. By having reliable backups, the risk of losing data can be minimized.
  6. Consider tabletop exercises. Preparing for ransomware with a tabletop exercise can identify potential gaps and ensure the right process is in place to mitigate and recover from a potential attack.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and has been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.

Next Steps

Types of ransomware and a timeline of attack examples

Top ransomware attack vectors and how to avoid them

Cybersecurity books to read

The biggest ransomware attacks in history

How to prevent ransomware

Dig Deeper on Threats and vulnerabilities