According to Cybernews tool Ransomlooker’s data, nearly 5,300 ransomware victims were reported last year, a whopping 26% increase from the previous year. Ransomware operators continue to prove their uncanny versatility, even though 2024 was marked by significant and far-reaching attempts from law enforcement to curb attacker activity.
Ransomlooker’s top attackers
Interestingly, LockBit, pronounced dead after the highly publicized operation Cronos in early 2024, still secured the top spot among cybercrooks. This made it the gang’s third consecutive year on the throne.
Worth noting, however, that LockBit’s position severely weakened last year as the number of the gangs’ victims fell to around 530, a 50% decrease. Given the whole ransomware scene widened by a quarter, the gang’s actual fall is even more spectacular.
Emerging in 2024, RansomHub sprinted straight to the top, victimizing nearly 500 organizations and showing a startling ability to scale operations apace.
Meanwhile, the Play ransomware gang has entrenched itself in third place, holding the title for a second year in a row with nearly 350 victims. The gang focused its efforts on targeting sectors like manufacturing/industrial, real estate/construction, and technology.
At the same time, LockBit mostly targeted manufacturing/industrial, technology, and retail industries, while RansomHub put the most effort into victimizing real estate/construction, manufacturing/industrial, and retail sectors.
Malicious actors were most active in spring and autumn
Ransomlooker helped to spot a worrying trend last year: the proliferation of new ransomware gangs. According to the team, the number of active ransomware gangs almost reached 89, a significant hike from 67 in the previous year.
“Among the tsunami of newcomers, 43 were newly formed or rebranded groups, highlighting the dynamic and decentralized nature of the ransomware ecosystem. Newbies alone accounted for more than one-third of all claimed victims in 2024, illustrating their aggressive start,” researchers said.
Apart from RansomHub, two other groups strongly entered the fray: KillSec and Funksec, with 136 and 91 victims, respectively. New and, unfortunately, successful entries point to the challenges of reducing ransomware activity – the barriers for entry remain low and the decentralized model of operation allows new groups to fill the void left by dismantled ones.
Another interesting trend the team noticed was the seasonal pattern of ransomware group activity. For example, spring and autumn were the most active periods for malicious actors, with nearly 1,600 victimized organizations in fall and another 1,500 in spring.
Top industries under attack: manufacturing, technology, and real estate
The top three sectors under siege closely mirrored trends we saw in 2023, with manufacturing and industry sectors bearing the brunt of attackers’ punches.
Ransomware gangs victimized over 300 sector companies, an unsurprising outcome given how sensitive manufacturing is to downtime, making them profitable targets for extortion.
With 150 victims, businesses in the technology sector were the second most targeted. Real estate ranked third, showcasing attackers’ love to aim for organizations with interconnected systems and valuable data.
“Healthcare services also remained a key target, raising concerns about the security of critical infrastructure. This is particularly alarming, as each year brings more reports emphasizing that ransomware attacks on healthcare institutions can lead to severe consequences, including the loss of patient lives,” the team said.
America’s onslaught
The United States holds the unfortunate crown as the most targeted country in the world. Ransomlooker data shows that over 1,700 organizations were victimized in the States, far surpassing others.
For example, the second and third-place holders, Canada and the UK, had more than ten times fewer victims.
India, the fourth-place holder, should take note of that. The world’s largest democracy was absent from the top targeted country list from 2021 through 2023 but emerged as the hottest target in 2024.
Other countries such as Italy, Germany, France, and Spain also experienced steady ransomware activity, illustrating how attackers focus on nations with strong economies and extensive digital reliance.
