The ransomware industry surged in 2023 as it saw an alarming 55.5% increase in victims worldwide, reaching a staggering 5,070. But 2024 is starting off showing a very different picture. While the numbers skyrocketed in Q4 2023 with 1309 cases, in Q1 2024, the ransomware industry was down to 1,048 cases. This is a 22% decrease in ransomware attacks compared to Q4 2023.
Figure 1: Victims per quarter |
There could be several reasons for this significant drop.
Reason 1: The Law Enforcement Intervention
Firstly, law enforcement has upped the ante in 2024 with actions against both LockBit and ALPHV.
The LockBit Arrests
In February, an international operation named "Operation Cronos" culminated in the arrest of at least three associates of the infamous LockBit ransomware syndicate in Poland and Ukraine.
Law enforcement from multiple countries collaborated to take down LockBit's infrastructure. This included seizing their dark web domains and gaining access to their backend systems. Authorities seized cryptocurrency accounts and obtained decryption keys to help victims recover data. They also used Lockbit's own website to release internal data about the group itself.
Ukrainian cyber police disclosed that they had detained a "father and son" duo allegedly affiliated with LockBit, whose activities purportedly impacted individuals, businesses, governmental entities, and healthcare establishments in France.
During searches of the suspects' residences in Ternopil, Ukraine, law enforcement seized mobile phones and computer equipment suspected to have been utilized in cyberattacks.
In Poland, authorities arrested a 38-year-old individual in Warsaw, suspected of being associated with LockBit. He was brought before the prosecutor's office and charged with criminal offenses.
However, LockBit re-emerged within a week, highlighting the ongoing challenges of combating cybercrime.
They released a statement on Tox.
"ФБР уебали сервера через PHP, резервные сервера без PHP не тронуты"
"The FBI fu$%#d up servers using PHP, backup servers without PHP are not touched"
Shortly after the group continued its global onslaught against organizations, maintaining its position as a dominant force in the realm of ransomware operations. This resilience underscores the group's formidable power and capabilities, as well as the robust security measures surrounding its operations that ensures its continued viability and potentially promising future, as evidenced by quarterly trends over recent years.
The Impact of the ALPHV Takedown
In a major blow to the ransomware industry, the FBI announced on December 19th, 2023, that they had disrupted the ALPHV/BlackCat ransomware group. This takedown followed a five-day outage of the group's dark web infrastructure, which began on December 8th. The FBI seized control of one of ALPHV's main sites, replacing it with their signature banner. This action, along with the development of a decryption tool to aid victims, represents a significant win for law enforcement in the fight against ransomware.
In Q1 2024, ALPHV were behind 51 ransomware attacks, a significant drop from the 109 attacks in Q4 2023. Although the group is still active in 2024, the FBI takedown clearly had a significant impact.
Reason 2: The Decrease in Ransom Payments
The decrease in ransom payments could also be prompting ransomware groups to retire and seek alternative sources of income.
In the last quarter of 2023, the proportion of ransomware victims complying with ransom demands plummeted to a historic low of 29%, as per data from ransomware negotiation firm Coveware.
Coveware attributes this continuous decline to several factors, including enhanced preparedness among organizations, skepticism towards cybercriminals' assurances to not disclose pilfered data, and legal constraints in regions where ransom payments are prohibited.
Not only has there been a decrease in the number of ransomware victims making payments, but there has also been a notable decline in the monetary value of such payments.
Coveware notes that in Q4 2023, the average ransom payment amounted to $568,705, marking a 33% decrease from the preceding quarter, with the median ransom payment standing at $200,000.
New Groups Emerging BUT Not Yet Covering the Drop
Despite the drop in a number of attacks from Q4 2023 to Q1 2024 and despite the lower profitability, many new ransomware groups emerged in Q1. New groups include:
- RansomHub – identifying itself as a global team of hackers primarily motivated by financial gain.
- Trisec – who openly diverges from conventional ransomware groups by openly aligning itself with a nation-state.
- Slug – who claim responsibility for infiltrating and targeting AerCap
- Mydata- with a data leak site naming several prominent companies, including the Accolade Group, Gadot Biochemical industries, and more.
Cyberint anticipates several of these newer groups to enhance their capabilities and emerge as dominant players in the industry, alongside veteran groups like LockBit 3.0, Cl0p, and BlackBasta.
Read Cyberint's 2023 Ransomware Report for more emerging groups, the top targeted industries and countries, a breakdown of the top 3 ransomware groups active in Q1 2024, notable 2024 trends & incidents and more.