The ransomware industry surged in 2023, with the number of global victims increasing by 55.5% to a staggering 5,070. But 2024 began very differently. While the number of ransomware cases surged to 1,309 in the fourth quarter of 2023, it fell to 1,048 in the first quarter of 2024, a 22% decrease in ransomware attacks compared to the fourth quarter of 2023.
Figure 1: Number of victims per quarter
There could be many reasons for this sharp decline.
Reason 1: Law enforcement intervention
First, law enforcement upped the ante in 2024, taking action against LockBit and ALPHV.
LockBit arrests
In February, an international operation dubbed “Operation Kronos” culminated in the arrest of at least three associates of the notorious LockBit ransomware group in Poland and Ukraine.
Law enforcement agencies from multiple countries collaborated to dismantle LockBit’s infrastructure. This included seizing the group’s dark web domains and gaining access to its backend systems. Authorities seized cryptocurrency accounts and obtained decryption keys to help victims recover their data. They also used LockBit’s own website to publish internal data about the organization itself.
Ukrainian cyber police have revealed they have detained a “father and son” duo allegedly linked to LockBit, whose activities allegedly affected individuals, businesses, government entities and medical institutions in France.
During a search of the suspect’s home in Ternopil, Ukraine, law enforcement authorities seized cellphones and computer equipment suspected of being used in cyberattacks.
In Poland, authorities arrested a 38-year-old man in Warsaw on suspicion of links to LockBit. He was taken to the prosecutor’s office and charged with criminal offences.
However, LockBit’s re-emergence within a week highlights the ongoing challenges in fighting cybercrime.
They released a statement on Tox:
“FBI screwed up a server using PHP, but the backup server without PHP was not affected”
“FBI fu$%#d servers using PHP, backup servers without PHP are not affected”
Soon after, the group continued to launch attacks against organizations around the world, maintaining its dominance in ransomware operations. This resilience underlines the group’s strength and capabilities, as well as the strong security measures surrounding its operations, which ensure its continued viability and a potentially bright future, as evidenced by quarterly trends in recent years.
Impact of the ALPHV takedown
The FBI announced on December 19, 2023 that they had disrupted the ALPHV/BlackCat ransomware group, dealing a major blow to the ransomware industry. The operation came five days after an outage of the group’s darknet infrastructure began on December 8. The FBI took control of one of ALPHV’s main sites and replaced it with their signature banner. This operation and the development of decryption tools to help victims represent a major victory for law enforcement in the fight against ransomware.
In the first quarter of 2024, ALPHV launched 51 ransomware attacks, a significant decrease from the 109 ransomware attacks in the fourth quarter of 2023. Although the group was still active in 2024, the FBI’s takedown apparently had a significant impact.
Reason 2: Reduced ransom payments
A decrease in ransom payments may also prompt ransomware groups to exit and seek other sources of revenue.
The proportion of ransomware victims who complied with ransom demands plummeted to a record low of 29% in the last quarter of 2023, according to ransomware negotiation firm Coveware.
Coveware attributes this continued decline to a variety of factors, including increased organizational preparedness, doubts about cybercriminals’ guarantees not to disclose stolen data, and legal restrictions in regions that ban ransom payments.
Not only has the number of payments from ransomware victims decreased, but the monetary value of such payments has also dropped significantly.
Coveware noted that in the fourth quarter of 2023, the average ransom amount was $568,705, down 33% from the previous quarter, and the median ransom amount was $200,000.
New groups are emerging but have yet to make up for the decline
Although the number of attacks declined from Q4 2023 to Q1 2024, and profitability was lower, many new ransomware groups emerged in the first quarter. New groups include:
- RansomHub – Positions itself as a global hacking team primarily driven by financial gain.
- Trisec – Distinct from traditional ransomware groups, openly aligned with nation-states.
- Slug – Claimed responsibility for infiltrating and targeting AerCap.
- Mydata – A data leakage website that lists the names of several well-known companies, including Accolade Group, Gadot Biochemical Industries, etc.
Cyberint expects that some of these newer organizations will enhance their capabilities and become dominant players in the industry along with established organizations such as LockBit 3.0, Cl0p and BlackBasta.
Read Cyberint’s 2023 Ransomware Report to learn more about emerging groups, top target industries and countries, details on the top 3 ransomware groups active in the first quarter of 2024, noteworthy trends and events in 2024, and more.