Ransomware prevention and anti-data exfiltration (ADX) firm BlackFog disclosed Wednesday that ransomware attacks reached record levels throughout 2024. New groups, new variants, and the volume in which they appeared during the year highlight why ransomware is one of the most pressing cybersecurity challenges for organizations worldwide.

In its report titled ‘2024 State of Ransomware Report,’ BlackFog detailed that 2024 was a pivotal year for ransomware, documenting 789 disclosed attacks and 5,159 undisclosed ones, marking year-over-year increases of 25 percent and 26 percent, respectively. The year kicked off with a record-breaking January, witnessing 76 attacks, a staggering 130 percent increase compared to January 2023. This upward trajectory persisted throughout the year, with seven months experiencing notable surges in disclosed attacks compared to the previous year. 

“The report shows 2024 was a landmark year with organizations facing growing financial and reputational damage from ransomware attacks, with high-value sectors particularly pressured to pay ransoms to restore operations,” Darren Williams, founder and CEO of BlackFog, said in a media statement. “As cybercriminals continuously refine their techniques to exploit vulnerabilities and launch large-scale attacks, defending against ransomware is becoming increasingly complex. Governments are stepping up efforts to counter this growing threat, introducing new measures such as mandatory ransomware incident reporting.”

However, Williams added that the global ransomware crisis continues to escalate at an alarming rate. In this evolving threat landscape, proactive and preventative strategies to mitigate ransomware and data exfiltration have never been more crucial.

LockBit and RansomHub dominated variants, while newcomers made an impact. LockBit, one of the most prominent ransomware gangs in recent years, remained the most active ransomware variant through 2024, affecting 603 victims. May was the busiest month, with nearly 200 attacks launched, accounting for 36 percent of attacks that month. This surge followed news of the gang’s disbandment after its leader was unmasked earlier in the year. LockBit’s attacks spanned several industries, though healthcare, education, and manufacturing appeared to be frequent targets in reported incidents.

RansomHub, a newcomer to the ransomware scene in February 2024, was in second place, affecting 586 victims, including high-profile attacks on government entities and 78 victims in the global manufacturing sector. Although these industries have been heavily targeted, this group poses a significant threat to organizations across the spectrum, with victims ranging from SMEs to large global corporations. While many of its attacks remain undisclosed, the group’s influence in its debut year has been widely recognized within the cybersecurity community.

RansomHub made headlines with high-profile attacks on government entities such as the Jędrzejów District in Poland, the Government of Mexico, and several municipalities across the U.S., reinforcing its reputation as a serious threat to critical infrastructure.

The group also made its mark in the global manufacturing sector, claiming 78 victims including major players like Kawasaki Motors and Polaris. Although these industries have been heavily targeted, RansomHub can’t be pigeonholed when it comes to targeting specific sectors or company sizes. Its victims range from SMEs to large global corporations, and this newcomer poses a significant threat to all organizations.

In third place, the leading players varied by category. For disclosed incidents, the financially motivated group Medusa accounted for 5 percent. Medusa’s dark web posts provided a bit of insight into this ransomware group, with ransom demands appearing on the majority of claims. In 2024, ransom demands by the group exceeded $40 million, with over 26 percent of its disclosed attacks demanding a ransom of over $1 million.

This financially motivated gang made headlines during the year targeting organizations such as Summit Pathology, an incident that impacted over 1.8 million individuals; Henry County, which suffered wide-ranging disruption to crucial services; and the Kansas City Area Transportation Authority, whose call centers across the state were rendered unavailable.

Play ransomware attacks made up 7 percent of undisclosed incidents, with a total of 342. Although most of its attacks were only seen by those on the dark web, Play contributed significantly to the ransomware tally in 2024, and many countries and industries felt the brunt of its escapades.

Manufacturing seemed to be a key target for the group, but they also targeted several lesser favored industries such as food and drink and arts and entertainment. Donut lovers crumbled when Krispy Kreme fell victim to Play, and many event spaces across the US had their networks infiltrated by the group.

BlackFog reported a huge increase in new variants compared with 2023, further evidence that organizations must remain vigilant and continue to adapt their cybersecurity measures. Across the year, 48 new groups emerged, a huge 65 percent increase from the number of new variants in the previous year. A significant number of these, 44 new variants, were responsible for nearly a third, 32 percent, of all undisclosed attacks in 2024. In November and December, gangs that debuted in 2024 accounted for more than 50 percent of the attacks in each month.

When it comes to targeted industries, a stark contrast emerged between publicly disclosed attacks and those that remained under the radar. Healthcare, government, and education were among the top targets in the headlines, while manufacturing, services, and technology sectors bore the brunt of the attacks that flew under the radar.

BlackFog highlighted several new variants, including Funksec, which emerged in December and ended the year with 60 attacks, suggesting it may gain more prominence by 2025. Kill began its activities slowly in March but significantly increased its operations in the third quarter, reaching a total of 134 attacks. Meanwhile, El Dorado and APT73, who claimed their first victims this year, have rebranded themselves as Blacklock and Bashe, respectively. This indicates that despite being newcomers, these groups are adaptable and continuously seek new methods to target and extort companies. Also, top Israeli organizations and personnel were targeted by Handala, who went on a rampage of politically motivated attacks this year.

These new variants and the volume in which they have appeared during the year provide insight into the ransomware landscape. With the developments in Ransomware-as-a-Service (RaaS) and AI (artificial intelligence), fewer cybercrime groups are building custom tools, instead using these readily available options to facilitate a cyberattack more quickly and easily.

Covering undisclosed attacks, the favored industries were very different. Manufacturing, services, and technology were named the top three, with 17.6 percent, 12.2 percent, and 9.7 percent respectively. With these figures contrasting with those of publicly disclosed attacks, BlackFog raises the question of why these industries are not disclosing attacks as frequently or consistently as others.

“Our research into undisclosed attacks also revealed that the legal sector was substantially impacted this year and that logistics companies also felt the brunt of ransomware attacks,” the report added. “The reasons behind targeting these industries are clear; the legal sector has extremely sensitive data worth exfiltrating, whereas attacking a logistics company will cause significant distribution to operations.”

Organizations in the U.S. faced the largest number of attacks, totaling 3,116 throughout the year. All recorded verticals faced attacks in the country, with manufacturing suffering 28 percent of the incidents. Evident by the number of attacks targeting companies in smaller countries in recent years. In 2024, BlackFog recorded attacks in Congo, Fiji, Ghana, Costa Rica, Barbados, and the Philippines, to mention a few, none of which is considered a typically targeted country.

The report highlighted that attacks in smaller countries, which often lack the financial resources and infrastructure for robust defense, can lead to more severe consequences than in nations with stricter cybersecurity regulations and guidelines.

BlackFog noted that in 2024, the world faced an alarming rise in cyberattacks on critical infrastructure, revealing significant vulnerabilities across various sectors. From the U.S. to Europe and beyond, cyber criminals and state-sponsored actors launched sophisticated attacks on essential services like water, energy, healthcare, and transportation. As the frequency and severity of these attacks continue to rise, nations must bolster their defenses and protect their critical infrastructure from future cyber threats.

Additionally, ransomware attacks continue to evolve, with criminals shifting from traditional encryption-only methods to a mix of different tactics. Extortion has become a widely used method by cybercriminals, who use data to blackmail organizations into paying ransom demands. However, one of the most significant cybersecurity trends is the persistent rise in data exfiltration.

In 2025, Williams predicts significant challenges as threat actors increasingly leverage AI, enhancing their efficiency and success rates. The trend of ‘gang-hopping’ among cybercriminals complicates attribution and containment, as attackers prioritize financial gain over group loyalty. Evolving tactics will include advanced AI-driven phishing attacks and deepfake technology, posing risks to personal and corporate brands. 

To combat modern ransomware, which has seen a surge in successful attacks, organizations must adopt AI-based solutions, as these have been shown to reduce the financial impact of data breaches by approximately $1.88 million. Newer solutions based around AI and zero-day-based attacks have proved very effective against these new variants, which are often combinations of other variants cobbled together. By leveraging AI, vendors can target vulnerabilities that haven’t even been identified in real-time. The challenge is for these emerging vendors to break through the noise of a crowded cybersecurity market to get attention from organizations. Strong solutions do exist, and they are only getting better.

Additionally, high-profile healthcare provider attacks in 2024, from Change Healthcare in the U.S. to pathology services provider Synnovis in the U.K., highlighted significant data loss and impacts on patient wellbeing. The healthcare sector, seen as a ‘weak link’ due to legacy infrastructure and valuable data, remains a prime target for cybercriminals, who exploit patient privacy for ransom. As criminal gangs leverage patients’ privacy, safety, and health in ransom demands, providers across the healthcare sector need to protect their most vulnerable points to safeguard patients and staff.

As security stacks expand, leaders face the challenge of alert fatigue due to managing numerous disconnected tools. Many will shift towards unified security platforms to streamline threat detection and reduce duplication. Looking ahead, organizations will encounter various cybersecurity challenges, particularly from ransomware, as cybercriminals adopt AI-powered technologies to target specific entities. All organizations must prepare proactively, assuming they are targets, and implement effective policies and tools to protect their data and recover from attacks.

Williams emphasized that awareness training is essential for reducing the impact of ransomware, as humans frequently constitute the most vulnerable aspect of security. With phishing attacks becoming increasingly sophisticated through AI, training users to recognize these threats is essential for reducing human error. Regulatory frameworks like SOC 2 and ISO 27000 require regular training to promote a strong security culture within organizations.

Last September, the U.S. Department of Justice (DOJ), through its Office of the Inspector General (OIG), published a report assessing the DOJ’s strategy to combat ransomware threats, including its coordination and response to ransomware attacks. Focused on the Department’s general approach to tackling ransomware attacks and not its activities for combatting attacks on the Department itself, the document found that the Federal Bureau of Investigation (FBI) and the DOJ Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) have led the DOJ’s response and prioritized their efforts to maximize ransomware attack prevention.
