2024 Saw Fewer Ransomware Payments, Significant Law Enforcement Successes

Zeljka Zorz reports in HelpNet Security that last year saw a surge in high-profile ransomware attacks, including the Snowflake data breach and the disruption of England’s National Health Service, that significantly impacted various sectors. However, global law enforcement agencies made significant strides in combating ransomware, which contributed to a noticeable decline in global ransomware payments.

Key law enforcement actions included dismantling LockBit’s infrastructure, exposing its leadership and affiliates, and charging a LockBit developer. NetWalker affiliates were sentenced, and the suspected head of Reveton was arrested.

According to Lizzie Cookson, Senior Director of Incident Response at Coveware, the ransomware landscape shifted after the collapse of LockBit and BlackCat/ALPHV. Currently, numerous newcomers focusing on small to mid-size organizations are leading to lower ransom demands.

Improved cybersecurity and better resilience among organizations further reduced the overall ransom amounts paid in 2024.

However, new threats emerged. RansomHub rose to prominence by absorbing former affiliates of LockBit and ALPHV/BlackCat, targeting numerous victims. Chainalysis observed faster ransomware operations, with negotiations beginning shortly after data exfiltration.

Cisco Talos reported longer attacker dwell times before ransomware deployment, indicating more sophisticated strategies for expanding access and identifying valuable data.

A troubling trend is that threat actors increasingly demand multiple payments to prevent DDoS attacks or to avoid directly contacting victims’ partners and clients.

Lawyers should advise calculating the risk/benefit of refusing to make ransomware payments versus the potential damage from attackers contacting clients and partners and data recovery costs. Firms should prioritize comprehensive incident response plans, client communication strategies, and legal preparedness to effectively navigate the evolving ransomware landscape.