The decline in ransomware attacks in 2024 and what it means

The ransomware industry saw a surge in 2023, recording an alarming 55.5% increase in victims worldwide, reaching a staggering 5,070. But 2024 has started out showing a very different picture. While the numbers skyrocketed in Q4 2023 with 1,309 cases, in Q1 2024 the count dropped to 1,048 cases. This is a 22% decrease in ransomware attacks compared to the fourth quarter of 2023.

Figure 1: Victims by quarter

There could be several reasons for this significant decline.

Reason 1: The intervention of the police

First, law enforcement has upped the ante in 2024 with actions against LockBit and ALPHV.

LockBit crashes

In February, an international operation dubbed “Operation Cronos” culminated in the arrest of at least three associates of the infamous LockBit ransomware syndicate in Poland and Ukraine.

Law enforcement agencies from multiple countries worked together to dismantle LockBit’s infrastructure. This included seizing the group’s dark web domains and accessing its backend systems. Authorities seized cryptocurrency accounts and obtained decryption keys to help victims recover data. They also used LockBit’s website to release internal data about the group itself.

Ukraine’s cyber police have revealed that they have arrested a “father and son” duo allegedly affiliated with LockBit, whose activities have allegedly impacted individuals, businesses, government bodies and healthcare facilities in France.

During searches of the suspects’ residences in Ternopil, Ukraine, law enforcement seized mobile phones and computer equipment suspected of having been used in cyberattacks.

In Poland, authorities arrested a 38-year-old individual in Warsaw suspected of being associated with LockBit. He was brought before the prosecutor’s office and charged with criminal offences.

However, LockBit resurfaced within a week, highlighting the current challenges in fighting cybercrime.

They released a statement on Tox:

“The FBI messed up the servers using PHP, the backup servers without PHP were not touched”

Shortly thereafter, the group continued its global attack on organizations, maintaining its position as a dominant force in the field of ransomware operations. This resilience underlines the group’s formidable power and capability, as well as the robust security measures surrounding its operations that ensure its continued viability and potentially promising future, as evidenced by quarterly trends in recent years.

The impact of the ALPHV takedown

Dealing a major blow to the ransomware industry, the FBI announced on December 19, 2023 that it had dismantled the ALPHV/BlackCat ransomware group. This takedown followed a five-day outage of the group’s dark web infrastructure, which began on December 8. The FBI has taken control of one of ALPHV’s main sites, replacing it with its own distinctive banner. This action, along with the development of a decryption tool to help victims, represents a significant victory for law enforcement in the fight against ransomware.

In the first quarter of 2024, ALPHV was behind 51 ransomware attacks, a significant decline from 109 attacks in the fourth quarter of 2023. While the group is still active in 2024, the FBI’s takedown has clearly had a significant impact.

Reason 2: Decreasing ransom payments

Decreasing ransom payments could also push ransomware gangs to retreat and look for alternative sources of income.

In the final quarter of 2023, the percentage of ransomware victims who complied with ransom demands plummeted to an all-time low of 29%, according to data from ransomware negotiation firm Coveware.

Coveware attributes this continued decline to several factors, including increased organizational preparedness, skepticism about cybercriminals’ assurances not to disclose stolen data, and legal constraints in regions where ransom payments are prohibited.

Not only has there been a decrease in the number of ransomware victims making payments, but there has also been a notable drop in the monetary value of those payments.

Coveware notes that in the fourth quarter of 2023, the average ransom payment was $568,705, marking a 33% decrease from the previous quarter, with the median ransom payment being $200,000.

New groups emerging but not yet able to cover the decline

Despite the decline in the number of attacks from Q4 2023 to Q1 2024, and despite lower profitability, many new ransomware clusters emerged in Q1. The new groups include:

  • RansomHub – identifies itself as a global team of hackers motivated primarily by financial gain.
  • Trisec – differentiates itself from conventional ransomware groups by openly aligning itself with a nation-state.
  • Slug – claims responsibility for infiltrating and targeting AerCap.
  • Mydata – runs a data leak site naming several notable companies, including Accolade Group, Gadot Biochemical Industries, and more.

Cyberint expects that many of these new groups will improve their capabilities and emerge as dominant players in the industry, alongside veteran groups such as LockBit 3.0, Cl0p and BlackBasta.

Read Cyberint’s 2023 Ransomware Report to learn about other emerging groups, the most affected industries and countries, an analysis of the top 3 active ransomware groups in Q1 2024, notable trends and incidents from 2024, and more.
