
Is ransomware still the number one threat? Are there any recent studies or cyber incidents that prove this?
Unfortunately, yes, ransomware remains one of the biggest threats in the cybersecurity landscape in 2024. Although the number of attacks has decreased slightly, the cost and impact of these attacks have increased. For example, 59% of organizations fell victim to ransomware last year, with the average cost of recovery rising to $2.73 million, a significant increase from $1.82 million in 2023. Most strikingly, more than half of affected organizations are now paying the ransom to get their data back.
Is there another trend in ransomware towards organized cybercrime? Were there any groups that stood out?
There were a few groups that stood out in 2024, including LockBit, BlackBasta and Alphv.
LockBit remains one of the most active and dangerous groups, despite extensive law enforcement action, including the dismantling of their websites and the arrest of key members. Their Ransomware-as-a-Service (RaaS) platform enables even less tech-savvy criminals to carry out ransomware attacks, helping to spread them more widely. 2024 will also see the emergence of new ransomware groups such as Mogilevich and RansomHub, highlighting the professionalization and expansion of cybercrime.
Multi-extortion tactics, crypto-ransomware, locker ransomware and more - what types have been particularly popular this year?
In 2024, multi-extortion tactics have become increasingly common among cybercriminals. Attackers no longer limit their actions to simply encrypting data; they also threaten to release sensitive information unless a ransom is paid, a strategy known as double extortion. Crypto ransomware, which encrypts files and renders them unusable, remains the most common variant. In contrast, locker ransomware, which blocks access to the entire system, is less common as it is easier to detect and fix.
What do companies that are hit by ransomware tend to do? Do they pay the ransom, or do they tend not to respond to the perpetrators' demands?
Despite strong recommendations not to pay the ransom, studies show that the majority of affected companies continue to do so. In 2024, around 76% of victims paid the ransom demanded, indicating the ongoing financial pressure of cyber incidents. However, there is an emerging trend that more and more companies are not paying the ransom. The reasons are:
- Improved backup strategies that allow recovery without payment.
- Legal and ethical considerations, as payment encourages criminal activity.
- Support from government and cybersecurity experts to help manage the issue.

If a company is successfully targeted by a ransomware attack, should it prioritize transparency by sharing details of the attack for the benefit of others, or is it more prudent to keep the incident confidential to protect its reputation?
In some situations, it may be mandatory to report an incident securely within the industry; for example, the NIS2 regulation mandates that certain incidents must be disclosed. Additionally, if the targeted site believes that this could affect the wider sector, there is an ethical responsibility to ensure details are shared securely within established communication channels to prevent a wider attack. The key takeaway from this is all about securely sharing information so as not to damage the company's reputation or provide further details to potential copycats, but to demonstrate responsibility for the situation and that matters are being taken seriously.
What are some of the most common mistakes organizations still make when dealing with ransomware?
- Missing or inadequate backups: Failure to keep up-to-date or secure backups, or leaving the backups on the same system that is at risk of being targeted.
- Insufficient staff training: Employees do not recognize phishing emails.
- Outdated systems: Unpatched software provides an attack surface.
- No incident response plans: Lack of clarity on steps to take in the event of an attack.
- Paying the ransom: There's no guarantee that you'll get access to your data or computer, plus the attacker still has access to the stolen data and you're more likely to be targeted in the future.
What role does AI play in ransomware optimization?
Artificial intelligence (AI) is increasingly influencing both cyberattacks and defense strategies. Unfortunately, cybercriminals are leveraging AI to automate attacks, using it to identify vulnerabilities more quickly by scanning networks and systems or analyzing information at speeds far beyond human capability. AI also enhances adaptability in cyberattacks by enabling the creation of polymorphic malware – malware that evolves in real time to bypass security measures. Furthermore, while I’m sure we can attest that AI is not flawless, it helps attackers generate more convincing and personalized phishing emails, making them harder to detect. As a result, many common tell-tale signs of phishing are no longer as obvious, increasing the risk of successful cyberattacks. On the defensive side, AI is being used to detect anomalies more rapidly and proactively block threats.
Are there any new technologies, or are there any on the horizon, that can help defend against ransomware attacks more effectively?
Yes, several emerging technologies and innovations are enhancing defenses against ransomware attacks and are expected to play a critical role in the future. Behavioral detection systems, for example, analyze normal user behavior to detect anomalies that may indicate a ransomware attack in progress. Deception technologies, including honeypots and false data, are used to mislead attackers, slowing down their efforts while providing valuable insights into their tactics. Secure Access Service Edge (SASE) offers a cloud-based solution that combines network and security functions, providing secure, scalable access and reducing attack surfaces. Additionally, homomorphic encryption enables data to be processed in its encrypted form without decryption, reducing the risk of data exposure even if attackers breach the system. These technologies represent a proactive, multi-layered approach to combating ransomware more effectively.
Do you think ransomware will still be the main threat in 2025?
Yes, the trend shows that ransomware groups are becoming more professional and continue to refine their attacks, indicating that this threat is not going away any time soon. Another reason is the high profitability for criminals as more and more companies pay the ransom. In addition, ransomware-as-a-service (RaaS) continues to facilitate access to complex attack tools, enabling less tech-savvy criminals to carry out successful ransomware attacks. Finally, geopolitical tensions are playing an increasing role, with state-sponsored hacker groups also using ransomware as a tool to pursue strategic objectives.
Want to check our facts and figures? Here they are:
ENISA Threat Landscape 2024 - ENISA
The State of Ransomware 2024 - Sophos News
Most Popular Ransomware Groups to Watch (Updated 2025) - Recorded Future
Six ransomware gangs behind over 50% of 2024 attacks - The Register
Behavioral patterns of ransomware groups are changing - Help Net Security
Malwarebytes Releases “ThreatDown 2024 State of Ransomware” - Malwarebytes Press Center
The Ransomware Threat in 2024 is Growing: Report - SecurityWeek
