Kaspersky experts have reported a significant rise in targeted ransomware activity with the number of active ransomware groups increasing by 35% between 2023 and 2024 – totalling 81 groups globally. Despite this surge, the number of infected victims dropped by 8% during the same period – with an estimated 4 300 victims worldwide.
According to Kaspersky research of data leak sites of targeted ransomware groups, the number of ransomware groups continued to rise for the second consecutive year, despite two major disruptions targeting LockBit and BlackCat in 2024 – indicating that such attacks remain highly lucrative for cybercriminals.
Targeted ransomware attacks, aimed at specific organisations for maximum disruption and payout, dominate the landscape and account for the majority of incidents in 2024. These attacks focus on high-value targets such as hospitals, financial institutions, and government agencies, leveraging reconnaissance and zero-day exploits for precision.
General ransomware, which spreads indiscriminately via phishing or external devices, accounts for about one-third of all attacks – often affecting smaller businesses or individuals with weaker defences. The focus on targeted attacks reflects cybercriminals’ preference for larger ransoms, though general ransomware persists due to its low-effort, high-volume potential.
Targeted ransomware groups use techniques such as exploiting vulnerable Internet-exposed services, social engineering, and leveraging traded initial access on the dark web to infiltrate victims. There is also growing evidence that suggests increased collaboration among these groups, including the exchange of malware and hacking tools to achieve their objectives.
Maher Yamout, lead security researcher for the Middle East, Turkiye and Africa at Kaspersky, suggests some plans to protect institutions: “By identifying and securing your corporate network’s entry points and understanding the tactics used by ransomware groups, companies can better protect their digital assets against targeted ransomware attacks. Failing to address both aspects significantly increases a company’s vulnerability.”
To help organisations strengthen their defences, Kaspersky recommends the following:
- Employee education and cybersecurity training are necessary, as human error is a common cause of cybersecurity breaches and can serve as an initial point of access for ransomware attacks.
- Kaspersky Threat Intelligence is an essential tool which provides in-depth threat intelligence and real-time insights on the history, motivations, and operations of targeted ransomware groups. In addition, Kaspersky’s Digital Footprint Intelligence monitors external threats to companies’ assets across the surface, deep, and dark web, strengthening defence against credential leaks.
- Keep all devices and systems updated to prevent attackers from exploiting known vulnerabilities.
- Set up offline backups that intruders cannot misuse, and make sure you can access them quickly in an emergency.
- Kaspersky’s multi-layered, next-generation protection detects ransomware at both the delivery stage and the execution stage of the attack. Kaspersky Next combines exploit prevention, behaviour-based detection, and a powerful remediation engine capable of rolling back malicious actions. It also features built-in self-defence mechanisms to prevent tampering or removal by attackers.