Ransomware actors ran rampant in 2024, shattering previous records and cementing their place as the most pervasive cyber threat to businesses worldwide.
Check Point Software Technologies’ External Risk Management research team (formerly Cyberint) has announced the Ransomware Report 2024 which, combined with the Security Report 2025 from Check Point Research, provides a comprehensive analysis and detailed exploration of ransomware’s evolution, its impact across industries, and strategies to combat this ever-escalating threat.
Key highlights from the reports include:
- The Numbers Speak: Over 5 414 ransomware attacks were published worldwide in 2024 – an 11% increase from the previous year. The final quarter alone saw 1 827 incidents, the highest on record.
- RansomHub Rises: Following law enforcement crackdowns on major players like LockBit, new groups such as RansomHub have emerged, exemplifying a shift to decentralized, professional ransomware operations.
- Healthcare and Manufacturing Targeted: Sectors once deemed off-limits, such as healthcare, faced unprecedented attacks, with ransomware groups exploiting patient data for extortion. Meanwhile, manufacturing became a key target in Q4, accounting for 35% of annual incidents in the sector.
- Evolving Tactics: Threat actors are moving away from traditional encryption methods, favoring data exfiltration-only attacks that bypass detection and complicate negotiations.
Geographic Hotspots
The US remained the epicenter of ransomware activity, with 936 attacks in Q4 alone, accounting for 50% of global incidents in 2024. Other notable trends included:
- A rise in attacks in India, reflecting its growing digital footprint and vulnerabilities.
- Declines in Europe, particularly in Germany, France, and the UK, attributed to strengthened defenses and law enforcement cooperation.
Africa’s vulnerability
Although no African country is featured among the report’s top 10 list of most targeted countries by ransomware actors, the continent was definitely not spared.
During 2024, prominent organisations across Africa saw more than 100 successful ransomware attacks from some of the most prominent ransomware groups such as LockBit, Cl0p, Alphv, and Rhysida.
Their victims also spanned many sectors, including government, critical infrastructure, education, transportation, and healthcare, further highlighting the often opportunistic nature of these attacks.
The continent also faced triple extortion tactics: holding organisational information to ransom through encryption, offering sensitive stolen information for sale on the internet, and even threatening individuals affected by information stolen through ransomware.
According to Hendrik de Bruin, SADC security consultant at Check Point Software, Africa can also expect an increase in ransomware attacks, primarily fueled by the continent’s ongoing journey of digital transformation and cloud adoption, which is leading to an expanded attack surface.
“The continent also struggles with a significant skills shortage, further perpetuating the problem,” de Bruin adds.
Law enforcement agencies worldwide launched aggressive campaigns against major ransomware groups in 2024, achieving several high-profile victories. Notable among these was Operation Cronos, a coordinated international effort that struck a decisive blow against LockBit, one of the most notorious ransomware-as-a-service (RaaS) operators.
Operation Cronos and Its Impacts
In February 2024, Operation Cronos targeted LockBit’s infrastructure, leading to:
- The seizure of 34 servers across multiple countries, including Germany, the Netherlands, and the United States.
- The arrest of key operators in Poland and Ukraine.
- The exposure of LockBit’s internal data, including decryption keys and affiliate networks, effectively dismantling trust within the group.
Similarly, ALPHV (BlackCat), another major player, faced significant disruptions following law enforcement operations. Despite attempts to reestablish itself, the group suffered from internal disputes and loss of affiliates. By the end of the year, both LockBit and ALPHV were shadows of their former selves, marking a decline in the dominance of legacy groups.
“Each year, the ransomware environment becomes progressively complicated. While law enforcement successfully dismantled larger Ransomware-as-a-Service (RaaS) groups, new groups emerged last year. Additionally, the shift from encryption-based extortion to data extortion brings new challenges. However, one thing remains consistent: the need to adapt and enhance data protection, monitoring, and rapid threat detection,” says Omer Dembinsky, data research group manager at Check Point Research.
The Rise of Fragmented and Decentralised Groups
The takedown of these large, centralised operators created a vacuum that was quickly filled by smaller, fragmented, and often more agile groups.
In 2024, 46 new ransomware groups emerged, raising the total number of active groups to 95, a 40% increase from the 68 groups active in 2023.
This proliferation reflects a decentralized ransomware ecosystem characterized by increased competition, innovation, and operational efficiency.
RansomHub: A Case Study in Fragmentation
Among the new entrants, RansomHub emerged as the dominant force, surpassing even LockBit in activity. Responsible for 531 attacks in 2024, RansomHub exemplifies the new wave of ransomware groups that operate with a high degree of professionalism and adaptability. Key characteristics of RansomHub include:
- A Ransomware-as-a-Service (RaaS) model offering affiliates 90% of ransom payments while retaining 10% for core operators.
- The use of leaked code to develop proprietary ransomware strains, reducing dependence on established RaaS platforms.
- A decentralised operational model that makes it more resilient to law enforcement disruptions.
“The 2024 ransomware ecosystem highlights a dual trend: the fall of legacy groups like LockBit and the rise of professionalised new actors like RansomHub. The scale, sophistication, and volume of attacks underscore the importance of proactive intelligence and defense. Organizations can no longer afford a reactive approach,” says Adi Bleih, security researcher at Check Point External Risk Management (formerly Cyberint).
The Shift to Data Leak Extortion (DXF)
One of the most significant trends of 2024 was the shift from encryption-based ransomware attacks to data leak extortion (DXF). Traditionally, ransomware operators relied on encrypting victims’ data and demanding payment for decryption keys.
However, this approach has become less effective due to:
- Organisations improving backup systems, reducing their reliance on decryption.
- A drop in ransom payment rates for encryption-based attacks, which fell to 32% by Q3 2024 (down from 75% in 2019).
In contrast, DXF attacks, which involve stealing sensitive data and threatening to expose it unless a ransom is paid, maintained a steady resolution rate of 35%. DXF is less resource-intensive and offers multiple monetization avenues, such as selling stolen data to competitors or on dark web marketplaces.
Sectoral Impact
The business services sector remained the primary target, accounting for 451 attacks in 2024 (24,1% of all incidents). Other highly targeted sectors included:
- Retail: Continues to suffer due to its vast customer databases and relatively weaker cyber security measures.
- Manufacturing: Witnessed a sharp rise in Q4, with 201 attacks, as ransomware operators exploited the critical nature of supply chain operations.
- Healthcare: Faced sustained targeting, with ransomware groups focusing on sensitive patient data and the sector’s low tolerance for operational downtime.
Key Recommendations for Organisations
As ransomware threats grow in complexity, organisations must adopt a proactive, multi-layered approach to cybersecurity. Essential measures include:
- Comprehensive Threat Detection: Deploy solutions that provide real-time visibility into network activity and emerging threats.
- Data Leak Prevention (DLP): Implement robust DLP strategies to identify and mitigate data exfiltration attempts.
- Regular Patching: Update systems to address vulnerabilities, particularly in Linux and VMware environments.
- Employee Training: Educate staff on recognising phishing and other attack vectors.
- Collaborative Defense: Work with industry peers and law enforcement to share intelligence and strengthen collective defenses.
“The success of emerging ransomware groups demonstrates the urgent need for organisations to step up their defenses. Relying solely on reactive measures is no longer viable. Proactive threat hunting, combined with advanced external risk management tools, is critical in 2025,” Bleih says.
Looking Ahead: Predictions for 2025
The ransomware landscape in 2025 is expected to evolve further, with several key trends on the horizon:
- Increased Sophistication: Threat actors will integrate AI and exploit zero-day vulnerabilities to enhance attack efficacy.
- Emerging Groups: The fragmentation of legacy groups will likely give rise to new, professionalised operators.
- Focus on Critical Infrastructure: High-value industries such as energy, healthcare, and manufacturing will face heightened risks.
“As ransomware evolves, so must our defenses. The increasing complexity of these attacks calls for an integrated approach to cyber security—one that combines technology, intelligence, and collaboration across the global security community,” says Dembinsky.
Conclusion
The ransomware ecosystem in 2024 showcased an unparalleled ability to adapt and evolve, with the rise of new actors, the adoption of DXF tactics, and the fragmentation of legacy groups creating a more dynamic and competitive threat landscape. While law enforcement made significant strides in dismantling major players, the overall volume of attacks continued to rise, underscoring the resilience of ransomware operators.
“To combat this ever-evolving threat, organizations must prioritize proactive defense strategies, leveraging advanced technologies and fostering collaborative efforts across industries. By staying ahead of these threats, businesses can mitigate risks and safeguard their critical operations in an increasingly hostile cyber environment,” de Bruin concludes.