Last Year in Ransomware: CISA Advisories and Updated Security Recommendations


In the first installment of this series, we looked at the key developments across industries and the evolution of attack methodologies; we then covered major developments, targeted industries, the emergence of Linux variants, and how the ransomware ecosystem evolved in 2024.
In this fourth part of our series, we take a closer look at the relentless rise in ransom demands, the industries hit hardest, and the broader consequences for institutions and individuals alike. We also take a look at the vulnerabilities that ransomware groups exploited during this period, as well as the advisories that were issued.
Ransomware Impact
In terms of financial impact, early 2024 saw a record-breaking ransom payment of $75 million paid to the notorious Dark Angels group. This staggering sum was nearly double the highest payment recorded in 2023, signaling a worrying trend of escalating demands. Meanwhile, the median ransom payment skyrocketed to $1.5 million.
The broader financial impact of these attacks is even more concerning. Beyond the ransom itself, organizations face an average recovery cost of $2.73 million per incident due to downtime, lost productivity, and the often-overlooked expense of reputational damage.
The manufacturing sector and critical infrastructure providers have borne the brunt of these attacks, with no industry spared. Cryptocurrency exchanges have seen a doubling of stolen funds, with losses reaching $1.58 billion by mid-year.
Healthcare organizations are facing an unprecedented crisis as ransomware attacks continue to wreak havoc across the industry. Based on 2024's documented incidents, healthcare-related attacks have inflicted devastating financial losses exceeding $3 billion, with individual ransom demands exceeding $20 million. Organizations now face an average cost of $10 million per incident, which is double that of previous years.
These attacks are especially concerning because of their impact on patient care. Ransomware hits at healthcare facilities create severe disruptions that threaten both data security and the delivery of essential medical services. Analysis of 2024 attacks shows they have compromised the sensitive medical records of over a million patients while disrupting critical operations such as blood testing and transfusion capabilities, critical diagnostic services, emergency medical procedures, and patient appointment systems.
The legal implications of these attacks have evolved dramatically, with a surge in class action lawsuits affecting hundreds of thousands of individuals. This escalation has created several key challenges, including class action lawsuits following data exposure, legal challenges over inadequate security measures, disputes regarding breach notification timing, and claims related to business disruption damages.
Modern ransomware attacks represent much more than operational disruptions. Today's sophisticated threat actors use a combination of data theft and advanced encryption techniques. This creates multiple risks for organizations, including regulatory penalties, legal issues, and permanent damage to their reputation.
Official Response
The rise in ransomware attacks has prompted governments and organizations worldwide to step up their defense strategies. In this section, we'll examine how officials are responding to this evolving threat through new policies, international partnerships, and enforcement actions. From disrupting criminal networks to strengthening cybersecurity frameworks, these efforts show both progress and persistent challenges in the fight against ransomware.
UN Security Council Briefing
In November 2024, Anne Neuberger, Deputy National Security Advisor of the United States, delivered remarks at a UN Security Council briefing on ransomware attacks against hospitals and other healthcare facilities and services. She highlighted the severity of the threat posed by ransomware attacks, particularly to healthcare systems, emphasizing their impact on lives and societal stability.
Neuberger outlined the alarming statistics surrounding ransomware attacks, noting a significant increase in incidents and ransom payments in recent years. She cited examples of attacks on critical infrastructure, including the Port of Nagoya in Japan and a pathology partnership in the UK, demonstrating the global reach of this threat.
She explained that the US is actively addressing this issue through multiple initiatives. The International Counter Ransomware Initiative aims to disrupt attacks, enhance security, and improve incident response capabilities. The U.S. government is also working to reduce ransomware payments, disrupt the flow of illicit funds, and build long-term cybersecurity capabilities in developing countries.
She emphasized that more needs to be done, particularly in holding ransomware actors accountable. She called on all states to follow the Framework for Responsible State Behavior in Cyberspace, which prohibits knowingly allowing their territory to be used for malicious activities.
Neuberger concluded by issuing a call to action, urging countries experiencing ransomware attacks to inform the country of origin and request action in line with their UN commitments.
Proposals Against Ransomware (UK)
The UK Home Office launched a public consultation on three proposals aimed at combating ransomware attacks. These proposals are designed to make the UK a less attractive target for ransomware criminals and to disrupt their business model.
- Targeted Ban on Ransomware Payments: This proposal expands the existing ban on ransomware payments by government departments to include all public sector bodies and critical national infrastructure. The goal is to make essential services less appealing targets for ransomware attacks.
- Ransomware Payment Prevention Regime: Aiming to increase the National Crime Agency's (NCA) awareness of live ransomware attacks and criminal ransom demands. It would provide victims with advice and guidance before they decide how to respond and enable payments to known criminal groups and sanctioned entities to be blocked. This regime would support disruptive operations like Operation Cronos, which successfully disrupted the LockBit ransomware network in 2024.
- Mandatory Reporting Regime for Ransomware Incidents: Aiming to bring ransomware incidents out of the shadows by requiring mandatory reporting. This would allow UK law enforcement agencies to gather more intelligence on newly discovered ransomware threats and target their investigations on the most prolific and damaging organized ransomware groups.
While this initiative has received mixed reactions, one thing is certain: cybersecurity requires a coordinated, multi-stakeholder approach. The mandatory reporting regime, while controversial among some industry players, represents a crucial step toward building a comprehensive threat intelligence network.
This initiative aligns with similar measures being implemented across the EU and US, reflecting a growing global consensus on the need for transparent incident reporting.
CISA Advisories Published in 2024
During 2024, CISA released six advisories focused on ransomware threat actors. These #StopRansomware advisories are cybersecurity alerts and guidance documents published by the Cybersecurity and Infrastructure Security Agency (CISA) in partnership with organizations like the FBI, NSA, and international allies.
Notable among these, the ALPHV/BlackCat group became defunct shortly after its advisory was released, while the RansomHub advisory was issued in response to urgent and immediate threats.
- BlackCat/ALPHV: CISA Alert aa23-353a, 27 February 2024
- Phobos: CISA Alert aa24-060a, 29 February 2024
- Akira: CISA Alert aa24-109a, 18 April 2024
- BlackBasta: CISA Alert aa24-131a, 10 May 2024
- BlackSuit (aka Royal): CISA Alert aa23-061a, 7 August 2024
- RansomHub: CISA Alert aa24-242a, 29 August 2024
The advisories support CISA's broader #StopRansomware campaign, designed to strengthen organizations' abilities to detect, prevent, respond to, and recover from ransomware incidents.
Updated Security Recommendations
Vulnerabilities act as silent gateways for devastating ransomware attacks, providing attackers with entry points into critical systems. Understanding these weaknesses and implementing timely security measures is crucial.
Throughout 2024, incidents have shown how threat actors methodically exploit vulnerabilities across various infrastructure components, including file transfer protocols and VPN systems.
Critical Vulnerabilities in File Transfer and VPN Systems
In December 2024, a serious vulnerability in Cleo's file transfer software emerged as a significant threat to organizations worldwide. The company discovered that their managed file transfer solution contained a critical zero-day vulnerability that attackers were actively exploiting for data theft.
This vulnerability enabled attackers to execute unauthorized commands through the default Autorun folder settings. Despite an initial patch release in October, attackers managed to find a way around these protections.
The situation involved two distinct vulnerabilities. The first, CVE-2024-50623, allowed attackers to perform server-side template injection for unauthorized file operations. The second, CVE-2024-55956, permitted attackers to run unauthorized Bash or PowerShell commands. Cl0p ransomware leveraged both vulnerabilities to target major corporations and extract sensitive data.
The attacks were attributed to the Termite ransomware group, which also claimed responsibility for compromising the SaaS provider Blue Yonder. Organizations running version 5.8.0.21, even with all patches applied, remained at risk. The attackers deployed Malichus, a sophisticated Java-based malware that gave them extensive control over compromised Windows systems.
The impact proved substantial, with compromises identified across ten companies and signs of intrusion detected on more than 50 Cleo systems. These attacks primarily affected retail organizations throughout North America. The vulnerability was subsequently patched, and organizations were urged to install the update.
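Because the Cleo abuse ran through entries placed in the Autorun folder, a defender's first check is whether that folder holds anything outside the approved baseline or anything that hands off to a shell interpreter. The following audit is an added example, not code from Cleo, Halcyon, or this post; the directory, the sample file names and contents, and the marker list are assumptions constructed for the demo.

```python
"""Audit an Autorun-style directory for unexpected or script-like entries.

Added example (not Cleo's or Halcyon's code). The directory, file names and
marker strings below are constructed for the demo, not a vendor signature.
"""
import os
import tempfile

# Hypothetical markers: an Autorun entry that hands off to a shell
# interpreter matches the Bash/PowerShell execution described for CVE-2024-55956.
SHELL_MARKERS = ("powershell", "cmd.exe", "/bin/sh", "/bin/bash", "bash -c")


def audit_autorun(autorun_dir, known_files):
    """Return (filename, reason) findings for files in autorun_dir that are
    not in known_files (the admin-approved baseline) or that contain one of
    the shell-interpreter markers. Directories are skipped."""
    findings = []
    for name in sorted(os.listdir(autorun_dir)):
        path = os.path.join(autorun_dir, name)
        if not os.path.isfile(path):
            continue
        if name not in known_files:
            findings.append((name, "not in approved baseline"))
        with open(path, "r", errors="replace") as fh:
            body = fh.read().lower()
        hits = [m for m in SHELL_MARKERS if m in body]
        if hits:
            findings.append((name, "shell marker: " + ", ".join(hits)))
    return findings


def demo():
    """Build a constructed Autorun directory and audit it."""
    d = tempfile.mkdtemp()
    # Constructed entries: one approved archive job and one unexpected drop
    # that invokes PowerShell (placeholder content, not a real Cleo job file).
    with open(os.path.join(d, "nightly_archive.txt"), "w") as fh:
        fh.write("archive inbound/*.edi to archive/\n")
    with open(os.path.join(d, "update_check.txt"), "w") as fh:
        fh.write("run powershell.exe -File stage.ps1\n")
    return audit_autorun(d, known_files={"nightly_archive.txt"})


if __name__ == "__main__":
    for name, reason in demo():
        print(f"ALERT {name}: {reason}")
```

Run it against the real Autorun directory with the baseline your file-transfer administrators maintain; any finding is a candidate for the incident-response queue rather than proof of compromise.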
SonicWall SSL VPN Vulnerability
SonicWall identified a critical security flaw in their SSL VPN systems. The vulnerability, tracked as CVE-2024-40766, affected multiple generations of SonicWall Firewalls. What initially appeared to be a management access issue expanded to impact the entire SSL VPN feature, potentially allowing unauthorized access and system failures.
SonicWall provided detailed guidance for protecting affected systems. Their recommendations focused on restricting firewall management and SSL VPN access to trusted sources, implementing stronger password policies, and enabling additional authentication measures. While specific details about ongoing exploitation remained limited, these devices were particularly vulnerable due to their exposure to the internet for remote access purposes.
Final Thoughts
Ransomware attacks now pose strategic threats to critical infrastructure and social stability, extending far beyond their financial impact. While governments and institutions worldwide are strengthening their defenses through initiatives like the International Counter Ransomware Initiative and the UK's proposed frameworks, significant obstacles remain.
The path to meaningful change faces multiple challenges: geopolitical tensions, the intricacy of dismantling criminal networks, and the crucial need for cooperation between public and private sectors.
Prevention alone will not protect organizations. A successful cybersecurity strategy requires quick incident response, thorough recovery planning and ongoing partnerships with law enforcement and industry experts.
Join us next week for the final installment of Last Year in Ransomware, where we'll examine emerging trends and insights for 2025, predict the evolution of the ransomware landscape, and provide actionable strategies to help organizations stay ahead of threats.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.