Last Year in Ransomware: Overview, Developments and Vulnerabilities


The ransomware economy had a transformative year in 2024, marked by an unprecedented evolution in extortion threats. While the overall frequency of ransom payments decreased, threat actors demonstrated heightened sophistication in their targeting and execution methods, focusing on high-value organizations and critical infrastructure sectors.
This comprehensive analysis examines the key developments that shaped the ransomware ecosystem throughout 2024, from emerging attack vectors to novel malware variants. By understanding these trends and their implications, organizations can better prepare for this evolving threat.
Our investigation reveals how threat actors have refined their tactics, combining technical innovation with strategic targeting to maximize their impact and financial returns. We begin this series with a comprehensive overview of the ransomware landscape, then delve into detailed technical analyses of emerging ransomware operations.
Ransomware attacks inflict substantial, long-term damage on organizations, extending far beyond initial financial impacts. Organizations suffer significant reputational harm, leading to customer attrition and heightened regulatory oversight.
2024 Ransomware Overview
In 2024, the ransomware landscape experienced a dramatic transformation. While fewer attacks occurred overall, they became notably more sophisticated, with ransom demands frequently surpassing $1 million for larger organizations. These targeted strikes severely disrupted essential services from healthcare systems to public safety infrastructure and global supply chains.
Threat actors evolved their approach, implementing a more sophisticated multi-pronged strategy. In 45% of cases, they combined ransomware with DDoS attacks, while 34% involved direct communication with stakeholders. This coordinated approach signals a more calculated and aggressive form of extortion.
In response, organizations need to implement more advanced defense strategies. While acknowledging that complete protection is unattainable, they should focus on building comprehensive resilience through prevention, rapid response capabilities, and stronger security cultures.
Key Statistics from Last Year:
Number of Attacks
Despite initial perceptions, ransomware incidents increased from 4,400 in 2023 to 4,634 in 2024, with over 3,700 documented in our database. However, analysis revealed a significant reporting discrepancy, with only 1,200 incidents independently confirmed worldwide.
This gap between reported and confirmed cases stems from both false claims by attackers and underreporting by victims. Based on FBI data obtained during their 2021 Hive infiltration, approximately 80% of ransomware victims failed to report incidents to law enforcement.
Strategic Evolution
The 2024 evolution in ransomware attacks reflects a calculated shift toward high-value targets. While overall frequency fluctuated, attacks reached unprecedented levels of sophistication and financial impact, particularly in critical infrastructure sectors. This shift in tactics suggests a maturing threat landscape where attackers prioritize quality over quantity, making defensive preparation more crucial than ever.
Attack Vectors & Techniques
Cybercriminals employed multiple vectors to breach organizational defenses, combining both traditional and advanced techniques to maximize their success rates. Phishing emails accounted for over half of all ransomware incidents. Exploitation of software vulnerabilities also played a significant role. Remote Desktop Protocol (RDP) exploits remained a prevalent method for gaining unauthorized system access and deploying ransomware across enterprise networks.
Attackers also frequently used malicious websites and deceptive advertisements to trick users into downloading malware. Additionally, compromised credentials, typically obtained through phishing campaigns or brute force attacks, gave threat actors direct access to target systems.
The following breakdown details the primary attack methods and vectors that defined the year:
Phishing Campaigns
Phishing remained the most common entry point for ransomware, responsible for over half of all attacks in 2024. These campaigns often involve sophisticated emails that trick users into clicking malicious links or opening infected attachments, leading to ransomware deployment.
Vulnerabilities Exploited in Ransomware Attacks in 2024
In 2024, ransomware tactics underwent a major shift as threat actors increasingly exploited zero-day vulnerabilities and unpatched systems. This evolution revealed a worrying trend: attackers developed more sophisticated approaches, precisely targeting critical infrastructure and enterprise systems.
Organizations relying on file transfer tools, VPN systems, and industrial control infrastructure were hit especially hard, creating a complex web of security challenges.
Major Trends:
Zero-Day Vulnerabilities
- Exploitation of zero-day vulnerabilities became a "new normal" in 2024, with many ransomware groups targeting unpatched systems before vendors could release fixes.
- High-profile zero-day exploits included vulnerabilities in critical infrastructure software, such as file transfer platforms (e.g., MOVEit Transfer, GoAnywhere MFT), and enterprise firewalls such as those from Palo Alto Networks.
Unpatched Systems
- 32% of ransomware attacks in 2024 started with the exploitation of unpatched vulnerabilities, underscoring the importance of timely patch management.
Critical Infrastructure Attacks
- Vulnerabilities in widely used file transfer tools (e.g., Cleo Harmony, VLTrader) and VPN equipment (e.g., Fortinet) were heavily targeted by ransomware groups like Cl0p and others.
- Industrial sectors saw an uptick in attacks exploiting VPN and remote access vulnerabilities, particularly targeting North America and Europe.
Ransomware groups actively exploited several critical vulnerabilities across the cybersecurity landscape. The discovery of CVE-2024-4577, a PHP vulnerability, proved particularly concerning as it allowed TellYouThePass ransomware operators to bypass authentication and execute malicious code. This vulnerability highlighted the growing sophistication of ransomware attacks through its use of command-and-control infrastructure and targeted cryptocurrency demands.
The Cl0p ransomware group emerged in 2019 and became a leading threat in 2024, demonstrating the evolution of ransomware-as-a-service (RaaS) platforms. With its sophisticated anti-analysis capabilities and strategic approach, Cl0p exemplified the increasing complexity of modern ransomware operations. The group demonstrated remarkable adaptability, alternating between data extortion and traditional ransomware encryption tactics.
The Cl0p group first demonstrated its capabilities by exploiting a SQL injection vulnerability in MOVEit Transfer (May 2023), focusing on data theft rather than encryption. Their impact grew significantly, accounting for 21% of all ransomware incidents by July 2023. The group further expanded their reach in Q4 2024 by targeting Cleo's software platforms through two critical zero-day vulnerabilities: CVE-2024-50623 and CVE-2024-55956.
Notable Vulnerabilities Exploited in 2024:
- MOVEit Transfer Vulnerability (CVE-2023-34362): Exploited by the Cl0p ransomware group to steal sensitive data from hundreds of organizations globally.
- FortiManager RCE (CVE-2024-47575): Targeted for remote code execution before public disclosure, leading to widespread compromises.
- Palo Alto Networks Zero-Days (CVE-2024-0012, CVE-2024-9474): Used in targeted campaigns against enterprise firewalls.
- SmartScreen Bypass (CVE-2024-21412): Exploited by advanced persistent threat (APT) groups like Water Hydra for financial and crypto-related attacks.
There have also been notable surges in vulnerability disclosures, with Common Vulnerabilities and Exposures (CVEs) increasing by roughly 30%. While thousands of new vulnerabilities have been identified, less than 1% have been actively weaponized by threat actors. These exploited vulnerabilities represent the most severe threats, as they are being systematically used in ransomware and malware campaigns.
Major platforms like Microsoft Windows and enterprise network systems have faced numerous security challenges throughout the year. A concerning trend has emerged with threat actors increasingly weaponizing older vulnerabilities, with a roughly 10% rise in such attacks. Many of these vulnerabilities are actively traded on dark web markets, emphasizing the critical need for organizations to shift from reactive security measures to more proactive threat prevention strategies.
Ransomware Developments
As ransomware attacks evolved in 2024, two particularly sophisticated variants, Cloak and Qilin.B, showcased the increasing technical prowess of cybercriminals. Both represent a significant leap in ransomware capabilities, combining advanced encryption methods with sophisticated evasion techniques.
Their emergence coincides with a strategic shift toward targeting high-value organizations, with ransom demands regularly exceeding $1 million. Both demonstrated significant improvements in their attack mechanisms, particularly in encryption methods and evasion techniques, enabling more targeted attacks against high-value organizations. Here is an analysis of their enhanced capabilities:
Qilin.B
Qilin.B, a new and advanced variant of the Qilin ransomware family, presented a significant threat to enterprise networks. It leverages a combination of robust encryption, sophisticated defense evasion tactics, and targeted disruption of backup systems to maximize its impact.
Key Features:
- Enhanced Encryption: Qilin.B utilizes both AES-256-CTR (on systems with AES-NI support) and ChaCha20 encryption, with the file keys further protected by RSA-4096 with OAEP padding. This makes decryption virtually impossible without the attacker's private key or captured seed values.
- Evasive Tactics: Qilin.B actively evades detection and analysis by terminating services associated with security tools, clearing Windows Event Logs to hinder forensic investigation, and deleting itself to minimize traces of its presence. It is compiled in Rust, which makes reverse engineering more challenging.
- Backup Disruption: Qilin.B disrupts critical recovery mechanisms by deleting volume shadow copies, making data restoration significantly more difficult.
- Targeted Tracking: Qilin.B uses a configurable company ID appended to encrypted files, allowing affiliates to track specific targets and potentially facilitate targeted attacks.
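The backup disruption and log clearing described above leave a distinctive footprint in process-creation telemetry, which is where defenders most reliably catch a ransomware payload before encryption completes. The following is an added example, not Halcyon's code and not derived from the Qilin.B sample itself: it runs a small set of command-line detection rules over constructed Sysmon-style process-creation records (the hostnames, PIDs and command lines are made up) and then correlates hits by parent process, since a single parent that both deletes shadow copies and clears event logs is a much stronger signal than either command on its own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Detection rules keyed on the command line of a process-creation event.
# Each entry: rule name, MITRE ATT&CK technique ID, compiled pattern.
RULES = [
    ("shadow-copy-deletion", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)),
    ("shadow-copy-deletion", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.IGNORECASE)),
    ("event-log-clearing", "T1070.001",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.IGNORECASE)),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    host: str
    ppid: int
    cmdline: str


def match_rules(cmdline: str) -> list[tuple[str, str]]:
    """Return (rule, technique) pairs whose pattern matches the command line."""
    return [(rule, tech) for rule, tech, pat in RULES if pat.search(cmdline)]


def scan_events(events: list[dict]) -> list[Finding]:
    """Apply every rule to every event; one Finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for rule, tech in match_rules(ev["cmdline"]):
            findings.append(Finding(rule, tech, ev["host"], ev["ppid"], ev["cmdline"]))
    return findings


def correlate_by_parent(findings: list[Finding], min_rules: int = 2) -> dict[tuple[str, int], set[str]]:
    """Group findings by (host, parent pid) and keep parents that triggered at
    least `min_rules` distinct rule types. Shadow-copy deletion followed by log
    clearing from the same parent is the pattern described for Qilin.B."""
    by_parent: dict[tuple[str, int], set[str]] = defaultdict(set)
    for f in findings:
        by_parent[(f.host, f.ppid)].add(f.rule)
    return {k: v for k, v in by_parent.items() if len(v) >= min_rules}


# Constructed sample events with Sysmon Event ID 1 style fields (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T02:14:03Z", "host": "FS01", "pid": 4120, "ppid": 3988,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-06-01T02:14:05Z", "host": "FS01", "pid": 4136, "ppid": 3988,
     "cmdline": "wevtutil cl Security"},
    {"ts": "2024-06-01T02:14:05Z", "host": "FS01", "pid": 4140, "ppid": 3988,
     "cmdline": "wevtutil cl System"},
    # Benign administrative activity from an unrelated parent: must not fire.
    {"ts": "2024-06-01T09:30:12Z", "host": "FS01", "pid": 5210, "ppid": 5100,
     "cmdline": "vssadmin list shadows"},
    {"ts": "2024-06-01T09:31:40Z", "host": "FS01", "pid": 5222, "ppid": 5100,
     "cmdline": "wevtutil qe Security /c:20 /f:text"},
]

if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h.technique}] {h.rule}: {h.cmdline}")
    for (host, ppid), rules in correlate_by_parent(hits).items():
        print(f"ALERT {host} parent pid {ppid}: {sorted(rules)}")
```

The rules are deliberately narrow (the `delete shadows` and `cl` verbs, not the whole utility) so that routine `vssadmin list` or `wevtutil qe` queries do not page anyone; the parent-process correlation is what turns individually noisy hits into an alert worth an immediate isolation decision.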
Cloak
The Cloak ransomware payload was one of the most technically sophisticated ransomware variants observed in 2024, employing advanced techniques across multiple stages of its attack chain.
The malware's complexity is evident in its multi-stage deployment process, which begins with a sophisticated loader mechanism that delivers and executes the ransomware payload through virtual hard disk manipulation.
Key Features:
- Initial Access and Persistence: The malware utilizes a complex loader that contains multiple encrypted resources, demonstrating sophisticated persistence mechanisms through virtual hard disk mounting and UPX compression techniques.
- System Impact: Cloak aggressively terminates security processes and modifies system settings to prevent recovery efforts. It targets critical system utilities and applications, effectively disabling defensive measures while maintaining operational stability for encryption processes.
- Encryption Methodology: The ransomware implements a hybrid encryption approach, combining full encryption for smaller files with intermittent encryption for larger ones. This optimization balances speed with effectiveness, using the HC-128 stream cipher algorithm alongside Curve25519 for key generation.
- Data Handling: The malware's file enumeration process is thorough yet selective, scanning all accessible storage while intelligently excluding certain system-critical files. This approach maximizes damage potential while maintaining system stability for ransom payment.
- Extortion Tactics: Beyond encryption, Cloak incorporates sophisticated data exfiltration capabilities and maintains a professional Data Leak Site (DLS) for publishing stolen information, adding another layer of pressure on victims who refuse to pay.
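Intermittent encryption of the kind described for Cloak is a speed optimization for the attacker, but it also changes what a responder sees on disk: instead of a uniformly high-entropy file, an affected large file alternates between ciphertext and untouched regions. The following added example (not Halcyon's code and not taken from the Cloak sample) scans a file body in fixed-size windows, computes the Shannon entropy of each, and classifies the file as plaintext, fully encrypted or intermittently encrypted. The 4 KiB window, the 7.0 bits/byte threshold and the alternating-chunk pattern in the constructed sample are assumptions; the page does not state Cloak's real block interval, and seeded random bytes stand in for HC-128 output, which is statistically indistinguishable from them for this purpose.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096   # analysis window in bytes (assumed; tune to the file types you scan)
HIGH_ENTROPY = 7.0  # bits per byte; ciphertext over a 4 KiB window sits near 7.95


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_profile(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[bool]:
    """One flag per chunk: True where the chunk looks like ciphertext."""
    return [shannon_entropy(data[i:i + chunk_size]) >= HIGH_ENTROPY
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Label a file body as plaintext, fully-encrypted, intermittent or empty."""
    profile = chunk_profile(data, chunk_size)
    if not profile:
        return "empty"
    high = sum(profile)
    if high == len(profile):
        return "fully-encrypted"
    if high == 0:
        return "plaintext"
    return "intermittent"


def encrypted_fraction(data: bytes, chunk_size: int = CHUNK_SIZE) -> float:
    """Share of chunks that look encrypted; useful for triage and recovery estimates."""
    profile = chunk_profile(data, chunk_size)
    return sum(profile) / len(profile) if profile else 0.0


# --- constructed sample inputs (not real victim files) ---
_rng = random.Random(20240101)  # seeded so results are reproducible
_LINE = b"2024-06-01 10:00:00 INFO order=1234 status=shipped\n"


def _plaintext(n: int) -> bytes:
    """Repetitive log-like text with low per-byte entropy."""
    return (_LINE * (n // len(_LINE) + 1))[:n]


def _ciphertext(n: int) -> bytes:
    """Uniform random bytes standing in for stream-cipher output."""
    return _rng.randbytes(n)


SAMPLE_PLAIN = _plaintext(8 * CHUNK_SIZE)
SAMPLE_FULL = _ciphertext(8 * CHUNK_SIZE)
# Alternate encrypted and untouched 4 KiB chunks: an assumed intermittent
# pattern, since the page does not state Cloak's actual block interval.
SAMPLE_INTERMITTENT = b"".join(
    _ciphertext(CHUNK_SIZE) if i % 2 == 0 else _plaintext(CHUNK_SIZE)
    for i in range(8))

if __name__ == "__main__":
    for name, body in [("plain", SAMPLE_PLAIN), ("full", SAMPLE_FULL),
                       ("intermittent", SAMPLE_INTERMITTENT)]:
        print(f"{name:13s} {classify(body):16s} encrypted={encrypted_fraction(body):.2f}")
```

Two practical caveats: already-compressed formats (archives, media, many Office files) are high-entropy in their original state, so the classifier needs a per-file-type baseline before it is used for triage at scale; and the chunk size should be chosen so that a partially encrypted file does not straddle windows in a way that averages the pattern away.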
The technical sophistication of Cloak represents a significant evolution in ransomware capabilities, combining advanced cryptographic implementations with efficient system manipulation techniques. This makes it a particularly dangerous threat, especially to organizations with valuable data assets.
Takeaway
In 2024, ransomware attacks became more targeted and sophisticated than ever before. While the overall frequency of attacks decreased, threat actors exhibited unprecedented sophistication in their operations, executing strategic campaigns against high-value organizations and critical infrastructure with remarkable precision.
As we move forward, the cybersecurity landscape presents a complex balance of challenges and opportunities. While innovative defensive technologies continue to emerge, the sophisticated weaponization of vulnerabilities demands heightened vigilance. The events of 2024 have demonstrated unequivocally that cybersecurity must be embedded within core business strategy to maintain organizational resilience.
The path ahead requires a balanced approach to cybersecurity. As defensive technologies evolve, our strategic response to emerging threats must evolve alongside them. The lessons of 2024 are undeniable proof that cybersecurity is not merely a technical consideration but a fundamental business imperative. This overview marks the beginning of our Last Year in Ransomware series. Stay tuned for our detailed analysis in the upcoming installments.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.