Power Rankings: Ransomware Malicious Quartile Q3-2024
In 2023, a record $1 billion in ransom payments was recorded, driven largely by a handful of high-profile campaigns. Two of the most notable involved Cl0p, which mass-exploited a vulnerability in the MOVEit Transfer file transfer tool, and BlackCat/ALPHV, which carried out a significant attack on Caesars Entertainment's hotel properties.
This surge in ransom payments highlights the escalating scale and severity of ransomware attacks targeting organizations across various sectors. The situation has worsened significantly in 2024.
By the midpoint of the year, ransomware payments reached a staggering $459 million, according to a report by Chainalysis. This figure represents a $10 million increase over the same period in 2023, reflecting a concerning upward trend in ransomware-related extortion.
The growing financial impact underscores the heightened capabilities of ransomware groups and the increased pressure on victims to pay.
One of the most alarming developments is the spike in the sums extracted by the most dangerous ransomware strains. In early 2023, the median ransom payment to those strains stood at $198,939. By mid-2024, that figure had climbed to $1.5 million.
This sharp increase suggests that ransomware operators have become more adept at infiltrating deeper into targeted networks and exfiltrating sensitive data. By leveraging this stolen information, cybercriminals exert greater pressure on organizations to comply with their demands, often threatening to release critical or damaging data if ransoms are not paid.
Blockchain analysts have also uncovered evidence of a record-breaking ransom payment, with one victim organization paying a colossal $75 million in response to a single attack. This aligns with research from other cybersecurity firms, which reported a median ransom payment of $2.2 million for 49 state and local governments in the first half of 2024.
These figures illustrate the increasing financial stakes, especially for public sector entities that may be particularly vulnerable to cyberattacks.
In parallel with the rising costs, the frequency of ransomware attacks has increased by 10% in 2024 compared to the previous year. Despite the rising number of incidents and the growing ransom amounts, there is evidence to suggest that fewer victims are opting to pay.
This could be due to a combination of factors, including improved recovery strategies, cybersecurity awareness, and reluctance to fund criminal enterprises. However, even with fewer payments, the overall impact remains severe.
The rise of ransomware as an industry poses an unprecedented threat. The combination of more sophisticated attackers, evolving ransomware variants, and escalating ransom payouts has created a dangerous environment for businesses and governments alike.
The financial losses inflicted on organizations are staggering, and these costs are not isolated to the companies targeted—they will ultimately trickle down to consumers through increased costs for goods and services, as well as higher insurance premiums.
Moreover, the true financial toll of ransomware attacks may be significantly underreported. According to FBI estimates, based on intelligence gathered during their infiltration of the Hive ransomware group, only about 20% of ransomware attacks are actually reported to law enforcement.
This suggests that the actual economic damage could be much higher—potentially closer to $5 billion when factoring in unreported incidents.
It is important to note that this $5 billion estimate only accounts for ransom payments. It does not include the additional costs of recovery, which can be immense. For instance, the Change Healthcare ransomware attack resulted in recovery costs exceeding $1 billion, underscoring the immense burden organizations face in the aftermath of such incidents.
These costs go beyond immediate financial outlays and include longer-term consequences like brand damage, potential lawsuits, and regulatory fines—all of which can have lasting impacts on an organization’s reputation and financial stability.
Ransomware has evolved into a massive, highly organized industry, with devastating economic consequences. The financial burden affects businesses, governments, and consumers alike, creating a significant drag on the global economy.
To curb the growth of this industry, it is essential to make ransomware operations less profitable for attackers. Unfortunately, this remains a distant goal, as cybercriminals continue to exploit weaknesses in cybersecurity defenses.
One of the key strategies employed by ransomware groups is the exploitation of unpatched vulnerabilities and misconfigurations within systems. Threat actors have become increasingly efficient in automating their attacks, allowing them to target a larger number of victims more quickly.
The mass exploitation of vulnerabilities such as those in MOVEit Transfer, GoAnywhere MFT, and Citrix NetScaler (Citrix Bleed) is a stark reminder of how many of these attacks could be prevented if organizations prioritized timely patching of internet-facing systems.
To build resilience against ransomware, organizations must strategically invest in maintaining business continuity and ensuring rapid recovery from attacks. This involves not only securing networks but also developing robust contingency plans to minimize downtime and financial loss.
Without these investments, companies will continue to fuel the ever-growing ransomware economy, which thrives on the vulnerabilities of underprepared organizations. In the absence of a comprehensive approach to combating ransomware, the economic toll will continue to rise, with no signs of slowing down.
While we cannot stop ransomware attacks, we can prevent them from being successful.
This is why the Halcyon team of ransomware experts has put together this extortion group power rankings guide as a quick reference for the extortion threat landscape based on data from throughout Q3-2024, which can be reviewed along with earlier reports here: Power Rankings: Ransomware Malicious Quartile.
Q3-2024 Trends
Some interesting trends emerged in the third quarter of 2024:
Crisis Deepens
- Clay County in Indiana Issues Disaster Declaration Following Ransomware Attack: Clay County, Indiana Emergency Management Agency officials issued a disaster declaration following a disruptive ransomware attack on county networks which has halted operations at the Clay County Courthouse and Clay County Probation/Community Corrections facilities.
- Ransomware Payouts: “Firmly on Track for the Worst Year on Record”: Over $459 million was extorted in the first half of the year, a $10 million increase over the same period in 2023, signaling a worsening trend.
- Dark Angels Ransomware Gang Nets Record $75M Ransom Payment: The ransomware operation Dark Angels has reportedly set a new record by receiving a $75 million ransom payment from an unnamed Fortune 50 company.
Ransom Debate Continues
- CISA Director Says Ransom Payment Ban Unlikely: The Director of CISA said it is unlikely the U.S. government would issue a formal ban on ransom payments to ransomware operators despite the fact that such a ban would diminish the financial incentives for further attacks.
- Ransomware: Majority of Victims Who Paid Ransom Suffered Multiple Attacks: 74% of respondents who faced ransomware attacks in the last 12 months were hit multiple times, with some enduring multiple attacks in the span of a single week.
- They Paid the Ransom Demand but the Decryptor Doesn’t Work – Surprised?: For some victims of the Hazard ransomware, paying the ransom only made things worse. After paying to receive a decryptor, they found it did not work.
Data Exfiltration Focus
- Over 2.7 Billion Records from National Public Data Exposed in Breach: The leaked data consists of two text files totaling 277GB, containing unencrypted records, though it is unclear if it covers every individual in the US.
- Medical Records for 791K Exposed in Ransomware Attack on Lurie Children’s Hospital: The Rhysida ransomware group, which took credit for the attack on Lurie Children’s, has claimed that the 600 GB of data stolen from the hospital has been sold on the black market because the hospital refused to pay the ransom demand.
- RansomHub Publishes Exfiltrated Florida Health Department Data: Ransomware threat actors RansomHub have claimed to have published 100 gigabytes of exfiltrated data belonging to the Florida Department of Health asserting that the agency failed to pay a ransom demand following an attack.
- RansomHub Exfiltrated Sensitive Data from Planned Parenthood of Montana: Planned Parenthood of Montana announced it was the target of a cybersecurity attack in late August 2024, for which RansomHub claimed responsibility.
- Sensitive Data of One Million NHS Patients Exposed Online After Ransomware Attack: Analysis estimates that over 900,000 people may be affected by the attack, which involved data published by the Qilin ransomware gang in June.
- Hunters International Hits ICBC and Exfiltrates 6.6TB of Sensitive Data: The cyberattack was orchestrated by a group known as Hunters International, who claim to have stolen 5.2 million files, totaling 6.6 terabytes of sensitive data.
- Hunters International Ransomware Operators Threaten to Publish US Marshals Data: The Hunters International ransomware group is threatening to leak 386 GB of data from the U.S. Marshals Service (USMS), claiming it includes “Top Secret” documents, gang files, and information from the 2022 drug enforcement operation.
Legal and Regulatory Repercussions
- Lurie Children’s Hospital Named in Class Action Lawsuit Following Ransomware Attack: The lawsuit claims Lurie Children’s failed to implement reasonable and appropriate cybersecurity measures and did not comply with industry standards for cybersecurity.
- CDK Global Named in Multiple Lawsuits Following Ransomware Attack: The lawsuits allege CDK failed to adequately protect customer data, exposing tens of thousands of individuals' personal information, including Social Security numbers and financial details.
- Judge Dismisses Most of SEC Case Against SolarWinds and CISO: The SEC accused SolarWinds of downplaying its cybersecurity issues and the attack's severity while hiding customer warnings about malicious activity.
- NCPA, Providers in 22 States Sue Change Healthcare/Optum/UHG Over Ransomware Attack: The National Community Pharmacists Association (NCPA) and over three dozen healthcare providers from 22 U.S. states have filed a lawsuit against Change Healthcare, Optum, and UnitedHealth Group following a severe ransomware attack in February 2024.
- IT Services Provider in UK Fined Over NHS Ransomware Attack: The ICO provisionally found that the company had failed to protect the personal information of nearly 83,000 individuals, including sensitive data.
- Exposed Employee PII in Ransomware Attack Spurs Class Action Lawsuit for City of Columbus: The international ransomware group Rhysida claims responsibility for the attack, asserting that they stole 6.5 TB of data, including passwords, logins, and access to city cameras.
- Enzo Biochem Fined $4.5M for Poor Security Following Ransomware Attack: The biotech company has been ordered to pay $4.5 million to the attorneys general of New York, New Jersey, and Connecticut following a 2023 ransomware attack that compromised the data of over 2.4 million people.
- Lehigh Valley Health Network to Pay $65M Settlement After Ransomware Attack: The class-action lawsuit, filed in March 2023, accused LVHN of failing to safeguard patient data.
Evolving TTPs
- North Korean Operations Highlight Espionage and Ransomware Attack Overlap: A North Korea-linked threat actor, APT45, known for its cyber espionage operations, has expanded into financially motivated attacks involving ransomware, distinguishing it from other North Korean hacking groups.
- Play Ransomware Debuts Linux Variant that Targets VMware ESXi: The Play ransomware gang is the latest to develop a dedicated Linux locker for encrypting VMware ESXi virtual machines.
- Qilin Ransomware TTPs Include Harvesting VPN Credentials in Chrome: In a recent Qilin ransomware attack observed in July 2024, threat actors stole credentials stored in Google Chrome browsers on compromised endpoints.
- New Cicada Ransomware Variant Targets VMware ESXi: Analysis suggests that this new ransomware shares significant similarities with the ALPHV/BlackCat ransomware, indicating a potential rebranding or a fork by former ALPHV developers.
- CISA and FBI Alert on Iranian Ransomware Attacks Against US Infrastructure: These actors, known by various names including Pioneer Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm, have been targeting both U.S. and foreign organizations across multiple sectors.
- New RansomHub TTPs Include TDSSKiller and LaZagne for Disabling EDR: This method, recently uncovered by researchers, chains two well-known tools: Kaspersky's TDSSKiller, a legitimate rootkit removal tool, is abused to stop or delete security services on the endpoint, after which LaZagne, an open-source credential-harvesting utility, is run to collect stored passwords without the EDR interfering.
- Kransom Ransomware Attack Leverages DLL Side-Loading and Valid Certificates: This sophisticated malware leverages DLL side-loading techniques to deploy its payload, utilizing a legitimate digital certificate issued by COGNOSPHERE PTE. LTD., adding an extra layer of credibility to its malicious activities.
- Mallox Ransomware Operators Develop Linux Variant with Leaked Kryptina Code: An affiliate of the Mallox ransomware group, also known as TargetCompany, has been observed using a modified version of the Kryptina ransomware to target Linux systems.
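The TDSSKiller/LaZagne chain and the Qilin Chrome-credential theft above are both visible in endpoint process-creation telemetry. The following is an added example, not code from the original post or from Halcyon, of how a defender might express those TTPs as detection logic and correlate them per host. The Sysmon-style event records are constructed for this example; the field names, the list of protected security-service names, the `-dcsvc` service-delete switch of TDSSKiller, and the Chrome profile path are assumptions to tune for your own environment.

```python
"""Detection sketch for the EDR-disable and credential-theft TTPs listed above.

Added example, not Halcyon code. Events below are constructed; field names,
the protected-service list, and tool switches are assumptions.
"""
import re
from dataclasses import dataclass

# Security services an attacker would plausibly try to remove before
# harvesting credentials. Assumed list; replace with the services you run.
PROTECTED_SERVICES = {"mbamservice", "sense", "windefend",
                      "csfalconservice", "sentinelagent"}

# Assumption: TDSSKiller exposes "-dcsvc <service>" to delete a service.
TDSSKILLER_DCSVC = re.compile(r"-dcsvc\s+\"?([A-Za-z0-9_.-]+)", re.IGNORECASE)
# Chrome's saved-password database lives under the profile directory.
CHROME_LOGIN_DATA = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data", re.IGNORECASE)

@dataclass
class Finding:
    rule: str
    host: str
    event_id: int
    detail: str
    ts: int

def inspect_event(ev):
    """Return the atomic Findings for one process-creation event."""
    image, cmd, found = ev["image"].lower(), ev["command_line"], []
    m = TDSSKILLER_DCSVC.search(cmd)
    if image.endswith("tdsskiller.exe") and m and m.group(1).lower() in PROTECTED_SERVICES:
        found.append(Finding("tdsskiller_deletes_security_service", ev["host"],
                             ev["id"], m.group(1).lower(), ev["ts"]))
    if "lazagne" in image or "lazagne" in cmd.lower():
        found.append(Finding("lazagne_execution", ev["host"], ev["id"], cmd, ev["ts"]))
    # Chrome itself legitimately opens Login Data; anything else touching it is suspect.
    if CHROME_LOGIN_DATA.search(cmd) and not image.endswith("chrome.exe"):
        found.append(Finding("chrome_login_data_accessed_by_non_browser",
                             ev["host"], ev["id"], image, ev["ts"]))
    return found

def detect(events, window_seconds=3600):
    """Scan events, then correlate an EDR kill followed by credential theft on
    the same host within window_seconds into a single higher-severity Finding."""
    atomic = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        atomic.extend(inspect_event(ev))
    kills = [f for f in atomic if f.rule == "tdsskiller_deletes_security_service"]
    thefts = [f for f in atomic if f.rule in
              ("lazagne_execution", "chrome_login_data_accessed_by_non_browser")]
    correlated = [
        Finding("edr_disabled_then_credentials_harvested", k.host, t.event_id,
                f"after event {k.event_id} deleted service {k.detail}", t.ts)
        for k in kills for t in thefts
        if t.host == k.host and 0 <= t.ts - k.ts <= window_seconds
    ]
    return atomic + correlated

# Constructed sample telemetry (not real logs). ts = seconds, arbitrary epoch.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "ts": 1000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"id": 2, "host": "WS01", "ts": 1200, "image": r"C:\Users\Public\tdsskiller.exe",
     "command_line": r"tdsskiller.exe -dcsvc MBAMService"},
    {"id": 3, "host": "WS01", "ts": 1500, "image": r"C:\Users\Public\LaZagne.exe",
     "command_line": r"LaZagne.exe all"},
    {"id": 4, "host": "WS02", "ts": 1600,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -c Copy-Item "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data" C:\Temp\ld.db'},
    # Benign TDSSKiller run with no service-delete switch: should not fire.
    {"id": 5, "host": "WS03", "ts": 1700, "image": r"C:\Tools\tdsskiller.exe",
     "command_line": r"tdsskiller.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host} event {f.event_id}: {f.rule} ({f.detail})")
```

On the sample data this yields three atomic findings (the service deletion and LaZagne run on WS01, the PowerShell copy of Login Data on WS02) plus one correlated finding on WS01, where the security-service deletion precedes credential harvesting within the hour; WS02 gets no correlated alert because no EDR tampering preceded the copy, and the plain TDSSKiller run on WS03 is ignored. In production the same rules would be fed from Sysmon Event ID 1 or EDR process telemetry, and the service list and window would be tuned to the estate.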
Takeaway
Ransomware attacks have become one of the most devastating threats to modern businesses, often bringing operations to a complete standstill. When critical systems and sensitive data are seized, an organization can find its daily processes crippled.
The impact goes beyond the immediate disruption; lost revenue, missed opportunities, and long-term damage to the company’s reputation are just the beginning.
For many businesses, especially smaller ones, the downtime caused by ransomware can be catastrophic, forcing temporary or even permanent closures, with lasting repercussions that may be impossible to recover from. Larger corporations may have the resources and resiliency to endure such disruption. However, for small and medium-sized enterprises (SMEs), the consequences can be existential.
Unlike bigger companies, SMEs often lack the financial reserves or technical capability to spend weeks recovering their systems. A prolonged shutdown could spell the end of operations, as they struggle to absorb the cost of getting back online and repairing the damage.
Ransom demands vary widely, ranging from thousands to tens of millions of dollars, depending on the size and sector of the targeted company. However, the ransom is only part of the financial impact. The costs associated with incident response—hiring specialized cybersecurity teams, consulting legal experts, and dealing with potential regulatory fines—can quickly escalate.
Moreover, these figures do not encompass the full scope of the damage. Beyond the immediate financial hit, there are tangential costs that can be even more severe. These include long-term brand damage, eroded consumer trust, and increased cyber insurance premiums. Legal fees and ongoing litigation can further stretch an organization’s resources. Revenue lost due to system downtime can sometimes exceed the direct costs of remediation. Unlike tangible losses, these are difficult to predict or budget for, leaving many companies vulnerable to financial ruin.
Ransomware attacks also pose significant risks in terms of intellectual property (IP) and regulated data. Once attackers gain access to a company’s systems, they do not merely lock files—they often steal the data, threatening to leak it publicly unless the ransom is paid. For many organizations, particularly those dealing with sensitive customer information, this kind of exposure brings regulatory implications. Failure to adequately protect customer data can lead to lawsuits, regulatory fines, and irreparable reputational damage.
The theft of proprietary business data—such as patents, trade secrets, or confidential transaction information—can be just as damaging. Attackers frequently sell such information on dark web forums, where the highest bidder could gain access to a company’s most valuable assets.
Data exfiltration—removing sensitive data from a company’s systems before encrypting them—has become a common tactic in ransomware attacks. This significantly increases the pressure on the victim to pay the ransom. Even if an organization is prepared to recover from the initial attack, the fact that sensitive data has been stolen puts them at ongoing legal and financial risk.
Regulatory obligations to report data breaches vary by jurisdiction and industry, but failure to do so in a timely manner can result in hefty fines and legal consequences. In some cases, companies may face class action lawsuits, particularly when customer data has been compromised.
Paying the ransom is far from a guaranteed solution. Cybersecurity experts widely advise against it, as it not only funds criminal enterprises but also does not guarantee the recovery of encrypted data. The bad news is that attackers may still choose to sell or expose stolen data even after receiving payment. As a result, organizations are left facing both immediate and long-term challenges, with no assurance of a positive outcome even if they comply with the attackers’ demands.
Ransomware operators have also evolved their tactics to maximize the financial impact. Increasingly, attackers exploit opportunities to extract multiple payments from a single attack, targeting not just the initial victim but also their partners, vendors, and customers. Exfiltrated data can be leveraged to extort these third parties, widening the attack’s financial and reputational damage.
Organizations must prioritize both prevention and resilience. Prevention includes timely patching of internet-facing systems, least-privilege access controls, encryption of sensitive data at rest so that exfiltrated copies are less useful to extortionists, and continuous employee training. Yet prevention alone is not enough; organizations must also be prepared to respond swiftly and effectively, and to restore operations without paying, when an attack does succeed.
The Halcyon Mission: Defeat Ransomware
Halcyon is the only cybersecurity company that eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies. Backed by an industry-leading warranty, the Halcyon Anti-Ransomware Platform drastically reduces downtime, enabling organizations to quickly and easily recover from attacks without paying ransoms or relying on backups. For more information on how Halcyon efficiently and effectively defeats ransomware attacks, contact an expert here or visit halcyon.ai to request a free consultation.