Halcyon Ransomware Malicious Quartile Q3-2024
Executive Summary
In 2023, a staggering $1 billion in ransom payments was recorded, setting a record largely due to high-profile cyberattacks. Two of the most notable incidents involved Cl0p, a notorious ransomware group that exploited vulnerabilities in a file transfer tool, and BlackCat/ALPHV, which orchestrated a significant attack on Caesars Entertainment’s hotel properties. This surge in ransom payments highlights the escalating scale and severity of ransomware attacks targeting organizations across various sectors.
The situation has worsened significantly in 2024. By the end of the first half of the year, ransomware payments reached a staggering $459 million, according to a report by Chainalysis. This figure represents a $10 million increase over the same period in 2023, reflecting a concerning upward trend in ransomware-related extortion. The growing financial impact underscores the heightened capabilities of ransomware groups and the increased pressure on victims to pay.
One of the most alarming developments is the spike in ransom demands from some of the most dangerous ransomware groups. In early 2023, the median ransom payment stood at $198,939. However, by mid-2024, this figure skyrocketed to $1.5 million. This sharp increase suggests that ransomware operators have become more adept at infiltrating deeper into targeted networks and exfiltrating sensitive data. By leveraging this stolen information, cybercriminals exert greater pressure on organizations to comply with their demands, often threatening to release critical or damaging data if ransoms are not paid.
Blockchain analysts have also uncovered evidence of a record-breaking ransom payment, with one victim organization paying a colossal $75 million in response to a single attack. This aligns with research from other cybersecurity firms, which reported a median ransom payment of $2.2 million for 49 state and local governments in the first half of 2024. These figures illustrate the increasing financial stakes, especially for public sector entities that may be particularly vulnerable to cyberattacks.
In parallel with the rising costs, the frequency of ransomware attacks has increased by 10% in 2024 compared to the previous year. Despite the rising number of incidents and the growing ransom amounts, there is evidence to suggest that fewer victims are opting to pay. This could be due to a combination of factors, including improved recovery strategies, cybersecurity awareness, and reluctance to fund criminal enterprises. However, even with fewer payments, the overall impact remains severe.
The rise of ransomware as an industry poses an unprecedented threat. The combination of more sophisticated attackers, evolving ransomware variants, and escalating ransom payouts has created a dangerous environment for businesses and governments alike. The financial losses inflicted on organizations are staggering, and these costs are not isolated to the companies targeted—they will ultimately trickle down to consumers through increased costs for goods and services, as well as higher insurance premiums.
Moreover, the true financial toll of ransomware attacks may be significantly underreported. According to FBI estimates, based on intelligence gathered during their infiltration of the Hive ransomware group, only about 20% of ransomware attacks are actually reported to law enforcement. This suggests that the actual economic damage could be much higher—potentially closer to $5 billion when factoring in unreported incidents.
It is important to note that this $5 billion estimate only accounts for ransom payments. It does not include the additional costs of recovery, which can be immense. For instance, the Change Healthcare ransomware attack resulted in recovery costs exceeding $1 billion, underscoring the immense burden organizations face in the aftermath of such incidents. These costs go beyond immediate financial outlays and include longer-term consequences like brand damage, potential lawsuits, and regulatory fines—all of which can have lasting impacts on an organization’s reputation and financial stability.
Ransomware has evolved into a massive, highly organized industry, with devastating economic consequences. The financial burden affects businesses, governments, and consumers alike, creating a significant drag on the global economy. To curb the growth of this industry, it is essential to make ransomware operations less profitable for attackers. Unfortunately, this remains a distant goal, as cybercriminals continue to exploit weaknesses in cybersecurity defenses.
One of the key strategies employed by ransomware groups is the exploitation of unpatched vulnerabilities and misconfigurations within systems. Threat actors have become increasingly efficient in automating their attacks, allowing them to target a larger number of victims more quickly. The mass exploitation of vulnerabilities such as those found in MOVEit, GoAnywhere, and Citrix Bleed is a stark reminder of how many of these attacks could be prevented if organizations prioritized timely patching.
To build resilience against ransomware, organizations must strategically invest in maintaining business continuity and ensuring rapid recovery from attacks. This involves not only securing networks but also developing robust contingency plans to minimize downtime and financial loss. Without these investments, companies will continue to fuel the ever-growing ransomware economy, which thrives on the vulnerabilities of underprepared organizations. In the absence of a comprehensive approach to combating ransomware, the economic toll will continue to rise, with no signs of slowing down.
While we cannot stop ransomware attacks, we can prevent them from being successful.
This is why the Halcyon team of ransomware experts has put together this extortion group power rankings guide as a quick reference for the extortion threat landscape based on data from throughout Q3-2024, which can be reviewed along with earlier reports here: Power Rankings: Ransomware Malicious Quartile.