The Evolving Threat of Ransomware: A New Era of Cyber Extortion

Ransomware remains one of the most persistent and damaging cybersecurity threats. In 2024, while total ransom payments dropped significantly, attackers adapted with more aggressive tactics, new ransomware groups, and an increase in overall attacks. This evolving landscape suggests that while organizations are improving their defenses, cybercriminals are finding new ways to exert pressure.

Ransomware Payments Decline, But Attacks Surge

According to Chainalysis, ransomware attackers extorted $813.55 million in 2024, a 35% decrease from 2023’s $1.25 billion. This decline results from stronger law enforcement interventions, improved cybersecurity defenses, and a growing trend of victims refusing to pay. However, despite the drop in payments, the number of ransomware attacks has continued to rise.

One reason for this paradox is that cybercriminals no longer rely solely on encryption to force victims to pay. Instead, data exfiltration and public extortion have become standard tactics. In 2024, 71% of ransomware incidents involved data theft before the ransomware was even deployed (Infosecurity Magazine). This means that even if an organization has reliable backups and refuses to pay, attackers can still threaten to leak sensitive data to coerce a ransom.

The Rise of New Ransomware Groups

2024 saw the emergence of 46 new ransomware groups, a significant jump from 27 in 2023 (The Hacker News). This fragmentation in the cybercriminal ecosystem has led to increased competition among gangs, pushing them to adopt faster and more aggressive tactics. Some groups now operate in a Ransomware-as-a-Service (RaaS) model, where they lease their tools to affiliates who carry out attacks, further expanding their reach.

Targeting Critical Sectors

While ransomware gangs continue to target organizations of all sizes, certain industries have been hit the hardest. In particular, the manufacturing, healthcare, education, and energy sectors have experienced the greatest increase in ransomware attacks. These industries are prime targets because of their reliance on continuous operations: any downtime can have severe consequences, making them more likely to pay a ransom (Zscaler).

In healthcare, for example, ransomware attacks can delay urgent medical procedures, putting lives at risk. In the energy sector, an attack on power grids or fuel supply chains can disrupt entire regions. These high-stakes scenarios make it clear why cybercriminals focus on these industries—they can demand higher ransoms with a greater likelihood of payment.

How Organizations Should Respond

With gangs evolving their tactics, organizations must prioritize proactive security measures to stay ahead. Here are key steps businesses should take:

  • Enhance threat detection and response: Invest in real-time monitoring and automated threat detection tools.
  • Secure the supply chain: Assess and strengthen third-party vendor security to prevent indirect breaches.
  • Limit data exposure: Use strong encryption and access controls to ensure that even if data is stolen, it remains unreadable.
  • Collaborate with law enforcement: Engage with cybersecurity agencies to stay informed about emerging threats and response strategies.

While the decline in ransomware payments is an encouraging sign, the increased aggression and adaptability of cybercriminals indicate that this battle is far from over. Attackers are finding new ways to pressure victims, whether through data leaks, reputation damage, or more targeted attacks on critical infrastructure.

The key takeaway? Ransomware thrives on fear and unpreparedness. Organizations must shift from a reactive mindset to a proactive security strategy, focusing on resilience, detection, and defense rather than paying ransoms.
