Cybernews analysts, utilizing the Ransomlooker tool, have identified alarming trends in cybercrime throughout 2024. Despite intensified law enforcement efforts, ransomware attacks continue to escalate. According to Ransomlooker’s data, the number of documented victims has surged to 5,300, marking a 26% increase compared to the previous year.
Once again, LockBit has emerged as the most active ransomware group, despite the significant setback inflicted by Operation Cronos. However, its dominance has waned, with the number of targeted companies plummeting by 50%. Given the overall increase in ransomware activity, this decline appears even more pronounced.
It is likely that LockBit will relinquish its position as the leading threat in the coming year. The strongest contender for the top spot is RansomHub, a newly established group that surfaced in 2024 and has rapidly gained momentum. Having successfully attacked approximately 500 organizations, RansomHub has demonstrated exceptional adaptability.
Remaining in third place for the second consecutive year is Play, which has primarily focused on targeting manufacturing, real estate, and technology sectors. Meanwhile, LockBit has largely attacked industrial enterprises, tech firms, and retail chains, whereas RansomHub has concentrated on the construction, manufacturing, and trade industries.
A significant concern is the rising number of active ransomware groups. In 2024, their total count rose to 89, compared to 67 in the previous year. Notably, 43 of these groups are either newly formed or rebranded entities, underscoring the fluidity and decentralization of the cybercriminal ecosystem. Emerging groups such as KillSec and Funksec have already inflicted damage on 136 and 91 companies, respectively—highlighting the low barrier to entry in this illicit trade.
Ransomlooker’s analysis also revealed seasonal patterns in ransomware operations. The busiest periods were spring and autumn, with attack rates peaking at 1,600 incidents per month. In contrast, summer saw a noticeable decline in attack volume, likely due to cybercriminals operating in regions where summer is traditionally vacation season.
The most frequently targeted sectors have remained largely unchanged:
- Industrial enterprises suffered the highest number of attacks, with over 300 companies compromised, largely due to their vulnerability to operational disruptions.
- The technology sector ranked second, with 150 companies attacked, reflecting its reliance on uninterrupted workflows.
- Real estate closed the top three, as the high value of data and the interconnected nature of systems make companies in this industry prime targets for extortionists.
Among the most notable ransomware victims of 2024 were corporate giants such as:
- Volkswagen Group (annual revenue: $356 billion)
- Oman Oil (annual revenue: $40 billion)
- Marfrig, a leading meat processing corporation (annual revenue: $27 billion)
The total estimated ransom demands across just ten of the largest victims could have reached $5.2 billion.
Beyond the corporate sector, government institutions have also come under fire. The successful breach of the District of Columbia’s administration underscores the severity of ransomware threats to critical public services and sensitive governmental data.
The United States remains the primary target, with over 1,700 organizations affected—ten times more than in Canada or the United Kingdom. However, a significant shift occurred in 2024 as India entered the list of most heavily impacted nations for the first time. Meanwhile, Italy, Germany, France, and Spain continued to experience high volumes of attacks, reaffirming the global scope of the ransomware crisis.
The relentless expansion of ransomware operations demonstrates that cybercrime is evolving at a faster pace than security measures can adapt. With each dismantled group, new actors swiftly emerge to fill the void, reinforcing the reality that combating ransomware is not a one-time effort, but an ongoing battle for survival.
