The first quarter of 2024 broke records with 192 publicly disclosed ransomware attacks, an increase of 48% over 2023. The number of undisclosed attacks also reached new heights, with a 22% increase over the previous year.
The unreported to reported ratio began to stabilize throughout the first three months of the year, with the figure for Q1 sitting at 520%. Unfortunately, this figure indicated that over 5X as many attacks go unreported. With the SEC’s incident disclose rules now in effect, we had expected this figure to be substantially lower, making it an interesting statistic to monitor closely over the coming months.
Industry
Unsurprisingly, when it came to disclosed attacks, healthcare, government and education continued to be the favorite target verticals for cybercriminals. With government and healthcare topping the ranks with 30 attacks each, an increase of 33% and 40% respectively on 2023 figures. Education saw a 3% increase from the same period of last year, recording 27 attacks.
For undisclosed attacks, manufacturing, services and technology took the brunt of the incidents, with 20%, 12% and 9% respectively.
Variants
LockBit continued to dominate as the main ransomware variant for both disclosed and undisclosed attacks. LockBit attacks account for 16% of reported and 21% of unreported attacks so far in 2024.
BlackCat claimed only 9% of reported attacks, which can be attributed to the group’s “takedown” earlier this year. Medusa also appeared strong with 4% of public attacks. It’s also worth noting that in Q1 34% of all publicly disclosed attacks were unclaimed. Black Basta and 8Base made waves in undisclosed attacks, both accounting for 7% of the 1000 attacks recorded.
In the first three months of 2024 we have seen twelve new ransomware variants emerge, including Ransomhub who since February were responsible for 30 attacks across a range of different verticals. This worrying trend spells trouble for the ransomware landscape – with more gangs emerging, the number of attacks will inevitably increase. Keep an eye on new ransomware gangs with our ongoing blog.
Geography
The geography of both disclosed and undisclosed remained consistent, with victims from the USA suffering over 50% of attacks in both categories. Canada and European countries such as Germany, France and Italy were also among the regions who were hit badly by ransomware in Q1.
Data Exfiltration
We recorded an increase in the number of disclosed attacks involving data exfiltration, rising to 92%. This figure has continued to rise, albeit minimally, over the past 2 years, highlighting the move from traditional encryption-based ransomware to the use of data exfiltration for extortion purposes.
According to our undisclosed insights, the average amount of data exfiltrated during an attack is 589GB. The volume of data stolen in attacks ranged from 1.2GB to around 7TB. Threat actors responsible for these undisclosed attacks all claimed to have exfiltrated some volume of data but with these attacks being unverified, it is not known if these claims are true until the data has been leaked.
Summary
With record-breaking numbers of attacks being recorded each month, in both reported and unreported categories, it is clear that ransomware is not on the decline and remains a top threat for organizations globally.
Data exfiltration continues to rise, with 92% of attacks involving the theft of data which has significant consequences for victims, with some still experiencing the fall out months after the initial attack.
Cybercriminals are evolving and breaking through traditional defenses with sophisticated attacks. To prevent attacks and avoid being the next victim of ransomware and extortion, organizations must look to newer technologies such as anti data exfiltration (ADX) which has been designed to stop attacks in real-time, 24/7 without the need for human intervention.
At BlackFog, we have been recording ransomware data since 2020. We believe these figures help us to gain a better understanding of the ransomware landscape, highlighting trends and providing insights into how cybercriminals are evolving to break down cybersecurity defenses.
Share This Story, Choose Your Platform!
Related Posts
Infostealers Explained: The Hidden Gateway to Ransomware
Infostealers compromise credentials and open the door to ransomware. Learn what they are, how they work, and key steps to keep your business safe.
Data Poisoning Attacks: How Hackers Target AI-Driven Business Systems
Data poisoning corrupts the information resources that AI systems rely on. Learn how this growing threat works, why it matters and what steps your business can take to defend against it.
What is Cyber Resiliency and Why Does it Matter in 2025?
Discover why cyber resiliency is vital in 2025 as firms face complex threats. Learn how businesses can adapt, recover and protect trust.
The Interlock Ransomware Problem Security Teams Can’t Ignore
Interlock ransomware is disrupting healthcare, cities, and infrastructure in 2025 with fake update lures, data theft, and double extortion tactics.
Effective Data Security Management: Strategies and Best Practices
What must firms do to develop an effective data security management strategy? Here are some key best practices to follow.
What is Data Loss Prevention? | A Complete Guide to DLP Security
Learn everything you need to know about what data loss prevention is and how to implement it in this comprehensive guide.