- You're not fired, Slack is down - here's what we know so far
- Not all Echo devices will get Alexa Plus - see if yours made the list
- 99% of Organizations Report API-Related Security Issues
- Packaged offerings promise to make AI infrastructure deployment easier
- Everything announced at Amazon's Alexa event today: Alexa Plus, new Echo Show UI, and more
Data Theft Drove 94% of Cyberattacks in 2024
Data theft accounted for 94% of all cyber attacks worldwide in 2024, according to new research, as cybercriminals increasingly combine data exfiltration with encryption in ransomware campaigns.
Beyond encryption, ransomware attackers now threaten to leak or sell a company’s data on the dark web if victims refuse to pay. Stolen information often includes personally identifiable data and proprietary intellectual property.
The findings come from BlackFog’s 2024 Ransomware Trend Report, which analysed ransomware activity across hundreds of publicly disclosed and non-disclosed attacks on global organisations between January and December.
The report found the average amount of data stolen in an undisclosed exfiltration attack is 592 GB, and the number of disclosed and undisclosed cyber attacks increased by 25% and 26% year-over-year, respectively.
Dr. Darren Williams, founder and chief executive officer of BlackFog, said in a press release: “The report shows 2024 was a landmark year with organizations facing growing financial and reputational damage from ransomware attacks, with high-value sectors particularly pressured to pay ransoms to restore operations.”
According to IBM’s Cost of Data Breach report, the average cost of a ransomware attack involving data exfiltration in 2024 was $5.21 million.
“As cybercriminals continuously refine their techniques to exploit vulnerabilities and launch large-scale attacks, defending against ransomware is becoming increasingly complex,” Dr. Williams added. “Governments are stepping up efforts to counter this growing threat, introducing new measures such as mandatory ransomware incident reporting. However, the global ransomware crisis continues to escalate at an alarming rate.”
Ransomware attackers are increasingly drawn to legitimate enterprise tools
In September 2024, security researchers discovered a double-extortion ransomware variant targeting VMware ESXi servers, which both copied and encrypted the target’s data. Ransomware groups have also been exploiting legitimate file transfer technology to secure attacks.
SEE: Microsoft Says Ransomware Groups Are Exploiting the Newly-Patched VMware ESXi Flaw
BlackFog reported that PowerShell was used in 56% of ransomware cases in 2024, highlighting how attackers are increasingly “leveraging legitimate tools and platforms to infiltrate networks, establish a presence, and exfiltrate data without triggering alarms from many endpoint protection platforms.”
Top targeted industries face relentless pressure
The manufacturing, services, and technology sectors saw the highest number of undisclosed attacks, and are often-cited as highly targeted due to the critical nature of their uptime, high levels of digitisation, and large volumes of sensitive data.
For disclosed attacks, healthcare, government, and education were the most targeted, accounting for 47% of all ransomware-related news headlines in 2024. The biggest surge was seen in the retail sector where disclosed attacks spiked by 96% with high-profile victims including Starbucks, Sainsbury’s, Morrisons, London Drugs, and Krispy Kreme.
Ransomware groups: Old leaders persist, new players emerge
LockBit remained the most active ransomware group, attacking 603 reported victims. This was despite a major law enforcement takedown in February 2024, led by the U.K. National Crime Agency’s Cyber Division, the FBI, and other international partners. The operation temporarily disabled LockBit’s ransomware-as-a-service platform, but the group resumed operations days later on a new dark web domain.
Still, payments to LockBit decreased by 79% in the second half of the year, according to separate research from Chainalysis.
BlackFog’s report identified RansomHub as the second-most active ransomware group of 2024. A relative newcomer, it emerged in February 2024 and quickly gained notoriety with attacks on global manufacturer Kawasaki and oil and gas services company Halliburton.
Medusa and Play ranked third in disclosed and undisclosed incidents, respectively.
Surge in new ransomware groups fueled by AI
A Cyberint report from October found that Q2 2024 had the highest number of active ransomware groups on record, as smaller, newer groups entered the scene.
In January 2024, the U.K.’s National Cyber Security Centre warned that the threat of ransomware was expected to rise due to the new availability of AI technologies decreasing the barrier to entry, enabling even inexperienced criminals to conduct sophisticated attacks.
BlackFog’s research reinforced these findings, reporting that 48 new ransomware groups emerged in 2024, marking a 65% increase from the number of new variants from the previous year. More than half of all ransomware attacks in the last two months of 2024 were carried out by these newly formed groups.
