Summary: Several recently released cyber industry reports show steady or growing ransomware numbers in 2024 so far, and impacts on business and government have never been greater.

Ransomware Remains a ‘Brutal’ Threat in 2024

Source: Dan Lohrmann - 1970-01-01T00:00:00Z

The first half of 2024 has been another record period for ransomware attack costs, with mounting impacts globally on customers, services and the bottom line. For example, consider these headlines:

The HIPAA Journal: Change Healthcare Ransomware Attack Cost Predicted to Rise to at Least $2.3B in 2024: “UnitedHealth Group (UHG) has provided an update on the cost of its response to the February 2024 ransomware attack on Change Healthcare. The total cost of the response is now predicted to be between $2.3 billion and $2.45 billion this year, more than $1 billion more than previously reported. UHG has already paid almost $2 billion dealing with the response to the ransomware attack, which caused massive disruption to providers across the country due to prolonged outages.”

Spiceworks: CDK Global Outage Ended After Reportedly Paying $25 Million Ransom: “The cyberattack started on June 19, 2024, with a breach of CDK Global’s systems. This resulted in software outages that paralyzed automobile dealerships nationwide. CDK Global scrambled to restore its systems following the attack, which took around two weeks.


“Consequently, auto dealerships were forced to work with manual alternative processes, which resulted in major delays in sales and services, accounting for significant financial losses. According to research by the Anderson Economic Group, auto dealerships faced over a billion dollars in losses throughout the outage.”

Government Technology: Ransomware Attack Hits Florida Department of Health: “A cyber attack on the Florida Department of Health has reportedly disrupted the state’s ability to issue death and birth certificates, and it might also put sensitive patient data at risk. In a post on the dark web, ransomware group RansomHub claimed to have stolen 100 gigabytes of data, which it threatened to publish by Friday if not paid, the Tampa Bay Times reported. But Florida law prohibits state and local governments from paying ransomware extortion, and not all cyber criminals keep their promises when paid.”

HOT-OFF-THE-PRESS RANSOMWARE REPORTS

Sophos recently issued their annual report: The State of Ransomware in Critical Infrastructure 2024. It contains findings from an independent, vendor-agnostic survey of 5,000 leaders responsible for IT/cybersecurity across 14 countries, conducted in January and February 2024.

Here is their methodology and key findings:

  • Included 275 respondents from energy, oil and gas, and utilities organizations — which fall under the Energy and Water sectors of CISA’s 16 defined critical infrastructure sectors. 
  • Recovery costs for energy and water utilities have quadrupled to $3 million in one year.
  • 49 percent of ransomware attacks against these two critical infrastructure sectors started with an exploited vulnerability.
  • 67 percent of the organizations in these sectors reported being hit by ransomware in 2024.
  • Only 20 percent of organizations hit by ransomware were able to recover within a week or less in 2024, compared to 41 percent in 2023 and 50 percent in 2022 (energy and water face longer recovery times).

I also found this excerpt to be very interesting: “86 energy, oil/gas and utilities respondents whose organizations paid the ransom shared the actual sum paid.

  • Median payment: $2,540,000
  • Mean payment: $3,225,093

“Ransom payments vary considerably by industry. IT, technology and telecoms reported the lowest median ransom payment ($300,000), followed by distribution and transport ($440,000). At the other end of the scale, both lower education and central/federal government paid median ransoms of $6.6M.”

Meanwhile, BlackFog released their monthly ransomware report for June, with these highlights:

“In June we saw an easing of the overall threat numbers for the year with 45 total attacks. Historically still very high, it represents the second highest June on record. It demonstrates just how normalized these attacks have become. Despite the lower number of attacks for the month, the ratio of unreported attacks remains high at 774%, reflecting the sheer volume of attacks that still go unreported.

“Healthcare takes center stage this month with an increase of 25% from May, followed by government and technology with increases of 23% and 21% respectively. Unlike most months the education sector took a well earned break from the record books with only an 8% increase.

“In terms of variants, Play was the biggest mover this month with a 33% increase in attacks followed by Black Basta and Medusa with 14% and 13% respectively. This follows the large increase in unreported attacks from Medusa last month, typically a leading indicator of disclosed attacks in subsequent months. While Lockbit is still the leading variant by a significant margin, we only saw a modest gain of 3% this month.

“Finally, data exfiltration is now involved in 93% of all attacks with PowerShell the leading vector at 62%, an 11% gain from the previous month. China and Russia also continue to dominate as the leading destinations for exfiltrated data with 15% and 6% respectively.”

One more report to share. ReliaQuest issued this blog on Q2 2024 ransomware insights. Here are some highlights:

  • “In Q2 2024, ReliaQuest identified 1,237 organizations on ransomware data-leak sites, up 20% from Q1 2024. This quarter’s ransomware activity has been marked by month-on-month fluctuation. 43% of organizations named on data-leak sites were announced in May, followed by exceptionally low numbers in June. These figures mark a departure from previous growth rates and suggest that major disruptions to the ransomware-as-a-service ecosystem are affecting their numbers.
  • “Following a law enforcement operation targeting LockBit in February 2024 and the dissolution of ALPHV, newer groups like RansomHub, BlackSuit, and BlackBasta have attracted new affiliates and increased their activity. ReliaQuest expects a steady increase in ransomware activity from newer groups in the second half of 2024 as affiliates adjust to new operators.
  • “During Q2 2024, LockBit attempted to recover from a major law enforcement operation. Announcing 179 affected organizations in May alone, the group likely tried to regain notoriety and disprove law enforcement’s statements regarding the group’s takedown. We expect LockBit activity to significantly reduce in coming months as the group struggles to maintain trust among affiliates.
  • “The US and the manufacturing and professional, scientific, and technical services (PSTS) sectors remain the primary targets of ransomware groups. The increase in PSTS organizations targeted reflects increased targeting of technology companies in supply-chain attacks.
  • “In the coming quarter, we expect to see a steady increase in ransomware activity. However, the increased frequency of law enforcement operations targeting ransomware groups and the prevalence of free decryption keys may lead to an overall reduction in ransomware activity in the medium- to long-term.
  • “ReliaQuest predicts continued attacks resulting from supply-chain compromise and exposed credentials by ransomware groups in the coming quarter. It is crucial that organizations keep software up to date and implement digital risk protection (DRP) solutions to prevent initial access.”

Here’s a 2024 RSA Conference session on the ransomware threat landscape with sources:

In May 2023, after a slower 2022 for ransomware, I wrote: “Are We Seeing Fewer Ransomware Attacks? Not Now!” Those trends seem to be continuing in 2024.

Also, as I travel the country and give presentations flowing from my book Cyber Mayday and the Day After, which contains true stories about ransomware through the eyes of C-Suite executives, the interest and even fascination with the topic continues to grow.

We need to keep going back to many of the same themes that I have written about in the past (that led to the book), because these cyber problems are continuing to accelerate, despite the best efforts of many. In some circumstances and fields, new staff are not familiar with the issues and solutions available.  

This article from Healthcare IT Today outlines suggestions for health-care organizations after the Ascension Healthcare ransomware attack.

I would also be remiss if I failed to mention the unprecedented global impact of the CrowdStrike software update issues, which are crippling businesses, airports and governments globally as I write this blog on Friday, July 19. While that situation is evolving rapidly, this incident is a reminder of the scale of what is at stake with technology — even if this was not a cyber attack. There will be many articles written on the topic, but regardless of your viewpoint, the world’s attention is once again directed at cybersecurity. (Even if, in this case, it is a mistake made by a cyber company trying to stop malware.)

FINAL THOUGHTS

Wired magazine recently covered this ransomware topic, and their headline kind of says it all: “Ransomware Is ‘More Brutal’ Than Ever in 2024.”