2024 looks set to be another record-breaking year for ransomware — and it’s likely going to get worse
- November 4, 2024
- Posted by: chuckb
- Category: TC Security
The ransomware industry continues to thrive, showing no signs of decline despite notable law enforcement successes against cybercriminal groups. According to Allan Liska, a threat intelligence analyst at Recorded Future, the year 2024 is poised to set new records in terms of both the prevalence of ransomware incidents and the size of the ransoms victims are paying. Liska indicates that while the rate of growth may stabilize, it remains concerning that record-breaking sums are being paid, including four instances of eight-figure ransoms this year alone.
A striking case highlighted by Liska was the $22 million ransom paid by Change Healthcare to the ALPHV group following the breach of sensitive medical data impacting millions of Americans. The incident has drawn attention not only for its financial implications but also for the internal strife that erupted within the ransomware group afterward, showcasing the chaotic nature of the industry. Liska humorously likened it to a reality show due to the infighting among the hacker affiliates.
The landscape of ransomware is evolving as younger, highly motivated threat actors such as Lapsus$ and the adolescent group Scattered Spider have emerged, exhibiting a propensity for high-stakes cyberattacks, including significant breaches at MGM Hotels and Transport for London. This shift indicates a growing trend of data-theft-only attacks, which have surged by more than 30% in 2024. Liska notes that these newer hackers often prefer to exfiltrate data rather than engage in the more complex activities of encryption and decryption, forgoing traditional ransom demands.
Moreover, Liska stresses the potential for future attacks to escalate beyond digital boundaries, as some groups have begun employing real-world extortion tactics. The noted escalation of threats could be attributed to groups like Scattered Spider, which may use personal data against victims who refuse to comply with ransom demands. The intersection of ransomware and real-world violence raises urgent concerns about the security environment in which these attackers operate.
The political landscape, particularly the outcomes of upcoming U.S. elections, could dramatically influence the ransomware domain. Liska emphasizes that the Biden administration’s formation of a global ransomware task force has been beneficial in combating cyberattacks through enhanced international intelligence sharing. However, he expresses concern that if there is a policy shift under a potential Trump administration, characterized by reduced cooperation with allies, this could hinder law enforcement responses and lead to a rise in ransomware activity.
Reflecting on the past, Liska recalls how previous inaction against attacks like WannaCry and NotPetya led to significant challenges. He underscores the pressing need for systemic changes to address the ransomware crisis effectively. While Liska acknowledges that outright bans on ransom payments may not be an ideal solution, he proposes that it may be the only viable strategy left. He argues that the persistent flow of substantial ransom payments undermines law enforcement efforts by creating an incentive model that is difficult for attackers to resist.
Through these observations, Liska highlights the complex interplay between evolving hacker methodologies, the legal landscape, and the pressing need for coherent and coordinated responses to ransomware threats. As attackers become increasingly brazen and creative in their approaches, stakeholders must grapple with both the realities of cyber extortion and the potential repercussions in the realm of global security.