Uncover the story behind the 'Biggest Heist Ever' — a gripping new Netflix documentary! Watch the trailer.

Ransomware in 2024: Latest Trends, Mounting Threats, and the Government Response

TRM InsightsInsights
Ransomware in 2024: Latest Trends, Mounting Threats, and the Government Response

On October 1, 2024, the US Department of the Treasury's Office of Foreign Assets Control (OFAC), in collaboration with the United Kingdom and Australia, sanctioned seven individuals and two entities connected to the Russian cybercriminal group Evil Corp.

Led by Maksim Viktorovich Yakubets, Evil Corp has been a notorious presence in the cybercrime world since 2009, when it first developed the Dridex malware, used to steal banking credentials and conduct financial fraud. Over the years, Evil Corp’s ransomware operations have impacted over 40 countries and caused financial losses exceeding USD 100 million, particularly affecting healthcare, financial services, and critical infrastructure.

TRM graph visualizing one cryptocurrency's associations with criminal group exposure
As visualized in TRM, a cryptocurrency associated with Ryzhenjov shows significant exposure to criminal groups, such as well known ransomware actors that cashed out at both compliant VASPs and sanctioned entities such as Cryptex.net

{{infocard-ransomwarein2024-1}}

While the actions against Evil Corp, which coincided with the US-hosted Counter Ransomware Initiative summit—an international event bringing together over 50 countries to address the global ransomware threat—were a much needed win for global law enforcement, over the last year we’ve seen a dramatic increase in the size and scale of ransomware attacks.

Frequency and sophistication of ransomware attacks surge in 2024

In 2024, ransomware attacks surged dramatically, both in frequency and sophistication. Cybercriminals have increasingly targeted high-value sectors such as critical infrastructure, healthcare, telecommunications, and financial services. 

To put it in perspective, in July we saw 60 publicly disclosed attacks—a 58% increase from 2023. And in August, we saw 63 publicly disclosed attacks, the highest number of attacks in August on record. 30% of the August attacks were against the healthcare sector specifically.

In 2024, ransomware payments and demands reached unprecedented levels. In the first half of 2024, the average extortion demand per ransomware attack was over USD 5.2 million. That number includes the March 2024 record victim payment of USD 75 million. 

It’s not just payments that have accelerated. The attacks themselves are more complex than ever, thanks to the proliferation of new ransomware strains, advanced attack techniques, and the rapid expansion of Ransomware-as-a-Service (RaaS).

Cryptocurrency remains the dominant form of payment in these attacks, enabling cybercriminals to receive payments anonymously and execute cross-border transactions. While law enforcement efforts to trace these payments have intensified, ransomware groups are continuing to evolve their methods to evade detection.

{{blogad-ransomwaresummer-blog-1}}

High-profile ransomware attacks in 2024

Several major ransomware incidents in 2024 exemplify the escalating threat. In June, the BlackSuit ransomware group attacked CDK Global, a major software provider for auto dealers, disrupting operations across thousands of dealerships in North America. The attackers demanded 387 Bitcoin (roughly USD 25 million), though the funds were not recovered. This attack illustrated how ransomware can severely disrupt large-scale operations and vital supply chains.

In September, the ShinyHunters hacking group breached AT&T’s systems, stealing millions of customer call records and demanding 5.72 Bitcoin (roughly USD 373,000) in ransom. While the ransom was paid, the funds were quickly laundered through multiple cryptocurrency exchanges, complicating law enforcement's recovery efforts.

Another major incident occurred earlier in the year when the AlphV (BlackCat) ransomware group targeted Change Healthcare, a key player in the US healthcare system. The attack disrupted pharmacy services and hospital systems across the country, with the attackers demanding a USD 22 million ransom. This case demonstrated the healthcare sector's vulnerability to ransomware attacks.

Ransomware-as-a-Service (RaaS) and its growing impact

The emergence of RaaS has fundamentally transformed the ransomware landscape. This model allows experienced developers to sell ransomware tools to less-skilled affiliates, who carry out the attacks. Affiliates typically retain up to 80% of the ransom, with the remainder going to the developers. 

This business model has made ransomware more accessible and profitable than ever before. One of the most prolific RaaS groups, LockBit, has been responsible for thousands of attacks worldwide, amassing over USD 200 million in Bitcoin ransom payments since 2022. Despite law enforcement efforts, such as the UK’s National Crime Agency disrupting LockBit’s infrastructure, ransomware groups continue to adapt and evolve.

Double and triple extortion tactics

Ransomware attackers have also begun employing more aggressive extortion tactics. In double extortion, attackers not only encrypt data but also steal sensitive information, threatening to release it unless the ransom is paid. 

Triple extortion goes a step further by targeting third parties, such as customers or business partners, to increase the pressure on the victim to comply with the ransom demands. These tactics add additional layers of complexity and risk to ransomware attacks, making it more likely that victims will pay to avoid reputational or legal damage.

The role of cryptocurrency in ransomware operations

Cryptocurrency remains central to ransomware operations, offering criminals a way to demand and receive payments while obscuring their identities. While Bitcoin dominates ransom payments, ransomware actors have also looked to privacy coins like Monero.

Criminals have also adopted more sophisticated laundering techniques, including chain-hopping, which involves moving funds across different blockchains to evade detection. These strategies make it increasingly difficult for law enforcement to trace and recover stolen funds.

{{infocard-ransomwarein2024-2}}

Laundering techniques used by ransomware groups

Ransomware operators use several advanced methods to launder illicit funds. Peel chains involve moving small increments of funds through a series of intermediary wallets to obscure the original source. Mixers, another common tool, blend cryptocurrency from multiple users—making it harder to trace individual transactions.

Additionally, criminals are increasingly turning to cross-chain laundering, which leverages Decentralized Finance (DeFi) platforms to convert stolen funds across different blockchains. These laundering methods further complicate law enforcement efforts to track the flow of funds.

{{blogad-comradesincrime-report-1}}

Global response to the ransomware threat

Governments and law enforcement agencies around the world have intensified their efforts to combat ransomware, focusing on both disrupting ransomware operations and preventing payments to attackers. The International Counter Ransomware Initiative (CRI), led by the White House, has fostered international cooperation, with 40 countries signing a pledge in October 2023 to never pay ransom to cybercriminals. This initiative aims to reduce the financial incentives that drive ransomware attacks by targeting the criminal infrastructure that supports these operations.

The US Treasury Department has also taken action by sanctioning cryptocurrency exchanges, such as Suex and Chatex, for facilitating ransomware payments. These exchanges have been blacklisted for processing illicit funds linked to ransomware groups.

A major success came in February 2024, when US, UK, and European authorities collaborated to disrupt the infrastructure of LockBit, a leading ransomware group that had extorted over USD 200 million in Bitcoin since 2022. This international cooperation marked a significant victory in the global fight against ransomware.

TRM graph visualizing the 80/20 financial split between LockBit affiliate networks and administrators
TRM graph showing initial ransom payments and 80/20 financial split between LockBit affiliates and administrators

Emerging technological threats in ransomware operations

Ransomware operators are expected to increasingly leverage new technologies to improve the efficiency and impact of their attacks. Artificial intelligence (AI) is being used to automate ransomware campaigns, enabling criminals to craft more convincing phishing emails, identify vulnerabilities in systems more efficiently, and optimize ransomware delivery. As AI tools become more advanced, organizations may find it harder to detect and prevent these attacks.

The rise of high-throughput blockchains—which can process thousands of transactions per second—presents another challenge for blockchain intelligence platforms. Criminals may use these faster networks to move funds more quickly, giving law enforcement less time to trace illicit transactions in real-time.

Additionally, ransomware groups are expected to exploit vulnerabilities in DeFi platforms and smart contracts. These technologies, which underpin much of the crypto economy, offer new opportunities for cybercriminals to siphon funds or demand ransom payments through the exploitation of DeFi protocols.

Future outlook: Strategies for disrupting ransomware

The sophistication and persistence of ransomware groups will continue to pose challenges for law enforcement and cybersecurity experts. However, several strategies are essential for disrupting these operations.

Public-private partnerships will play a critical role in tracking ransom payments and dismantling ransomware infrastructure. Companies like TRM Labs are helping to trace illicit crypto transactions and identify key players in ransomware operations, providing valuable intelligence to law enforcement agencies.

Governments are also likely to implement stricter cybersecurity regulations, particularly for critical infrastructure providers and private companies. Policies such as the EU’s Cybersecurity Act and the US’s CISA Cybersecurity Advisory are setting new standards for cybersecurity, aiming to mitigate the threat of ransomware by enforcing stronger protections.

High-risk industries—including healthcare and finance—must adopt more proactive cybersecurity measures, such as deploying advanced endpoint protection, implementing regular patching, and providing comprehensive employee training on cybersecurity awareness. By adopting these measures, organizations can reduce their vulnerability to ransomware attacks.

As ransomware groups evolve, the continued development of sophisticated defenses, stronger regulatory frameworks, and unwavering international collaboration will be essential in mitigating the growing ransomware threat. The current wave of attacks is a reminder that while progress has been made, the fight against ransomware is far from over, and stakeholders across all sectors must remain vigilant.

This is some text inside of a div block.
Subscribe and stay up to date with our insights

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Read TRM’s deep dive on the Evil Corp actions here.

RANSOMWARE ATTACK STATISTICS:
RUSSIAN-SPEAKING RANSOMWARE GROUPS

  • Russian-speaking ransomware groups accounted for at least 69% of all crypto proceeds from ransomware in 2023, exceeding USD 500 million
  • Russian-language darknet markets also comprised 95% of all crypto-denominated illicit drug sales on the dark web in 2023
  • Inflows to just one Russia-based crypto exchange, Garantex, accounted for 82% of crypto volumes belonging to all sanctioned entities internationally

<a id="callout-link" href="https://www.trmlabs.com/comrades-in-crime-exploring-the-russian-speaking-illicit-crypto-ecosystem">Learn more in this report →</a>