By Isha Marathe
March 6 - (The Insurer) - The fourth quarter of 2024 experienced the highest level of ransomware activity recorded in any single quarter to date, with a total of 1,663 known victims posted on leak sites, a 32% uptick from Q3 2024, according to Travelers' new Cyber Threat Report.
The record spike in activity was largely spurred by nation-states that supported ransomware gangs, strategic cyber attack playbooks from bad actors and a more organised targeting of IT services and consulting firms. An increased number of organisations in Q4 fell victim to ransomware groups that used repeatable attack methods, such as targeting virtual private network (VPN) accounts that had weak credentials and were not protected by multifactor authentication (MFA).
November 2024 came in as particularly notable with 629 attacks, followed by a decline to 516 in December, showing a typical pre-holiday uptick in ransomware activity.
As a whole, in 2024, the number of ransomware attack victims posted on leak sites reached 5,243, a 15% increase from the 4,548 incidents recorded in 2023. Globally, these attacks exposed more than 195 million records, and total payments to ransomware groups were estimated at $813 million for the year, the report stated.
However, major zero-day vulnerabilities were not responsible for the bulk of ransomware activity, Travelers said. And overall, the loss in dollar amount actually dropped by 35% compared to 2023 as a whole.
"A reasonable conclusion from the simultaneous increase in attacks and drop in revenue is that organizations are increasingly equipped to stand up to attackers by refusing to pay," Travelers said.
"While this marks progress of a sort in blunting financial losses from ransomware, it unfortunately does not mean an end to the costs of business disruption, IT system restoration, litigation, and regulatory fines for exposed records."
Travelers found that the construction sector remained a primary target in 2024 like years prior, with 129 attacks recorded in Q4 alone, and a 56% increase in attacks year over year. Hospitals and healthcare organisations also faced persistent threats, with attacks rising from 166 in 2023 to 210 in 2024.
Notably, the report saw an increased targeting of IT services and consulting firms, sectors that function as intermediaries for other industries, therefore amplifying the impact of an attack through their connections to multiple clients. Other targets included law practices and financial services, underscoring the broad spectrum of industries vulnerable to ransomware activity.
SHIFT IN STYLE OF ATTACK
The fourth quarter of 2024, along with the year as a whole, saw key shifts from prior years in how bad actors behaved when it came to deploying ransomware.
New players like FunkSec emerged as key hackers, and others like RansomHub continued to gain steam.
In 2024 alone, 55 new ransomware groups emerged, which is a 67% increase in group formation from 2023 and indicates a rapid proliferation of smaller, more agile players in the cybercrime ecosystem, the report found.
Additionally, smaller or less organised players found the backing of nation-states as geopolitical conflicts continued to simmer and bubble over in 2024.
"When you hear 'nation-state threat,' you think sophisticated threat actors targeting government entities and the defense industrial base for espionage purposes. What you don’t think is 'ransomware enabler,'" Travelers said. "That line is getting blurry. Security researchers have uncovered increasing connections between nation-state threat actors and criminal ransomware groups."
MITIGATION
Similar to previous years, Travelers recommended that organisations and their insurers should focus on adopting a stronger cybersecurity framework.
Some to-dos were phishing-resistant MFA for all remote access and capabilities; an effective vulnerability management program to quickly patch critical vulnerabilities in edge devices, such as VPNs; reliable backups with a resilient disaster recovery and business continuity plan; and comprehensive EDR solutions.
“Based on our observations, it’s clear that basic attack techniques are still highly effective for ransomware groups,” said Jason Rebholz, vice president and cyber risk officer at Travelers.
“These groups have been on the offensive, proactively hunting for targets and having significant success. It’s vital that businesses implement proven security controls, such as MFA, to make it far more challenging for malicious actors to carry out an attack on their organization.”