Black Kite published its annual report, based on primary research, State of Ransomware 2024: A Year of Surges and Shuffling,
which reveals the increased persistence, sophistication and aggression within
ransomware groups. According to the Black Kite Research & Intelligence Team
(BRITE), there were a staggering 4,893 reported ransomware attacks from April
2023 through March 2024 - an 81% year-over-year increase. The United States was
the most targeted country in the world. In fact, during this time, there were
nearly as many attacks in the U.S. alone (approx. 2300) as there were globally
in all of 2023 during the corresponding period.
The research
by Black Kite's BRITE group offers an unprecedented deep dive into the
sophistication and interconnectedness of the ransomware ecosystem, breaking
down the corporate-like structure of these cybercrime actors. The report -
which offers analysis of more than 130 ransomware groups, their activities and
their victims over a one-year period - sheds light on cybercriminals' evolving
tactics, their operations and the profound impact ransomware attacks have on
victims worldwide.
"We are seeing
an unrelenting surge in ransomware attacks in a world where cyber adversaries
function like shadow enterprises. The sophistication of these groups rivals
that of any Silicon Valley tech startup," said Ferhat Dikbiyik, chief research
and intelligence officer, Black Kite. "Law enforcement's dismantling of
notorious groups like AlphV has not discouraged operations. It merely caused
them to refocus and realign, and in some cases join forces with other
affiliated groups. This shift underscores the volatility within these illicit
networks while highlighting the critical cybersecurity challenges organizations
around the world face every day in threat detection and mitigation."
Ransomware as a business and its emerging leaders
The report provides insight into talent acquisition and revenue structures -
with operators typically retaining 20-30% and affiliates taking the lion's
share of revenue. The report discusses the rise and fall of established players
like LockBit and how data supports a dynamic, thriving industry with
multi-affiliate collaboration and bidding wars for affiliates. Emerging groups,
such as Akira and 8base, are quickly climbing in power and authority. The Black
Kite report reveals that 9 of the top 15 most active groups are new entrants
to the market.
Data indicates
not just escalation but also acceleration of attacks, signaling the evolution
and increasing aggressiveness of ransomware players. More than 100 companies
were victimized by two groups and several were victimized by three groups.
These attacks are happening in quicker succession - sometimes with mere days
between attacks - indicating the ransomware groups are monitoring other groups'
activity so they can strike while a victim is still weak. Data also indicates
that ransomware affiliates may work with multiple RaaS providers, leading to
multiple payloads from different groups in a single environment.
Evolving ransomware victim profiles
The report offers a detailed analysis of victims and cybercriminals' approaches
to profiling and targeting. While previous years saw a focus on resource-rich
organizations, ransomware groups are more frequently targeting organizations
that offer critical human services and smaller companies with revenue under $20
million (nearly 1200 victims). As an example, healthcare jumped to the third
most targeted industry with 273 victims. This is a startling number considering
the profound impact caused by ransomware-related business disruptions and theft
of patient health information (PHI), as evidenced by recent news of the $1.6
billion hit to United Health in the wake of the Change Healthcare attack.
Notably, while 82 victims were hospitals, the rest were smaller physicians'
practices and medical officers, which often lacked robust cybersecurity
defenses. However, manufacturing still leads with 1,016 victims, indicating the
targeting of industries that are foundational to national economies.
Finally, the
report takes a close look at cyber predator behavior and victim risk profiles.
With a record number of vulnerabilities, zero-day exploits were the top tactic
of choice for many groups with credential stuffing following as the second most
used strategy. More than 3,000 victims had at least one leaked credential in
the 90 days prior to a ransomware attack. BRITE also leveraged Black Kite's
Ransomware Susceptibility Index® (RSI™) to evaluate victims' risk posture prior
to attacks and found that companies with an RSI score above .8 are 27 times
more likely to experience a ransomware attack.
Through BRITE,
Black Kite actively monitors more than 130 ransomware groups, 67 of which
published at least one victim in the time period analyzed. During this study,
the team analyzed the attacks and victims by tracking the victims' cybersecurity
posture on the Black Kite platform before and after the ransomware attack.
The team also monitors dark web blogs, hacker forums, and Telegram
channels to track the evolving tactics and narratives of the ransomware groups
in real time. The analysis is incorporated into the "State of Ransomware 2024"
report, along with tips for improving cyber risk and security posture.
Ultimately, the report aims to empower organizations with the knowledge and
insights needed to bolster their cybersecurity defenses and mitigate the risk
of falling victim to ransomware extortion.