The headline is this: 59% of businesses were hit by ransomware attacks in 2024. And it’s not just that ransomware attacks are increasing; it’s the amount of money demanded per ransomware, which was $5.2 million in the first half of 2024. In March 2024, one victim broke the highest ransom payment at $75 million. And in November 2024, attacks increased by 16%, driven by the strain ‘Ymir,’ but Akira is the most active threat actor. They’re numbers we can expect to see increase, but our question is, why? Read on to find out.
What Are Ransomware Attacks?
We should probably start by answering this question. Ransomware attacks involve cyber extortion using malicious software that is used to encrypt and lock business data and systems. To unlock the system, a message will appear demanding a ransom payment—hence the name ransomware attacks.
Businesses can use an intrusion prevention system, but the worry people have is that ransomware software and techniques are becoming too advanced.
Attackers will often ask for payments in cryptocurrency to keep their anonymity. The attacks can come to businesses through phishing emails, exploiting outdated software, or, more recently, using AI.
Once ransomware infiltrates a system, it’s pretty much game over. It’ll act in stealth mode, collecting all the sensitive company data and then locking the business out of their system.
Advanced strains are also now using double extortion. Attackers encrypt data and threaten to release the information if the company doesn’t meet their money demands.
The new Ymir strain uses memory-based operations, so it’s not detectable by traditional detection methods.
The Technology Fuelling the Attacks
Ransomware as a Service (RaaS) has led individuals of all skills to acquire ready-made ransomware kits, allowing them to become a part of the problem. People aren’t even advanced hackers anymore—they’re just people who want money and think they won’t get caught. Often, ransomware attackers aren’t ever discovered.
It’s the technology equipping cybercriminals with highly sophisticated tools, making ransomware attacks more effective and tricky to prevent. Hackers have started exploiting artificial intelligence (AI) and machine learning tools. Automated phishing campaigns, penetration of a target’s system for potential vulnerabilities, and optimization of ransomware delivery can all be done using AI.
Using AI-based tools, hackers can send out phishing attempts in the form of emails extremely similar to authentic ones—it’s crazy if you see one.
To further muddy the waters, attackers have begun using advanced laundering methods like cross-chain hopping and mixing software, resulting in large deposits shaped like ransom payments.
Vulnerability Exploitation
Installing ransomware by exploiting unapplied updates is considered one of the most efficient attack methods. In 2024, 32% of ransomware attacks were reported to be directed to a system with outdated applications, which raises the classic issue of organizations not updating their software in time.
Even today, some attackers still use remote desktop protocol brute force attacks and commonly used software exploits to target legacy systems that lack modern security features. The industries suffering the most are the healthcare and manufacturing sectors.
As we said, one of the major factors contributing to this is phishing emails, which are still among the core components of cyberattacks.
New Advanced Configuration Options
Modern ransomware groups and strains have been increasing—we’ve already mentioned two in the introduction.
These configurations allow attackers to tailor their attacks toward the victim’s vulnerabilities. For example, Ymir, while targeting any victim, uses memory-based operations that make traditional detection methods less effective, as we’ve said. This advanced configuration can operate using modular versatility. This technique ensures that many phases of a single attack suit don’t run parallel, so the likelihood of detection and mitigation is significantly lowered.
Another layer of complexity is added by the emergence of multi-extortion strategies like double and triple extortion—but we’ve already discussed that, so we won’t go into more detail.
Attack Increases on High-Value Sectors
It makes sense that attackers would go for the high-value sectors.
In 2024, an astonishing 33% of all ransomware attacks were directed at the industrial sector. Why? It’s the sensitivity of their data and the massive revenue they generate.
Healthcare organizations are also at the greatest risk of attack because they know these services must operate 24/7. A hospital can’t afford to have downtime, so naturally they’re more likely to pay. And hospital databases have hundreds of thousands of patient data to exploit.
The same attack strategy is used against banks that can’t risk mass data exploitation that could lead to unprecedented fraud—and they obviously have a lot of money to pay the ransom.
And the nation-state actors, like the Russia-based Sandworm, strategize around coin losses and use ransomware as a means for disruptive espionage at the political level of the system.
What Can Businesses Do to Protect Themselves?
Investing in cybersecurity is the most effective way to prevent ransomware attacks. Using advanced endpoint protection, network segmentation, and upgrades of the intrusion detection systems is essential. And, more than anything, businesses should patch up software by regularly updating it.
Employees also need to be trained in recognizing phishing attempts and being educated on which practices to follow. Another measure is considering having an offline backup so that sensitive data can be restored instead of being forced to make ransom payments. Having incident response plans ready and working with cybersecurity firms also helps.
Ransomware attacks in 2024 are more of an issue than ever—it’s almost inevitable a business will face a ransom attack of some form over the next few years. It’ll be interesting to see how the threat evolves in 2025.
