LockBit and BlackCat/ALPHV Decline Linked with Diminishing Big-Game Hunting
While ransomware remains a lucrative avenue for operators, 2024 has seen a significant downturn in the financial returns from extortion activities, with known ransom payments dropping by 35%. According to blockchain analytics firm Chainalysis, the total amount paid to ransomware groups fell from $1.25 billion in 2023 to $814 million in 2024, marking the first decline since 2022.
This unexpected drop can be attributed to a decline in high-profile attacks, commonly referred to as big-game hunting. Chainalysis noted that despite its previous expectations for 2024 to surpass 2023’s figures, payment activity slowed notably after mid-year due to a decrease in the number of attacks targeting larger organizations.
During the first half of 2024, exceptionally large ransom payments distorted the overall data, including a notable $75 million payout to Dark Angels and a $22 million payment to BlackCat/ALPHV by UnitedHealth Group’s subsidiary, Change Healthcare. These payments, however, did not prevent the downward trend observed later in the year. A separate report from incident response firm Coveware found that only 25% of affected organizations chose to pay the ransom in the final quarter, down from about one-third in the previous quarter.
Additionally, Kivu Consulting’s research into 2024 negotiations showed that around 30% resulted in actual payments. The decline in profitability appears to be closely linked to the downfall of prominent ransomware operations, including the BlackCat/ALPHV group, which reportedly executed an “exit-scam,” absconding with $22 million rather than distributing the ransom proceeds as initially intended.
Another significant factor in the drop in ransom payments was the disruption of the LockBit operation, which was heavily compromised by law enforcement actions starting in early 2024. The UK’s National Crime Agency played a pivotal role in infiltrating LockBit’s infrastructure and unmasking its leaders, crippling the group’s attempts to maintain operations amid increasing scrutiny and pressure from cybercrime units.
While LockBit continues to claim it is operational, recent analyses suggest that a notable percentage of its reported victims may be fictitious. Concurrently, the demise of both LockBit and BlackCat has resulted in a shift towards lone actors who focus on small to mid-sized enterprises, which tend to yield more modest ransom demands.
The 2024 figures remain above those of 2022, but the future trajectory of ransomware revenue is uncertain. The landscape is heavily influenced by the ongoing law enforcement focus on disrupting the infrastructure that supports these cybercriminal operations, including money laundering networks. Chainalysis emphasizes that collaborative efforts and innovative defense mechanisms will be crucial in sustaining the progress realized in 2024.
This situation highlights the importance of understanding the tactics employed by these adversaries, which may include those catalogued in the MITRE ATT&CK framework, such as initial access, persistence, and privilege escalation. As ransomware attacks evolve, the strategies employed by the operators will continue to pose significant threats to businesses, underscoring the need for robust cybersecurity measures.