As IT complexity continues to rise, businesses are facing an increasingly challenging cybersecurity environment. Ransomware attacks have increased nearly 18 percent over the past year, according to a new report released by Zscaler’s security research arm, ThreatLabz. This surge in activity has significantly disrupted business operations, causing prolonged downtime, data loss, and costly recovery efforts. Here’s what you need to know to keep your business safe and secure.
Increasing Attacks and Payments
The 2024 Ransomware Report is based on data collected from Zscaler’s cloud security platform, Zero Trust Exchange (ZTE), which processes more than 500 trillion signals daily. ThreatLabz combines this data with its own analysis of ransomware samples, which uses reverse engineering and malware automation, to provide a comprehensive view of ransomware trends.
Brett Stone-Gross, Zscaler’s director of threat intelligence, said ransomware is one of the most significant threats companies face as part of the current cybersecurity environment. “We’re seeing increases in ransom demands, we’re seeing increases in attacks, and we’re also seeing increases in actual payment numbers,” he told ZK Research in a recent interview.
One of the key findings is the growing focus on high-value targets by groups like Dark Angels. The group has been effective by seeking out a few multibillion-dollar companies and extracting large ransoms while avoiding attention from law enforcement, resulting in a record ransom payment of $75 million by a Fortune 50 company—nearly double the previous highest known amount. ThreatLabz believes the Dark Angels strategy may influence other ransomware groups in 2025, leading to more focused attacks on big companies.
New Industries Being Targeted
There is also a shift happening in terms of which industries are targeted. Manufacturing, healthcare, and technology sectors remain top targets due to the critical nature of their operations. The energy sector, in particular, saw a 500 percent increase in attacks in the last year. These sectors are attractive to cybercriminals because disruptions can have severe consequences, making companies more likely to pay ransom quickly.
Another factor in these verticals is the rise of IT / OT integration. In my discussions with IT leaders, particularly in healthcare and manufacturing, organizations are connecting non-IT devices to their networks at an unprecedented rate. Most of these devices do not have any inherent security capabilities, leaving the door wide open for a threat actor to come in and hijack the company’s data, leading to a ransom demand.
My research shows that the number of IoT devices will nearly double in the next five years, growing from 16B today to 30B.
The Most Active Ransomware Groups
Despite efforts by law enforcement, ransomware attacks continue to rise. The report found a 58 percent increase in companies exposed to data leak sites compared to the previous year. The U.S. accounted for nearly 50 percent of all attacks, followed by the UK, Germany, Canada, and France. However, these statistics don’t fully represent the total number of ransomware incidents, as many go unreported or are settled privately.
“In terms of the number of attacks,” Stone-Gross said, “the U.S. increased more than 100 percent, so it’s a prime target. U.S. businesses are falling victim to these attacks more than any other country by far.”
The most active ransomware groups between 2023 and 2024 were LockBit, BlackCat, and 8Base. ThreatLabz identified five ransomware groups with different approaches that will likely be dominant in 2024 and 2025:
- Dark Angels: Targets a select few companies and steals large amounts of data before encrypting systems.
- LockBit: Targets many victims through a large affiliate network using various ransomware variants.
- BlackCat: Known for targeting multiple platforms until it shut down in March 2024. Its evolving techniques will likely influence future operations.
- Akira: This newer group has gained attention with its aggressive affiliate-driven model and a ransomware variant that’s hard to detect.
- Black Basta: This group has adapted to disruptions in its access networks by using social engineering tactics.
Ransomware Forecast
Looking ahead, the report predicts more attacks on high-value targets, an increase in voice-based social engineering (“vishing”) attacks, and an increased use of generative artificial intelligence (AI) to create more convincing campaigns. AI-generated voices with local accents are expected to make these attacks more effective and harder to detect.
Ransomware attacks that focus on data theft rather than just encryption are also expected to rise. This approach allows criminals to operate more quickly and effectively, using the threat of data leaks to pressure victims into paying ransom. The healthcare sector will likely remain a prime target due to its valuable data and reliance on outdated systems.
“Previously, ransomware groups would steal a few hundred gigabytes to maybe a terabyte of data,” said Stone-Gross. “Now, we’re seeing tens of terabytes, up to a hundred terabytes of data. This is causing more pressure on companies to pay these large ransoms. We think that trend is going to continue.”
Combating Ransomware
Stone-Gross said companies can take preventive measures to strengthen their cybersecurity strategies and stay informed on emerging threats. For example, multifactor authentication (MFA) can add an extra layer of security, making it harder for unauthorized users to gain access. Meanwhile, keeping software up to date and applying the latest security patches as soon as they are available helps address existing weaknesses.
“Make sure you have network monitoring, endpoint monitoring, and an end-to-end layered approach,” he said. “In addition to that, we recommend a zero trust architecture. Many companies that are falling victim to these attacks have flat networks. Someone authenticates with a VPN and has free range to access from there. With zero trust, you minimize your exposure. You can’t attack what you can’t see.”
Additionally, by enforcing least-privileged access, organizations can ensure that users only have access to resources for their specific roles. AI-powered network monitoring tools can examine user behavior and adjust access privileges. Together, these tools can prevent cybercriminals from escalating their access and moving deeper into the network.
There is a rule of thumb that security pros should keep in mind: complexity is the enemy of good security. Hybrid work, cloud computing, mobile phones, and AI have all made the environment exponentially more complex and impossible to secure using old-school methodologies. Ransomware isn’t going away, so security leaders need to ensure that company data is protected as well as possible with up-to-date security technologies.
Read about generative AI and cybersecurity to learn more about how companies use AI to protect their infrastructure.