Ransomware roundup H1 2024

Comparitech logged more than 420 attacks affecting over 35.3 million individual records in the first half of 2024. Those figures are down from the same period in 2023, during which we recorded 704 attacks affecting 155.7 million records.

The average ransom demand per attack across all industries was just over $5.2 million. This figure is an average of 56 known ransom demands.

Here’s a breakdown of ransomware attacks in the first six months of 2024 compared to the same period in 2023:

  • 240 attacks on businesses, affecting 29,775,685 records (down from 422 attacks affecting just over 142.2 million records)
  • 43 attacks on education, affecting 32,154 records (down from 96 attacks affecting nearly 2.6 million records)
  • 74 attacks on government, affecting 52,390 records (down from 99 attacks affecting just over 208,000 records)
  • 63 attacks on healthcare, affecting 5,485,446 records (down from 87 attacks affecting just over 10.7 million records)

Even though healthcare entities saw a downturn in the number of attacks and records affected, we’ve seen some of the biggest attacks on this industry to date in terms of disruption caused and ransom amounts. Breach disclosures will continue to trickle through, so these figures will likely increase.

The above only covers attacks that have been confirmed by victims, but ransomware gangs make a lot of claims that are never acknowledged. Comparitech researchers further logged 1,920 unconfirmed attacks: 1,714 on businesses, 58 on education, 35 on government, and 113 on healthcare.

Top five ransomware attacks in H1 2024

The biggest attacks in H1 2024 by number of individual records affected were:

  1. LoanDepot – 16,924,071: Hit by ALPHV/BlackCat in January 2024. The company did not pay the $6 million ransom demand. The attack is projected to cost the company $12 million to $17 million.
  2. Izumi Co – 7,784,999: Hit by a ransomware attack in February 2024. No groups have claimed the attack.
  3. Prudential Insurance – 2,556,210: Also hit by ALPHV/BlackCat.
  4. India’s Regional Cancer Center (RCC) – 2,000,000: Attacked in April 2024 with 11 out of 14 servers encrypted and 2 million patients’ data breached. Attackers allegedly demanded a $100 million USD ransom. Daixin denied responsibility.
  5. Ann & Robert H. Lurie Children’s Hospital of Chicago – 791,784: Hit by Rhysida. The hospital confirmed it did not pay the $3.4 million ransom demand.

Top five biggest ransom demands of H1 2024

The biggest ransoms in H1 2024 were demanded after the following attacks:

  1. India’s Regional Cancer Center (RCC) – $100 million: As mentioned above.
  2. Synnovis – $50 million: UK pathology services hit by an attack in June. Qilin claimed responsibility. Disruptions are ongoing as of the time of writing. Qilin claims to have stolen 400GB of data.
  3. London Drugs – $25 million: LockBit claimed this attack that shut stores for over a week. London Drugs refused to pay. LockBit says it was offered $8 million.
  4. Change Healthcare – $22 million: Paid to ALPHV/BlackCat following an attack in February 2024. RansomHub also claimed to have the stolen data. Sources suggest Change Healthcare lost $872 million from the attack.
  5. Calvià City Council – €10 million ($11 million USD): Not paid. Claimed by LockBit.

Most active ransomware gangs of H1 2024

Ransomware attacks are usually launched by gangs of malicious hackers. These gangs can either work for themselves or license their malware out to other cybercriminals in a ransomware-as-a-service (RaaS) model.

LockBit claimed the most confirmed attacks (48), followed by Medusa (31), BlackBasta (27), Akira (20), 8Base (17), and INC (16).

The leader of LockBit was unmasked and sanctioned by US authorities in May 2024, and authorities have launched several raids on the group’s infrastructure. Despite those efforts, LockBit remains the most active ransomware gang in 2024.

We’ve noted an increase in the number of gangs that no longer encrypt files as part of their attack, and instead rely solely on data theft for extortion.

Most frequently attacked countries in H1 2024

Even though the US has seen a downturn in the number of ransomware attacks reported, attack frequency in other countries has been more stable.

  1. United States – 209 attacks in H1 2024, compared to 396 in 2023.
  2. Canada – 19 attacks in H1 2024, compared to 21 in H1 2023.
  3. United Kingdom – 22 attacks in H1 2024 and H1 2023.
  4. Australia – 12 attacks in H1 2024, compared to 13 in H1 2023.
  5. Japan – 10 attacks in H1 2024 and H1 2023.
  6. Singapore – 8 attacks in H1 2024, compared to 1 in H1 2023.

Like the US, other countries that have seen a significant decrease in attacks include Germany (26, down from 44), Switzerland (4, down from 14), and France (10, down from 30).