In 2024, ransomware groups claimed responsibility for 5,461 successful ransomware attacks on organizations worldwide. 1,204 of these attacks were confirmed by the targeted organizations. The rest were claimed by ransomware groups on their data leak sites, but have not been acknowledged by the targets.
This report will focus primarily on the confirmed attacks.
Across the 1,204 confirmed attacks, 195.4 million records were breached (and counting). These figures for 2024 are lower than those recorded in 2023 (1,474 attacks affecting 261.5 million records), but with many reports coming through months (and, in some cases, years) after the attack, we do expect 2024 figures to rise in the coming months.
Key findings for 2024 ransomware attacks
- 1,204 confirmed ransomware attacks
- 195,414,994 records compromised by these attacks
- Average ransom demand of over $3.5M
- Average ransom paid = $9,532,263
- Total ransom paid = $133.5M
- RansomHub was the most prolific gang (89 confirmed attacks) followed by LockBit (83), Medusa (62), and Play (57)
The top 5 biggest data breaches via ransomware in 2024
Throughout 2024, the biggest data breaches caused by a ransomware attack were:
- Change Healthcare, US – 100M affected: An estimated 100 million people were caught up in this February 2024 breach via ALPHV/BlackCat. Change Healthcare is also reported to have paid the gang $22M only for another gang (RansomHub) to claim ALPHV had pulled the rug on its affiliates.
- LoanDepot, US – 16.9M affected: Also caused by ALPHV/BlackCat, LoanDepot’s January 2024 breach affected nearly 17 million people. The $6M ransom demand wasn’t paid, however.
- MediSecure, Australia – 12.9M affected: The largest breach in Australia’s history, MediSecure was hit by an attack in May 2024. Threat actor Ansgar claimed the attack and listed the stolen data for sale at $50,000.
- Izumi Co., Ltd., Japan – 7.8M affected: Following an attack in February 2024, Izumi said nearly 7.8 million people had been impacted in this breach by an unknown group.
- Evolve Bank & Trust – 7.6M affected: LockBit hit Evolve in May 2024. The bank refused to pay an undisclosed ransom but later notified more than 7.6 million people of a data breach.
Also in the top 10 are Ascension, US (5.6M), Financial Business and Consumer Solutions, Inc., US (4.3M), Acadian Ambulance, US (2.9M), Prudential Insurance Company of America (2.6M), and Rite Aid, US (2.2M).
Ransomware attacks by sector
We categorize attacks into four sectors: business, education, government, and healthcare. The only sector that looks set to see a decrease in attacks from 2023 to 2024 is education. In 2023, we logged 188 attacks on educational institutions, such as schools and universities. This dropped to 116 in 2024. All of the other sectors will be on a steady year-on-year trend once all breaches have been reported.
Ransomware attacks on government agencies
- 179 confirmed attacks
- 1.5M records affected
- Average ransom demanded = $2.3M
- Average ransom paid = $923,000
Ransomware attacks on healthcare
- 181 confirmed attacks
- 25.6M records affected
- Average ransom demanded = $5.7M
- Average ransom paid = $900,000
Ransomware attacks on education
- 116 confirmed attacks
- 1.8M records affected
- Average ransom demanded = $847,000
- Average ransom paid = Insufficient data
Ransomware attacks on businesses
- 728 confirmed attacks
- 166.5M records affected
- Average ransom demanded = $3.7M
- Average ransom paid = $14.4M
Some business sectors did appear to see a significant decline in attacks in 2024. Most notable were the technology sector (52 attacks noted in 2024 compared to 106 in 2023) and legal firms (20 attacks noted in 2024 compared to 52 in 2023).
The top 5 biggest ransom demands in 2024
According to our data, the biggest ransom demands in 2024 were:
- Regional Cancer Center (RCC), India – $100M: India’s Regional Cancer Center was reportedly hit with a $100M demand after its attack in April 2024. Rumors suggested the Daixin Team was responsible, but the group denied being involved.
- Cencora Inc., US – $75M: The biggest known ransom payment to date. After its February 2024 attack, Cencora reportedly paid $75M to Dark Angels (which is said to have demanded $150M at first).
- Synnovis, UK – $50M: Qilin demanded $50M from the UK healthcare company in June 2024 but Synnovis refused to pay.
- Mellitah Oil & Gas, Libya – $50M: RansomHub demanded $50M from Mellitah after its attack in April 2024.
- London Drugs, Canada – $25M: LockBit demanded $25M from London Drugs in April 2024. The Canadian company reportedly offered to pay $8M but LockBit refused to accept it.
Also within the top 10 are CDK Global, US (also with a ransom demand of $25M, but this was paid to BlackSuit), RIBridges, US ($23M demand from Brain Cipher), Change Healthcare, US ($22M demand from ALPHV/BlackCat, which was paid), Ajuntament de Calvià, Spain ($11M from LockBit, unpaid), and Claro Company/América Móvil, Mexico ($10M from Trigona).
The most prolific ransomware strains in 2024
As we’ve already noted, the most prolific ransomware gangs in 2024 (based on confirmed attacks) were RansomHub (89 confirmed attacks), LockBit (83), Medusa (62), and Play (57).
However, the gang responsible for the most breached records is ALPHV/BlackCat (119.6M in total), and Dark Angels received the biggest payout ($75M).
What does 2025 hold for ransomware attacks?
Predicting the ransomware landscape is notoriously difficult. At the start of last year, it seemed as though ransomware figures were declining. But figures started to skyrocket again toward the end of the year (particularly in unconfirmed claims from ransomware gangs). In H1 of 2024 we noted 2,433 attacks (681 confirmed), while in H2 of 2024 we noted 3,028 attacks (523 confirmed).
Based on 2024, it’s highly likely we’ll continue to see large-scale attacks that cause widespread disruption to companies and/or see troves of data being stolen. What’s more, Clop’s recent Cleo exploit looks set to see a number of companies disclosing breaches in the coming months (the gang threatened to release around 66 companies toward the end of 2024).
You can track current ransomware attacks using our worldwide tracker (updated daily).
Confirmed vs unconfirmed attacks
We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.
An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.
Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.