Comparitech logged 142 ransomware attacks affecting 17.6 million records in the first quarter of 2024, a significant decrease from 2023 (336 attacks).
Although we’ll likely see a few more Q1 attacks disclosed in the coming months, 2024 is so far on track to suffer far fewer ransomware attacks than last year.
That trend is consistent across all industries except finance, where the number of affected records rose from 14.74 million in Q1 2023 to 16.96 million in 2024. The vast majority of the 2024 records were compromised in the LoanDepot breach, in which the company refused to pay a $6 million ransom to ALPHV/BlackCat. That decision is projected to cost the company between $12 million and $17 million.
Here’s a breakdown of the 142 attacks so far this year:
- 72 attacks on businesses, affecting 17,289,205 records
- 14 attacks on education, affecting 8,797 records
- 36 attacks on government agencies, affecting 48,949 records (higher than the 10,592 breached in Q1 2023)
- 20 attacks on hospitals and healthcare, affecting 300,000 records
LockBit boasted the most confirmed attacks in Q1 2024 (16), followed by Medusa (11), BlackBasta (10), Akira (8), and ALPHV/BlackCat (7).
The average ransom demand across all industries was $1.88 million. The top four biggest ransom demands were:
- Ajuntament de Calvià – €10 million EUR ($11m USD) from an unknown group. Not paid.
- Claro Company (América Móvil) – $10 million demanded from Trigona. Payment not confirmed.
- LoanDepot – $6 million demanded by ALPHV/BlackCat. Not paid.
- Ann & Robert H. Lurie Children’s Hospital of Chicago – $3.4m demanded by Rhysida. Stolen data was publicly posted, suggesting no ransom was paid, but no confirmation.
Encryption-free extortion is on the rise. Criminals are more frequently demanding ransoms without encrypting data. Instead, the attacks rely on data theft and the threat of leaks to make victims pay.
Biggest ransomware attacks in 2024
The top four data breaches of Q1 2024 were:
- LoanDepot – 16,924,071 records. ALPHV/BlackCat demanded a ransom of $6 million, which wasn’t paid.
- Centre Hospitalier d’Armentières – Around 300,000 patients affected by unknown attackers in February.
- Southern Water – 230,000 to 470,000 customers affected. Black Basta claimed the attack.
- City of Jacksonville Beach – 48,949 records. Hit by LockBit. No ransom paid.
Here are some other notable ransomware attacks that took place in Q1 2024:
- Court Services Victoria was attacked by ransomware affecting numerous Australian courts and resulting in hackers stealing important audio-visual documents.
- Swedish supermarket chain Coop announced a ransomware attack that happened in December of last year. The attack was carried out by the Cactus ransomware group. Coop was forced to close down 800 stores during the attack.
- Taiwanese semiconductor company Foxsemicon Integrated Technology Inc was hit by a LockBit attack. The attack compromised 5 TB of data.
- The LockBit ransomware group claimed an attack on Subway. The fast food chain has launched an investigation, pending.
- Kenya Airways was attacked by the Ransomexx ransomware gang. At least 2 GB of data was stolen, including personal passenger information.
- The French logistics company Groupe IDEA suffered an attack in January at the hands of LockBit.
- First American admitted to a ransomware attack in January which reportedly happened in the latter part of last year. The attack was reportedly carried out by the BlackCat group.
- Kansas City Area Transportation Authority was hit with ransomware in January. The attack was carried out by Medusa who posted samples of stolen data on the dark web. The hackers demanded $2 million.
- Cosmetics and handmade soap company Lush was hit by a ransomware attack. Many personal documents, including passport scans, were affected according to the ransomware group Akira.
- In January Halcyon reported that the Mexican poultry farming company Bachoco had been hit by a ransomware attack carried out by Cactus.
- Toronto Zoo in Canada was hit by a ransomware attack in January.
- Japanese food company RE&S Holdings was hit by a ransomware attack in January.
- In March 2024 the British Library published details of a ransomware attack that reportedly cost them around £7 million. The attack exposed the personal details of around 500,000 people. It occurred in October of last year.
- In January the Global Lutheran Group was victimized by ransomware. The attack was claimed by the Rhysida group, which says it stole 734 GB of data.
- Finnish IT services provider Tietoevry suffered a ransomware attack, impacting its cloud-hosting customers in Sweden and causing outages. The attack was carried out by Akira.
- Brazilian company Agro Baggio was added to the Knight ransomware attack page in March.
- US logistic company Becker Logistics was hit by the well-known hacking collective Akira in January. The hackers encrypted 43 GB of data including financial data, personal data, and contracts.
- Ransomware group Qilin in March claimed to have stolen 550 GB of data from The Big Issue, a UK-based street newspaper.
- Gilmer County officials in March posted an announcement on the county website confirming a ransomware attack on its systems.
- NHS Scotland on Wednesday confirmed a March 15, 2024 ransomware attack and data breach perpetrated by Inc Ransom.
- Wholesale food distributor International Gourmet Foods confirmed (PDF) a ransomware attack that affected the personal information of past and current employees.
- The town of Huntsville, Canada is currently investigating a cyber attack that took place in March.
- St. Cloud, Florida officials in March confirmed a ransomware attack affecting city services. No hacking groups have claimed responsibility yet.
- Southwest Boston Senior Services, Inc dba Ethos notified customers last Friday about a data breach affecting 13,418 people.
Most of the above attacks have been confirmed by victims, but many ransomware groups claim attacks that haven’t been confirmed yet. So far in 2024, we’ve logged 939 unconfirmed attacks:
- 836 attacks on businesses
- 29 attacks on schools and education
- 16 attacks on government agencies
- 58 attacks on hospitals and healthcare
The 2024 NCC Group Annual Cyber Threat Report says that the US is taking the brunt of ransomware attacks. It found that 50% of attacks were levied at US businesses and organizations. Elsewhere, Europe (28%), and Asia (10%) remained the second and third most targeted regions.
Ransomware attacks in the US: Q1 2024
In Q1 of 2024, we tracked 63 confirmed ransomware attacks affecting 17.1 million records. This breaks down as:
- 32 attacks on businesses, affecting 17,059,205 records
- 7 attacks on schools and education, affecting 8,797 records
- 17 attacks on government agencies, affecting 48,949 records (higher than the 10,592 breached in Q1 2023)
- 7 attacks on hospitals and healthcare (no records confirmed yet)
LockBit boasted the most confirmed attacks in Q1 2024 (8), followed by Medusa (6), and ALPHV/BlackCat (5), and Black Basta (5).
The average ransom demand across all industries was $1.4 million.
We have also logged 483 unconfirmed attacks:
- 406 attacks on businesses
- 22 attacks on schools and education
- 8 attacks on government agencies
- 47 attacks on hospitals and healthcare