Ransomware, Threat Intelligence

Victims of cyber extortion and ransomware increase in 2024

A detailed digital illustration of a skull and virus icons on a red code screen, symbolizing cyber threats, hacking, and digital security breaches.

Editor's Note: This article originally appeared on sister publication SC Media UK.

More than 4,000 new victims of ransomware were recorded over the past 12 months.

According to research by Orange Cyberdefense, there was a 77% year-on-year growth from 2023 with 4,374 new victims detected in 75% of countries monitored. In the first quarter of 2024, there were 1,046 victims hit by 43 different threat actors.

Speaking at a launch event last week in Antwerp for the Cy-Xplorer 2024 report, Simen van der Perre, Belgium strategic advisor at Orange Cyberdefense, said these victims are recorded by monitoring leak sites, mostly on the dark web, and most victims are put on these leak sites for not having paid a ransom.

“The extortionists put them on the leak side to raise pressure on negotiations or just to get the money,” he said.

Opportunistic hits

The researchers found that there is a more opportunistic approach for most threat groups when it comes to targeting victims, and as a result, small businesses with fewer than 1,000 employees are four times more likely to be impacted by attackers than medium and large businesses.

Van der Perre said targeting is mainly done by victim variables, such as who is the most vulnerable, who didn't work well on their cybersecurity hygiene and best practices, and who did not train their users very well.

“These small organizations, they usually don't have the same type of budget as medium and large ones so they are probably more vulnerable,” he said. “They do not have the funds to invest in cybersecurity hygiene and training. Also threat actors are quite opportunistic.”

Repeat victims

The research also determined over 200 occurrences of “re-victimization,” with 39 of these instances spotted in Q1 2024. Researchers found some victims posted up to three times on a dedicated leak site.

Typically a re-victimization occurs when a victim is hit by a second cyberattack, the data has been sold or leaked on a website, or access has been sold to a different operator. Diana Selck-Paulsson, global lead security researcher at Orange Cyberdefense, said 200 occurrences of re-victimization were detected — from 11,000 total victims — by searching on victim’s names, while some names showed up three times.

“We find this very problematic because we can't know for sure whether or not this is a completely new compromise, but for the victim it's going to be horrific because the business needs to now check and be capable of checking whether or not another compromise has occurred,” Selck-Paulsson said.

She also said that the company only began tracking re-victimization in 2020, but the trend really began in 2023, and the largest detection of re-victimization was in Q1 2024.

With half of re-victimisations happening within 80 days to 302 days, the research believed this is often due to attackers moving between ransomware groups, where the victim may have been hit by two ransomware attacks.

Selck-Paulsson said this could be about increasing the pressure on the victim as they had not complied with any ransom demands. “We do think that after 634 days, or the longer time has passed, it is more likely that we see two or three different brands involved in re-victimization,” she said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.