2024 Ransomware Activity: A Year in Review
Below is a comprehensive, in-depth review of ransomware data leak site (DLS) activity in 2024, incorporating the latest findings from Analyst1’s “2024 Ransomware Extortion Activity: A Year in Review” as well as additional publicly available threat intelligence. We will explore the surge in ransomware-related “claims,” highlight how attackers leverage double extortion tactics, discuss the most active threat groups, and provide best practices for organizations facing extortion attempts.

1. Introduction: The Landscape of Ransomware in 2024
Ransomware has remained one of the most consistent and disruptive cybersecurity threats worldwide, with notable evolution in both technique and scope. The year 2024 saw a 13% increase in ransomware “claims” compared to 2023, indicating that adversaries have not slowed—and may even be refining their methods to maximize impact and profit. While traditional file encryption attacks continue to occur, threat actors’ reliance on double extortion, where data exfiltration is leveraged to force payment, has reached a near-universal adoption rate among the most prolific ransomware groups.
The distinction between a “claim” and an “attack” is significant. Throughout this analysis, “claim” is defined as an incident in which a victim organization’s name appears on a group’s data leak site. This is not always synonymous with a confirmed attack, as certain groups publicize victims that they have not fully compromised or data they have not truly exfiltrated, both to inflate their reputations and to instill fear. Yet these listings on data leak sites (DLS) remain critical indicators of a threat actor’s activities and targeting patterns.
2. Ransomware Extortion Tactics: Double Extortion Takes Center Stage
2.1 Double Extortion Becomes Standard
In 2024, the use of double extortion has become the rule rather than the exception. Instead of merely encrypting files and demanding a ransom for a decryption key, attackers also threaten to publish sensitive data on their DLS. Such public “naming and shaming” tactics heighten the pressure on victim organizations to pay, out of fear of reputational harm, regulatory penalties, or the competitive disadvantage that data leaks can bring.
2.2 Leveraging Legal Frameworks
Ransomware actors increasingly cite data protection regulations—particularly the EU’s General Data Protection Regulation (GDPR)—within their ransom notes, effectively weaponizing the very compliance laws intended to protect consumers. For instance, groups like RansomHub have threatened European entities by pointing out the steep fines and legal consequences that can arise from a data breach under GDPR. This approach underscores the sophisticated psychological tactics used to coerce victims into paying ransoms promptly.
2.3 Cross-Claims and Multiple Extortions
In a more recent development, some victims are finding themselves claimed by multiple groups, a phenomenon known as “cross-claims.” Whether these threat actors are collaborating or simply piggybacking on an existing intrusion, the result is confusion for victims and a potential doubling—or even tripling—of extortion demands. Such cross-claims pose unique challenges for incident responders, who must carefully verify the authenticity of each claim to avoid succumbing to inflated or fraudulent ransom demands.
3. Top Threat Groups of 2024: Analysis of the Pie Chart
According to data from eCrime.ch and summarized by Analyst1, 75% of the total claims in 2024 can be attributed to just 20 ransomware groups. Two groups in particular—RansomHub and LockBit 3.0—dominate the landscape, each holding an estimated 10% share of publicized claims.
- RansomHub (10%)
- Known for its brazen references to GDPR, RansomHub’s operational focus seems to include both major global corporations and smaller, regionally based entities.
- The group leverages a strong social-media-style presence on its DLS, updating victim listings regularly to keep the pressure on.
- LockBit 3.0 (10%)
- Evolving from earlier versions, LockBit 3.0 remains highly active in large-scale campaigns.
- Renowned for its “Ransomware-as-a-Service” (RaaS) model, LockBit affiliates have targeted sectors ranging from healthcare to manufacturing.
- PLAV (7%)
- Relatively newer but quickly rising, PLAV capitalizes on the success of RaaS programs, attracting affiliates that prioritize automated exploitation tools for speed.
- Akira (6%)
- Akira has showcased a strong presence in both North America and parts of Europe.
- The group’s DLS is known for listing victims quickly, often within days of compromise.
- Hunters International (3%)
- Focuses on high-profile, multinational targets.
- Known to use targeted phishing campaigns and zero-day exploits to gain initial access.
- BlackBasta (4%), Medusa (4%), BianLian (3%), and others
- Each of these groups has developed specialized tactics and tools, often aiming for sectors with compliance-driven responsibilities (e.g., healthcare, finance).
- Other Groups (25%)
- A wide range of smaller groups or newly formed collectives, representing a significant portion of the remaining threat landscape.
- These groups can emerge and disband quickly, complicating tracking efforts.
4. Regional Impact: A Focus on the United States
The United States continues to bear the brunt of ransomware extortion claims, accounting for 51% of all victim listings. While U.S. organizations often invest heavily in cybersecurity, they remain prime targets due to:
- Data Value: U.S. companies frequently handle large volumes of high-value data.
- Paying History: Attackers perceive many U.S. organizations (especially mid-sized ones with limited cybersecurity budgets) as more likely to pay a ransom to resume operations quickly.
- Broad Attack Surface: Large infrastructure networks, remote work environments, and the prevalence of legacy systems in certain sectors offer ample opportunities for exploitation.
Although Europe, Asia, and Latin America also see significant ransomware activity, the U.S. stands out in terms of overall volume, likely due to the high density of viable targets and the complexity of regulatory frameworks that make data leaks even more damaging.
5. Beyond Encryption: Key Challenges in Ransomware Response
5.1 Cross-Claims and Data Recycling
As mentioned, multiple threat actors can claim the same victim to maximize payouts. In some scenarios, attackers use recycled or partial data from previous breaches to extort organizations a second or third time. This repeated extortion intensifies risk for companies that may have believed their previous incidents were fully resolved.
5.2 Reputational Damage and Psychological Pressure
Even if a victim organization can mitigate the technical aspects of an attack, the psychological pressure exerted by DLS postings should not be underestimated. Reputational harm can be immediate, affecting stakeholder trust, stock prices, and future revenue.
5.3 Regulatory Compliance Nightmares
In nations or regions governed by stringent data protection laws such as GDPR or the California Consumer Privacy Act (CCPA), failing to protect sensitive information or notify authorities promptly can lead to severe financial and legal penalties. Ransomware groups exploit these obligations in their negotiations, noting that a leak will invariably draw regulatory scrutiny.
6. Recommendations and Best Practices
Responding to ransomware in 2024 requires a multifaceted strategy that addresses not only the technical recovery process but also the legal, financial, and reputational dimensions of an extortion event.
- Recognize Potential Collaboration
Threat actors may share stolen data or collaboratively victimize the same organization. Incident responders must remain vigilant, adopting a unified, intelligence-driven approach that cross-references possible adversary overlap.
- Employ Rigorous Validation Processes
Do not assume a single ransom note or DLS claim tells the entire story. Carefully assess the authenticity of an actor’s data samples, verifying whether the breach actually occurred and, if so, to what extent.
- Mitigate Recycled Data Risks
Adversaries often try to extort organizations with old or partially outdated data. Continuous monitoring of dark-web forums and known data leak channels can help detect if previously compromised data has resurfaced.
- Address Operational and Reputational Threats
An effective response plan incorporates communications strategies to manage public relations, shareholder updates, and any required regulatory notifications. If your organization has international operations, ascertain how data-protection laws in each relevant jurisdiction may influence your response.
- Monitor Geopolitical Influences
Ransomware groups may alter targets based on macroeconomic or geopolitical changes. Staying informed of global events—especially those affecting critical industries—helps anticipate shifts in adversarial activity.
- Invest in Prevention and Preparedness
- Security Training: Regularly train employees to recognize phishing attempts.
- Network Segmentation: Limit the blast radius of a successful intrusion.
- Encrypted Backups: Maintain offline and protected backups to reduce reliance on decryption keys provided by attackers.
- Incident Response Drills: Conduct tabletop exercises that simulate ransomware attacks, including double extortion and cross-claim scenarios.
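The cross-claim and recycled-data checks described in Section 5.1 and in the validation recommendations above can be partly automated. The following is an added example, not code from Analyst1 or from the report; it normalizes DLS victim listings so that differently spelled names match, flags victims claimed by more than one group, and flags claims whose posted proof samples consist entirely of data already seen in an earlier breach. All group names, victim names and hashes are constructed placeholders.

```python
# Added triage helper for DLS claim tracking (example code, not the report's own).
# Inputs are constructed: group and victim names are placeholders and the
# "hashes" are labels standing in for real file hashes of posted proof samples.
import re
from collections import defaultdict

# Corporate suffixes that vary between listings of the same victim.
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "corp", "corporation", "gmbh", "plc", "co"}


def normalize_victim(name: str) -> str:
    """Collapse 'Acme Corp., Inc.' and 'ACME CORP' into one matching key."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def find_cross_claims(claims):
    """Return {victim_key: sorted group names} for victims listed by >1 group."""
    groups = defaultdict(set)
    for claim in claims:
        groups[normalize_victim(claim["victim"])].add(claim["group"])
    return {victim: sorted(g) for victim, g in groups.items() if len(g) > 1}


def flag_recycled_samples(claims, prior_breach_hashes):
    """Return ids of claims whose proof samples are all from an earlier breach.
    Full overlap suggests recycled data rather than a fresh exfiltration;
    partial overlap is left for an analyst to review."""
    recycled = []
    for claim in claims:
        samples = set(claim["sample_hashes"])
        if samples and samples <= prior_breach_hashes:
            recycled.append(claim["id"])
    return recycled


# Constructed sample listings: two groups name the same victim under different
# spellings, and one claim reuses only hashes known from a previous breach.
CLAIMS = [
    {"id": 1, "group": "GroupA", "victim": "Acme Corp., Inc.", "sample_hashes": {"h-aaa", "h-bbb"}},
    {"id": 2, "group": "GroupB", "victim": "ACME CORP", "sample_hashes": {"h-ccc"}},
    {"id": 3, "group": "GroupC", "victim": "Globex LLC", "sample_hashes": {"h-old1", "h-old2"}},
    {"id": 4, "group": "GroupA", "victim": "Initech Ltd", "sample_hashes": {"h-old1", "h-new"}},
]
PRIOR_BREACH_HASHES = {"h-old1", "h-old2", "h-old3"}  # constructed, from a past incident

if __name__ == "__main__":
    print("cross-claims:", find_cross_claims(CLAIMS))
    print("recycled-data claims:", flag_recycled_samples(CLAIMS, PRIOR_BREACH_HASHES))
```

In practice the hash set would come from the organization's own record of what was taken in earlier incidents, so a full match tells the responder the new claim adds nothing beyond data already known to be exposed.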
7. Conclusion
The 2024 ransomware landscape underscores a persistent, evolving threat—where double extortion is now the norm, sophisticated psychological tactics are applied, and threat actors opportunistically inflate their standing through cross-claims and recycled data. Although there was a 13% uptick in the number of claims compared to 2023, organizations that adopt a rigorous, intelligence-led, and multidisciplinary approach to defense and response are better positioned to mitigate operational disruptions and financial fallout.
Ultimately, successful ransomware defense and response hinge on preparation, collaboration, and vigilance. By recognizing the realities of cross-claims, validating threat actor assertions, and maintaining robust data protection practices, organizations can take proactive steps toward resilience in the face of this ever-present cyber menace.