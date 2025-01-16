4 min read
As we near the end of 2024, ransomware remains a dominant and evolving threat against any organization. Cyber criminals are more sophisticated and creative than ever. They integrate new technologies, leverage geopolitical tensions and even use legal regulations to their advantage.
What once seemed like a disruptive but relatively straightforward crime has evolved into a multi-layered, global challenge that continues to threaten businesses and governments alike.
Let’s take a look at the state of ransomware today. We’ll focus on how cyber criminals are changing tactics, relying on AI technology, exploiting legal frameworks and more.
One of the most significant developments in the ransomware landscape has been the use of artificial intelligence (AI) to enhance phishing and social engineering attacks. Historically, phishing emails often contained obvious signs of fraud — misspelled words, poor grammar and generic messaging. However, new generative AI tools can craft highly personalized and professional-looking emails, which has drastically changed the game. This likely explains why phishing attack volumes and success rates have been rising since phishing campaigns are easier to generate and are more convincing than ever.
AI allows threat actors to mine vast amounts of data to craft convincing emails targeting specific individuals or organizations. These emails may contain contextual information that makes them seem legitimate, significantly increasing the likelihood of success. The ability to deliver such precise attacks is why ransomware has been particularly devastating to industries like healthcare, where any disruption can have life-threatening consequences.
Additionally, AI-generated deepfake technology has begun to play a role in social engineering. Cyber criminals can now create audio and video deepfakes of company executives to trick employees into transferring money or revealing sensitive information. This has made detecting fraud much harder, and organizations are finding it increasingly difficult to protect against such attacks.
Industry newsletter
Stay up to date on the most important—and intriguing—industry trends on AI, automation, data and beyond with the Think newsletter. See the IBM Privacy Statement.
Your subscription will be delivered in English. You will find an unsubscribe link in every newsletter. You can manage your subscriptions or unsubscribe here. Refer to our IBM Privacy Statement for more information.
Ransomware groups are not just relying on technical means to pressure victims into paying ransoms — they are also manipulating legal regulations to their advantage. One of the most striking developments in 2024 has been the weaponization of disclosure rules, specifically those issued by the U.S. Securities and Exchange Commission (SEC).
A recent high-profile case involved the ransomware group BlackCat/ALPHV filing a formal SEC complaint against a digital lending service provider. After exfiltrating the company’s files, the group allegedly reported to the SEC that the provider failed to comply with regulations that require organizations to disclose any cybersecurity incident within four business days. This added “legal” tactic was designed to pressure victims into paying the ransom to avoid financial penalties or reputational damage.
This disturbing incident shows that ransomware groups will use anything, even government regulations, as leverage. “Threat actors are using the regulations to put more pressure on the victims. This is quite an interesting trend,” said Ifigeneia Lella, a cybersecurity expert at the European Union Agency for Cybersecurity (ENISA). It is a chilling reminder that legal frameworks, while intended to protect the public and promote transparency, can be manipulated by bad actors to further their own malicious agendas.
As per the ENISA Threat Landscape 2024 report, the past year saw increasing use of “living-off-the-land” (LOTL) techniques by cyber criminals. LOTL attacks involve using tools and software that already exist within a victim’s system, making it harder for security teams to detect malicious activity. Instead of relying on external malware that can be flagged by antivirus software, attackers leverage legitimate administrative tools like PowerShell or Windows Management Instrumentation (WMI) to execute their attacks.
For example, PLAY, a multi-extortion ransomware group, often uses off-the-shelf tools like Cobalt Strike, Empire and Mimikatz for discovery and lateral movement within a target’s network. By avoiding the introduction of new, suspicious software, attackers can evade detection for longer periods, often until it’s too late for the victim to respond effectively. This shift towards LOTL techniques represents an ongoing challenge for cybersecurity professionals, as traditional antivirus solutions are becoming less effective against these subtle attacks.
In addition to technological advancements, ransomware is increasingly being used as a weapon of geopolitical influence and hacktivism. Cyber criminals are no longer just motivated by financial gain; some are using malware to further political agendas, destabilize governments or create chaos in certain regions.
The ENISA report emphasized how geopolitical tensions are converging with ransomware attacks. For instance, during the Russia-Ukraine conflict, ransomware groups targeted critical infrastructure in Ukraine and other countries allied with Ukraine. These attacks weren’t necessarily financially motivated but rather politically driven. The aim was to disrupt national operations or cripple key sectors like energy, health care and transportation.
Hacktivist groups are also joining forces with ransomware gangs to push their own ideological goals. For example, attacks on public administration and transportation sectors have increased, often tied to specific political events or global movements. As cyber crime becomes more politicized, organizations and governments must recognize that ransomware is no longer just a financial threat but also a tool of disruption on the global stage. And given the increased geopolitical tensions across the globe, these types of attacks are increasingly common.
Despite global efforts to curb ransomware, the number of ransomware attacks continues to rise. According to the Ransomware Tracker, the number of victims posted on extortion sites spiked in May 2024 to 450, up from 328 in April, making it one of the most active months over the last few years.
Industries like healthcare, public administration, transportation and finance are among the most targeted. These sectors are particularly vulnerable due to their reliance on digital infrastructure and the severe consequences of operational downtime. For example, the U.S. Department of Health and Human Services reported a 256% increase in hacking-related breaches in healthcare over the past five years, underscoring the sector’s heightened vulnerability.
The financial impact of ransomware continues to grow in 2024, with costs extending beyond ransom payments. According to one industry report, the average recovery cost for ransomware victims in state and local governments is USD 2.73 million, more than double the amount reported in 2023. These costs include not only ransom payments but also expenses related to downtime, lost data, operational disruption and reputational damage.
The ransom demands themselves are also skyrocketing. The report states that the average ransom demand for state and local governments is now USD 3.3 million, with some demands exceeding USD 5 million. Globally, industries like healthcare, energy and education are seeing similar trends. Even worse, high ransom demands and significant recovery costs can cripple or even shut down smaller organizations.
The ransomware landscape in 2024 is one of increasing complexity. With AI-driven phishing campaigns, living-off-the-land techniques, the exploitation of legal frameworks and the merging of geopolitical tensions, the stakes have never been higher. However, advancements in AI cybersecurity tools and a growing awareness of these evolving tactics provide pathways for improving defenses.
As cyber criminals adapt and innovate, so too must cybersecurity professionals and organizations. Proactive measures like vulnerability management, employing robust backup strategies and investing in incident response capabilities are essential in combating this ever-present threat. Ransomware may continue to evolve, but so too can the tools and strategies used to fight it.