Ransomware 2025: Lessons from the Past Year and What Lies Ahead

Ransomware attacks hit another record in 2024, and attacks in 2025 are not slowing down. So what’s new and what can we learn about ransomware as we move forward?  

“Been there, done that, got the T-shirt.”

That was the attitude of many security pros and technology and business leaders regarding the topic of ransomware as we began this new year. After years of relentless attacks, from the 2019 ransomware surge that hit state and local governments hard to the major cyber attacks on critical infrastructure that followed, cyber teams are now worn down and, in some cases, fearing budget cuts.

Trouble is, the bad actors didn’t get the memo, and their recent actions have already announced to the world, "We’re back … ."

2025 GLOBAL RANSOMWARE INCIDENTS


According to BlackFog’s State of Ransomware 2025 website: “We kicked off 2025 with a record-breaking 92 disclosed ransomware attacks in January, a 21% increase over last year and the highest we’ve recorded since we began tracking ransomware back in 2020. We counted 32 different ransomware groups behind the attacks, with RansomHub leading the way. Some of the bigger news stories included the Codefinger ransomware attack on AWS, the disruption caused to the education sector following a hack on Power Schools, and RansomHub’s claims involving MetLife.”

In addition, recent major security incidents in the past week at both the Cleveland Municipal Court and Anne Arundel County, Md., government seem likely to be ransomware attacks, but those cyber attack details have not been formally reported yet.

Here are some of the other recent ransomware attacks being highlighted by news organizations around the world:

"Ransomware group claims to have stolen patient information from Australian fertility clinic": “A ransomware group has claimed responsibility for stealing highly confidential patient information from an Australian fertility clinic.”

"FBI warns a cyber attack under way and you should back up your data": “A Feb. 19 alert from the Cybersecurity and Infrastructure Security Agency and the FBI said threat actors known as “Ghost” are conducting ransomware attacks on multiple targets in more than 70 countries. Believed to be working out of China, Forbes reported the group goes by many names, including Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada and Rapture.”

"Southern Water says Black Basta ransomware attack cost £4.5M in expenses": “United Kingdom water supplier Southern Water has disclosed that it incurred costs of £4.5 million ($5.7M) due to a cyberattack it suffered in February 2024. Southern Water is a private utility company in southern England, providing water services to 2.7 million customers and wastewater services to over 4.7 million customers across Kent, Sussex, Hampshire, and the Isle of Wight.”

AN IN-DEPTH LOOK AT RANSOMWARE IN 2024


One of my go-to, trusted annual ransomware reports comes from BlackFog Inc. Their State of Ransomware Annual Report is always an excellent read for security pros. Here are some of the ransomware highlights from 2024:
  • 32 percent of undisclosed attacks came from 48 new variants
  • 47 percent targeted health care, government and education
  • 94 percent involved data exfiltration
  • 603 victims made LockBit the top variant
2024 also saw significant sector rises in disclosed attacks for:
  • Retail: a rise of 96 percent year over year
  • Services: a rise of 88 percent year over year
  • Finance: a rise of 66 percent year over year
Critical infrastructure remained a key target with 103 gas, electrical, or other energy companies attacked. 

The report goes on:

“The top three sectors for undisclosed attacks were: manufacturing (17.6%), services (12.2%) and technology (9.7%).

"The findings reveal ransomware attacks reached record levels throughout 2024. LockBit, one of the most prominent ransomware gangs in recent years, remained the most active ransomware variant through 2024 affecting 603 victims. May was the busiest month, with nearly 200 attacks launched, accounting for 36% of all attacks that month. This surge followed news of the gang’s disbandment after its leader was unmasked earlier in the year.

"RansomHub, a newcomer to the scene in February 2024, was in second place, affecting 586 victims, including high-profile attacks on government entities and 78 victims in the global manufacturing sector. Although these industries have been heavily targeted, this group poses a significant threat to all organizations across the spectrum, with victims ranging from SMEs to large global corporations. 

"In third place, the leading players varied by category. For disclosed incidents, financially motivated group Medusa accounted for 5%, with ransom demands by the group exceeding $40M. Play ransomware attacks made up 7% of undisclosed incidents with a total of 342."

I like this quote from Darren Williams, founder and CEO, BlackFog: “The focus in cybersecurity has traditionally focused on confronting the attacks head on. But as we can see from the new attack vectors, the emphasis should not be on the points of entry, but rather the points of exit. The role of data exfiltration is critical to protect an organization's most valuable asset, its data. Without data, you can render the attack moot and protect patient and organizational data from the inevitable ransom that follows.”

OTHER BLACKFOG RANSOMWARE REPORT HIGHLIGHTS OF INTEREST


According to BlackFog, the top five ransomware attacks in 2024 were:
1. Change Healthcare Ransomware Attack
2. CDK Global Ransomware Attack
3. Kawasaki Motors Europe Attack
4. Starbucks Supply Chain Disruption
5. NHS London Ransomware Attack

What about critical infrastructure attacks?
1. U.S. telecommunications breach
2. Water cyber attacks
  • American Water (U.S.): The largest regulated water and wastewater utility company in the U.S. suffered a cyber attack that led to a temporary halt in billing operations. While water services remained unaffected, the incident underscored the vulnerabilities in essential services and prompted calls for enhanced cybersecurity measures in the water sector.
  • Southern Water (U.K.): In February 2024, Southern Water reported a data breach that exposed personal and operational data. Hackers targeted the utility’s IT systems, gaining unauthorized access and compromising personal details of customers and employees.
  • Texas Water Facility (U.S.): A water facility in Texas was targeted in a cyber attack that attempted to manipulate processes, suspected to involve Russian-linked hackers. This incident underscored the vulnerability of water utilities to sophisticated cyber threats.
  • Arkansas City Water Treatment Facility (U.S.): In Kansas, a water treatment facility in Arkansas City suffered a cybersecurity incident and was switched to manual operations out of caution. This incident highlighted the need for robust cybersecurity measures in water utilities.
3. Health-Care Sector Ransomware Surge
4. Transportation for London (TfL) Cyber Attack
5. Automotive Industry Cyber Attacks: The automotive sector saw a significant rise in cyber incidents, with 409 new cases reported in 2024, up from 295 in 2023. Ransomware attacks targeting the mobility sector contributed notably to this increase, raising concerns about vehicle security and the broader implications for transportation infrastructure.

WHAT CAN BE DONE?


Just a reminder that I have written about this topic at least annually for the past seven-plus years. Here are a few of those articles with tips and actions to consider.
See also these federal resources:
FBI: How We Can Help You
CISA: Stop Ransomware Website (with Guide) and Stop Ransomware Alerts & Statements
U.K. NCSC: Mitigating malware and ransomware attacks

FINAL THOUGHTS


I started this blog the way that I did after speaking with several conference managers and events leaders from all over the world regarding cyber topics for upcoming events. The general sentiment is that “ransomware isn’t sexy anymore.” Or, “We did that last year (and the year before that, and the year before that).”

But the bad actors did not get that memo, and ransomware attacks continue to surge. This issue is not going away anytime soon. Rather, it remains a serious ongoing challenge for large enterprises, critical infrastructure, small governments, hospitals, K-12 educators and more.

More than one industry expert told me that most ransomware attacks no longer start with encrypting your data. They now exfiltrate your data first, and jump to extort money to “get your data back,” which is often already sold on the dark web. Sometimes, they later encrypt the data as well, but that is now the minority of cases.

One more helpful resource on ransomware with an expert panel discussion: There is a free upcoming CISO Insights webinar on March 11, 2025, called "Ransomware 3.0: Can Anything Stop These Bad Actors?"

So whether you call this ransomware 3.0, or some other new name, this is not your father’s ransomware. We need to pay attention and keep building lasting cyber defenses with incident response capabilities that are always ready to respond to the coming ransomware alarms that are sure to go off.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.