
Ransomware 2024: A year of tricks, traps, wins and losses


Ransomware criminals in 2024 stooped to new lows while deploying high-level black hat tradecraft. Targets included critical sectors such as healthcare, public infrastructure, and cloud services.

Notable was the continued rise of ransomware-as-a-service (RaaS), which let a new class of inexperienced affiliates run devastating campaigns. Meanwhile, nation-state actors turned extortion and cyber theft into geopolitical weapons. The year in ransomware underscored both the challenges cybersecurity professionals face and the costly consequences of failure.

This year’s attacks underscore that ransomware is no longer just an IT issue — it is a threat to lives, economies, and national security. The following examples show the devastating consequences of even a single attack, from halting patient care to undermining infrastructure and funding geopolitical adversaries.

With projected global costs reaching $265 billion annually by 2031, understanding the trends revealed by 2024's ransomware incidents is critical to staying ahead of future attackers.

(Editor’s Note: See The State of Ransomware 2024)

Top attacks of 2024

One of the most devastating attacks of the year hit Change Healthcare, a key player in the U.S. healthcare system. The BlackCat/ALPHV ransomware group used compromised credentials to log into a remote access portal that had not been protected with multifactor authentication (MFA), and from there moved into the company's systems.

Over 100 million patient records were exposed in the Change Healthcare attack, including names, Social Security numbers, and treatment details. The attack caused chaos across UnitedHealth’s vast network, halting operations at clinics, disrupting prescription processing, and delaying critical surgeries. Facing mounting pressure to restore services, Change Healthcare paid a staggering $22 million ransom.

As Toby Gouker, chief security officer at First Health Advisory, warned: “At the current rate of healthcare breaches, it will soon be easier for patients to check the dark web for their medical records than to ask a doctor.”

Another major healthcare breach involved Ascension Health, a network of 140 hospitals. Black Basta attackers infiltrated systems in February but weren’t detected until May, giving them months to exfiltrate sensitive medical records, payment data, and Social Security numbers.

When the attack was discovered, Ascension hospitals were forced to operate without electronic health records, managing patients on paper charts, which significantly disrupted care delivery. The incident highlighted how fragile healthcare systems are and how poorly they tolerate extended downtime.

Outside healthcare, ransomware demonstrated its potential to paralyze critical infrastructure. At the Port of Seattle, a ransomware attack in late August disrupted port and airport operations, affecting shipping schedules and supply chains across the Pacific Northwest. Similarly, the Pittsburgh Regional Transit attack in December disrupted rail service and fare processing, stranding commuters. These incidents underscored the growing focus of ransomware gangs on infrastructure systems that directly affect public life.

The European Space Agency's online store became another high-profile victim, though of web skimming rather than ransomware: cybercriminals embedded malicious scripts in the store that redirected shoppers to a fake payment page, where the payment card details customers entered were stolen. The attack didn't disrupt space exploration, but it showed how peripheral, internet-facing systems such as online stores linked to larger organizations can become entry points for attackers and damage the parent organization's reputation.

On the geopolitical stage, extortion and cyber theft became tools of economic warfare. The North Korean-linked Lazarus Group orchestrated a $308 million cryptocurrency heist from Japan's DMM Bitcoin exchange. The attackers used social engineering, including impersonating a LinkedIn recruiter, to compromise an employee at a wallet software provider used by the exchange, then hijacked a legitimate transaction request. The stolen funds reportedly supported North Korea's weapons programs. Strictly speaking this was theft rather than ransomware, but it shows how financially motivated intrusions serve nation-state goals.

The disruption of LockBit, after law enforcement seized its infrastructure and publicly identified, indicted and sanctioned its leader Dmitry Yuryevich Khoroshev, hobbled one of the most prolific ransomware groups. However, RansomHub quickly filled the void, running campaigns against nearly 500 organizations, including Halliburton and Kawasaki Europe. The group relied on "living off the land" techniques, abusing legitimate administrative tools already present in victim environments to avoid detection, and fielded encryptors for Windows, Linux and VMware ESXi systems.

Any look back on 2024 would be incomplete without noting generative AI's growing role as both ally and adversary in the fight against ransomware.

Cybercriminals have used generative AI to draft convincing, well-written phishing lures in many languages and to speed up the development of malware and attack tooling, lowering the skill bar for RaaS affiliates. Defenses that rely on spotting clumsy grammar or known signatures are losing their edge, challenging cybersecurity professionals to adapt to this evolving threat landscape.

2024 predictions: What did we get right and what we didn’t see coming  

Cybersecurity analysts in 2023 had warned of a rise in ransomware attacks powered by increasingly sophisticated tactics, and 2024 proved them right.

Double extortion, where attackers steal data before encrypting it and threaten to leak it if the ransom isn't paid, was one of the most widely used strategies this year. The role of RaaS also expanded as predicted. Groups like RansomHub dominated headlines, executing nearly 500 attacks and demanding ransoms exceeding $5 million on average. The targeting of critical infrastructure, particularly healthcare, was another forecasted trend.

This past year also brought several unexpected developments that challenged existing assumptions about ransomware trends. 

One of the biggest surprises was the drop in attack frequency in certain sectors, including state and local governments. According to Sophos, 34% of these organizations reported ransomware incidents in 2024, compared to 69% the previous year. But while fewer attacks were recorded, the ones that did occur were far more severe, with encryption rates jumping from 76% in 2023 to 98% in 2024. This trend suggests attackers are focusing on higher-impact operations rather than sheer volume. 

Recovery costs were another unforeseen challenge. The average cost of recovering from an attack that began with an exploited vulnerability reached $3 million, four times the cost of recovering from one that began with compromised credentials. This gap suggests attackers who exploit vulnerabilities tend to reach deeper into an environment before they are detected, and that attackers increasingly aim to cause maximum disruption and make recovery as expensive as possible.

Perhaps the most alarming surprise was the extent to which nation-states weaponized cyber extortion and theft. North Korea's Lazarus Group executed a $308 million cryptocurrency heist against Japan's DMM Bitcoin exchange, using targeted social engineering to compromise the enterprise wallet systems the exchange depended on. Such operations blur the line between cybercrime and cyberwarfare, adding a geopolitical dimension to the ransomware threat.

Ransomware 2024: Lessons learned

Despite setbacks and defeats, the year in ransomware offered valuable takeaways.

The first is the need for resilience: organizations must adopt zero-trust architectures, enforce MFA on every remote access path, strengthen continuous monitoring so intrusions are caught in days rather than months, and keep tested incident response and recovery plans in place.

Collaboration between cybersecurity professionals is also critical. Public-private partnerships and international cooperation are essential to combating the increasingly industrialized ransomware ecosystem. 

Finally, defenders must adapt to the growing use of generative AI in ransomware campaigns. AI-assisted phishing and malware development are outpacing traditional defenses, requiring cybersecurity teams to integrate AI into their own detection and response strategies.

The events of 2024 serve as a reminder that ransomware is not just a persistent threat but an evolving one. Let’s focus less on 2025 predictions and make sure the lessons of 2024 inform our approach to ransomware in 2025 and beyond.

Tom Spring, Editorial Director

Tom Spring is Editorial Director for SC Media and is based in Boston, MA. For two decades he has worked at national publications in the leadership roles of publisher at Threatpost, executive news editor PCWorld/Macworld and technical editor at CRN. He is a seasoned cybersecurity reporter, editor and storyteller that aims always for truth and clarity.
