Arete, a provider of counter extortion services and cyber risk management, released its 2024 Annual Crimeware Report, highlighting key trends and notable shifts in the cyber threat landscape. The trends Arete identified and analysed throughout 2024 include the evolution of the threat landscape, the most commonly observed ransomware and extortion groups, trends in ransom demands and industries targeted, and what may be coming next.

Leveraging data collected from Arete’s response to ransomware and extortion attacks throughout 2024, the report explores data and insights from the frontlines of incident response, including median demands and payments, notable threat actor tactics, techniques, and procedures (TTPs), the most impacted industries, and frequently observed malware and tools.

Manufacturing was the most impacted sector in 2024, closely followed by Professional, Scientific, and Technical Services. Collectively, these two sectors accounted for more than 40% of the ransomware and extortion victims observed by Arete throughout the year. The Construction, Finance & Insurance, and Healthcare & Social Services industries rounded out the top five most impacted sectors for the year. This data is influenced by cyber insurance trends, Arete’s typical client profile, and threat actors’ interest in these particular sectors. Most ransomware and extortion activity observed in 2024 was opportunistic, meaning threat actors were not targeting one specific industry.

In 2024, the percentage of companies and organisations making ransom payments to cybercriminals continued to decline. Only 29% of ransomware and extortion victims made a payment to the threat actor in 2024, down from 32% in 2023. As organisations continue to improve their cybersecurity posture and recovery capabilities, threat actors come away empty-handed more often than not. However, the decrease in ransom payment percentage was not as sharp from 2023 to 2024 as it had been from 2022 to 2023, suggesting that while businesses and organisations are paying ransoms for recovery or data suppression less often, the share of incidents in which a ransom is paid may eventually plateau.

Interestingly, Arete also observed that median demands and payments have remained largely stable year over year. Although median ransom demands fluctuated from quarter to quarter in 2024, the median was $500,000 over the entire year, which was the same amount observed for the entirety of 2023. Likewise, the median payment amount remained consistent over the past three years.

In 2024, threat actors remained largely opportunistic in their attacks. The primary shift is that, year over year, organisations are increasingly adopting endpoint detection and response (EDR) and multi-factor authentication (MFA) to strengthen cyber resilience and prevent attacks.

“This report synthesises Arete’s frontline data from thousands of cyber engagements in 2024,” said Chris Martenson, Arete’s Chief Data Officer. “Using these unique insights, we will continue to protect our clients, inform our partners, and evolve our solutions to combat cyber extortion,” Martenson added.