Will Law Enforcement Success Against Ransomware Continue in 2025?

Throughout 2024, law enforcement agencies worldwide intensified their fight against cybercrime, producing significant arrests and takedowns of major cybercriminal groups. Q4 alone saw a flurry of actions. On Oct. 1, 2024, authorities arrested four individuals linked to the notorious LockBit ransomware gang, including a developer, a bulletproof hosting service administrator, and two affiliates. This followed formal sanctions imposed by the U.S. Treasury Department on LockBit members, a major step in disrupting the group’s global operations. Later in the month, on Oct. 28, Dutch-led law enforcement executed Operation Magnus, seizing the infrastructure of the Redline and Meta infostealers, two malware-as-a-service platforms used to steal credentials and other sensitive data.

In November, multiple high-profile arrests took place. On Nov. 4, Canadian authorities apprehended a suspect in the Snowflake data breach, a major cybersecurity incident. Shortly after, on Nov. 18, 42-year-old Evgenii Ptitsyn, linked to the Phobos ransomware variant, was extradited from South Korea to the United States to face charges. Later that month, Operation Serengeti dismantled a massive cybercrime network in Africa, leading to the arrest of over 1,000 individuals involved in online fraud and hacking schemes. The fight against ransomware continued with new indictments, announced on Nov. 30, against multiple members of Scattered Spider, a notorious cybercriminal group.

Law enforcement action extended to non-NATO countries as well: on Nov. 29, authorities arrested the well-known ransomware actor Wazawaka, who had ties to multiple ransomware gangs. Meanwhile, on Dec. 5, U.S. authorities arrested Remington Goy Ogletree, a 19-year-old from Texas, marking the seventh arrest of a Scattered Spider member. Later in the month, on Dec. 19, a Romanian national was sentenced to 20 years in prison for his role in the Netwalker ransomware operation. The year ended with another significant arrest: on Dec. 31, a U.S. soldier was taken into custody for allegedly hacking AT&T and Verizon systems.

The crackdown on cybercrime continues into 2025. On Jan. 14, the UK government proposed banning ransom payments by public sector bodies. As this report went to press, a takedown of the ‘Cracked’ and ‘Nulled’ marketplaces was announced, showcasing both what a coordinated global, multijurisdictional action can achieve and how complex such an action is to organize. Measures like these aim to discourage ransomware attacks by eliminating the financial incentive for cybercriminals.

These coordinated efforts highlight a growing international commitment to dismantling cybercriminal networks and holding perpetrators accountable. Maintaining pressure on cybercriminals is crucial, as each arrest, indictment, and infrastructure takedown imposes mounting costs and increases the risks for those engaged in cybercrime. Every successful law enforcement action disrupts criminal operations, forces hackers to abandon established networks, and undermines the trust within cybercriminal communities. The growing number of arrests and extraditions sends a strong message that cybercriminals are not beyond the reach of justice, even if they operate across borders. Moreover, dismantling ransomware-as-a-service platforms and ransomware gangs makes it harder for new actors to enter the cybercrime ecosystem, raising the financial and operational barriers to entry. As law enforcement agencies continue to refine their investigative techniques, collaborate internationally, and leverage new technologies, the risk of exposure and prosecution grows for cybercriminals. This ongoing pressure not only deters potential offenders but also weakens the profitability of cybercrime, making it a more dangerous and less attractive enterprise.

As the Trump administration takes office, it is critical to maintain robust funding for law enforcement agencies combating cybercrime while ensuring continuity in personnel. Cybercriminal networks operate on a global scale, often with sophisticated infrastructure and rapidly evolving tactics. Investigations into these threats require long-term commitment, advanced technical expertise, and strong international cooperation, all of which depend on stable funding and experienced personnel. High turnover within agencies like the FBI, the Secret Service, and international cybercrime task forces can significantly slow the pace of investigations, as new agents must build relationships, develop specialized skills, and gain institutional knowledge. By preserving the expertise of seasoned investigators and maintaining financial support for cybercrime-fighting initiatives, the administration can ensure that ongoing operations continue without disruption, maximizing the effectiveness of law enforcement efforts and keeping pressure on cybercriminals worldwide. If the new administration disrupts law enforcement operations through funding cuts and turnover, enterprises and governments worldwide will be less safe almost immediately.

Average and Median Ransom Payment in Q4 2024

While outlier ransom payment amounts can skew the quarterly average ($553,959 in Q4 2024, +16% from Q3 2024), median payment amounts are a more reliable indicator of where the market is trending. The median payment fell 45% in Q4 2024 to $110,890. Payments remain primarily a last-resort option for those who have no alternative way to recover critical data. Faulty decryption tools from both new and old ransomware strains and mounting distrust of threat actors’ willingness to honor their assurances combine to drive victims away from the table unless they have no other option.

Ransomware Case Outcomes in Q4 2024

The drop in the percentage of companies paying ransoms to an all-time low of 25% is a significant milestone in the fight against ransomware. It suggests that more organizations are improving their cybersecurity defenses, implementing better backup and recovery strategies, and refusing to fund cybercriminals. The decline may also reflect increased law enforcement efforts and stronger regulatory guidance discouraging ransom payments. By reducing the financial incentive for attackers, this trend should help weaken the overall ransomware economy and deter future attacks. The share of data-exfiltration-only victims that paid a ransom rose to 41% in Q4, though these attacks remain a smaller proportion of overall attacks than those involving encryption. The data suggests that encryption is becoming relatively less successful as an extortion tactic, which in turn suggests that enterprises are continuing to harden their backup infrastructure and keep it intact through an incident.

Most common Ransomware Variants in Q4 2024

For the sixth consecutive quarter, Akira holds its position as the most commonly observed variant (this time tied with Fog ransomware). Akira has seemingly avoided the market fluctuations that affect other groups, and, intentional or not, its general avoidance of the healthcare sector and critical infrastructure has kept it out of the headlines that have thrust other big-game hunters into the media spotlight. Fog ransomware has swiftly climbed our rankings since its emergence in Q2 2024 to meet Akira at the number one spot. Like Akira, Fog appears to have reached this position not by targeting selective or highly public victims but through sheer volume and repetitive attack patterns, particularly in the small and medium enterprise market. Notably, lone wolf actors (both encryption-focused and data-theft-only) continue to hold a firm position in the extortion market even though we are nearly a year out from the back-to-back collapses of two prominent Ransomware-as-a-Service (RaaS) groups. Lone actors seized a sizable slice of the market in Q1 2024 shortly after these high-profile RaaS exits, which at the time highlighted affiliates’ distrust of the flawed RaaS model. While we somewhat expected that deterrent effect to wear off with time, our data shows that lone wolves have held their position and largely continued to operate without group affiliation or infrastructure rather than absorb the risks and inconsistent rewards of improperly run RaaS platforms.

Rank  Ransomware type  Market share  Change in ranking from Q3 2024
1     Akira            11%
1     Fog              11%           +2
2     RansomHub         8%
3     Lone Wolf         8%           +1
4     Medusa            5%           New in top variants
4     BlackSuit         5%
5     BianLian          4%           New in top variants
5     Black Basta       4%           New in top variants

Most Common Ransomware Attack Vectors in Q4 2024

Threat actors are constantly refining their tactics, leveraging AI, SEO manipulation, and advanced social engineering to enhance remote access compromises and phishing attacks, making them more sophisticated and difficult to detect.

Phishing remains a primary attack vector, increasingly exploiting human behavior and expanding beyond traditional email-based schemes. AI-driven phishing and SEO poisoning make attacks more deceptive, while callback phishing lures victims into calling fraudulent support lines and installing remote assistance software through which data is extracted. Black Basta’s spam campaigns impersonate IT support over Teams messages to gain unauthorized access. SEO poisoning by groups like Qilin misdirects users into downloading malicious software, while vishing (voice phishing) by RansomHub uses spoofed numbers to steal VPN credentials and bypass MFA. Attackers also employ SMS phishing (smishing) and fraudulent social media interactions to trick users into divulging sensitive information or installing malware.

Remote access compromise, often initiated through phishing, remains a critical threat. VPNs are frequent targets, compromised through vulnerabilities in Ivanti and Fortinet appliances, credentials stolen by infostealers, or brute-force attacks. Initial access brokers often offer these credentials to ransomware groups first before selling them on underground markets, reinforcing the need for phishing-resistant MFA rather than SMS or email codes. Meanwhile, zero-day and unpatched vulnerabilities continue to be exploited before patches are applied. Cl0p recently targeted flaws in Cleo’s file transfer software, while nation-state actors have focused on Ivanti VPN weaknesses. Slow remediation cycles, public exploit kits, and patch management challenges leave high-severity CVEs open to widespread exploitation.
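Credential-based VPN compromise of the kind described above leaves a trace in the appliance’s authentication log before the attacker ever reaches the internal network, and it is worth checking for the three patterns that precede it: a brute-force run against one account, a password spray across many accounts, and a successful login that follows a run of failures from the same source. The script below is an added example written for this page, not tooling from Coveware or Veeam; the log format, the thresholds, and every log line are constructed for illustration rather than taken from any real appliance, so map your own VPN’s syslog fields onto the same four values before using it.

```python
"""Flag brute-force, password-spray and "success after failures" patterns in VPN
authentication logs.

Added example for this report, not Coveware or Veeam code. The log format is a
constructed, generic one (timestamp, result, user, source IP); map your own
appliance's syslog fields onto the same four values before calling analyze().
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real appliance). 203.0.113.7 brute-forces
# one account and then logs in; 198.51.100.22 tries one guess against five
# accounts; 192.0.2.10 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2024-12-03T02:14:01Z vpn auth=FAIL user=j.smith src=203.0.113.7
2024-12-03T02:14:03Z vpn auth=FAIL user=j.smith src=203.0.113.7
2024-12-03T02:14:05Z vpn auth=FAIL user=j.smith src=203.0.113.7
2024-12-03T02:14:08Z vpn auth=FAIL user=j.smith src=203.0.113.7
2024-12-03T02:14:10Z vpn auth=FAIL user=j.smith src=203.0.113.7
2024-12-03T02:14:12Z vpn auth=FAIL user=j.smith src=203.0.113.7
2024-12-03T02:14:15Z vpn auth=OK user=j.smith src=203.0.113.7
2024-12-03T02:20:00Z vpn auth=FAIL user=a.lee src=198.51.100.22
2024-12-03T02:20:02Z vpn auth=FAIL user=b.chen src=198.51.100.22
2024-12-03T02:20:04Z vpn auth=FAIL user=c.diaz src=198.51.100.22
2024-12-03T02:20:06Z vpn auth=FAIL user=d.khan src=198.51.100.22
2024-12-03T02:20:08Z vpn auth=FAIL user=e.wong src=198.51.100.22
2024-12-03T02:25:00Z vpn auth=FAIL user=m.jones src=192.0.2.10
2024-12-03T02:25:30Z vpn auth=OK user=m.jones src=192.0.2.10
this line is unparseable noise and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse_log(text):
    """Return (timestamp, success, user, source_ip) tuples sorted by time.
    Non-matching lines are skipped, not fatal: real syslog feeds contain noise."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"] == "OK", m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def detect(events, window=timedelta(minutes=10), brute_threshold=5,
           spray_threshold=5, min_failures_before_success=3):
    """Return (kind, source_ip, detail) findings, at most one per (kind, ip, user).

    brute_force:            >= brute_threshold failures for one user from one IP in window
    password_spray:         failures against >= spray_threshold distinct users from one IP
    success_after_failures: a login succeeded from an IP with >= min_failures_before_success
                            recent failures, i.e. a likely guessed or stuffed credential
    The last threshold keeps a user who mistypes a password once from alerting.
    """
    findings, reported = [], set()
    recent_failures = defaultdict(list)  # ip -> [(ts, user), ...] within window

    def report(kind, ip, user, detail):
        if (kind, ip, user) not in reported:
            reported.add((kind, ip, user))
            findings.append((kind, ip, detail))

    for ts, ok, user, ip in events:
        # Keep only this source's failures that fall inside the sliding window.
        recent = [f for f in recent_failures[ip] if ts - f[0] <= window]
        recent_failures[ip] = recent
        if ok:
            if len(recent) >= min_failures_before_success:
                report("success_after_failures", ip, user,
                       f"{user} logged in after {len(recent)} failures from this source")
            continue
        recent.append((ts, user))
        per_user = sum(1 for _, u in recent if u == user)
        if per_user >= brute_threshold:
            report("brute_force", ip, user, f"{per_user} failures for {user} in {window}")
        distinct_users = {u for _, u in recent}
        if len(distinct_users) >= spray_threshold:
            report("password_spray", ip, None,
                   f"failures against {len(distinct_users)} distinct users in {window}")
    return findings


def analyze(text, **thresholds):
    """Convenience wrapper: parse, then detect."""
    return detect(parse_log(text), **thresholds)


if __name__ == "__main__":
    for kind, ip, detail in analyze(SAMPLE_LOG):
        print(f"{kind:24} {ip:16} {detail}")
```

On the constructed sample this reports a brute-force run and a subsequent successful login from 203.0.113.7, and a password spray from 198.51.100.22; the single mistyped password from 192.0.2.10 produces nothing. The "success after failures" finding is the one to page on, since it indicates a credential that now works for the attacker; the thresholds are starting points to tune against your own baseline of failed logins.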

Exfiltration [TA0010]: In Q4 2024, Exfiltration reclaimed the top spot among MITRE ATT&CK tactics, appearing in 87% of observed cases (up from 76%) and ranking #1 in three of the four quarters of the year. It remained a central component of ransomware operations, either as a precursor to encryption-based attacks or as the sole objective.

Lateral Movement [TA0008]: Lateral Movement fell to second place at 74% (down from 84%). Where present, it was driven largely by remote services such as Remote Desktop Protocol (RDP) and secure shell (SSH), along with lateral tool transfer via PsExec. This tactic remains a key phase in nearly every attack, as adversaries move deeper into compromised environments following initial access. SSH is a common way of connecting to virtualized infrastructure such as VMware ESXi to conduct encryption attacks on the hosts.

Impact [TA0040]: Impact held steady at number three for the third consecutive quarter at 45% (down from 58%). However, this ranking understates its true significance: confirmed data encryption was present in 85% of our Q4 cases. Much of this was driven by ESXi encryption, which remains difficult to track through forensic analysis because attackers lock administrators out of the ESXi console by tampering with passwords. In many cases, victims were forced to reinstall ESXi to access datastores for recovery, which wiped forensic artifacts in the process; forwarding ESXi logs to a remote syslog target ahead of time preserves that evidence even when the host has to be rebuilt. Additionally, low ransom payment rates further complicate data collection, as organizations often skip post-attack forensic efforts when no payment is made.

Discovery [TA0007]: Discovery re-emerged in the Top 5 at 39%, highlighting the continued use of various tools to conduct reconnaissance and map out victim networks. Even as dwell times decrease, the discovery phase remains the best opportunity to detect and stop an attack before it escalates. Threat actors commonly use tools like AdFind, BloodHound, and network scanners like SoftPerfect Network Scanner to map out environments, often as part of initial reconnaissance before selling access on the dark web or launching further attacks. Identifying and disrupting this activity early can prevent significant damage, but many organizations miss these warning signs, allowing attackers to establish a foothold and escalate their operations.
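The discovery tooling named above is easy to spot in process-creation telemetry if the detection keys on what the tools do rather than only on their file names, because AdFind in particular is routinely renamed before it is dropped on a victim host. The script below is an added example written for this page, not Coveware’s or Veeam’s detection content; the event format is a constructed minimal one (Sysmon Event ID 1 or Windows 4688 records carry the same fields), the regular expressions and weights are this example’s own assumptions, and the sample events are constructed for illustration.

```python
"""Score process-creation events for Active Directory and network discovery
tooling (AdFind, BloodHound/SharpHound, SoftPerfect Network Scanner, built-ins).

Added example for this report, not Coveware or Veeam detection content. Event
format is a constructed minimal tuple (timestamp, host, image, command line);
Sysmon Event ID 1 and Windows 4688 records carry the same fields.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Signatures keyed on command-line content, not only on the binary name, because
# attackers rename the tools (AdFind commonly arrives as something like af.exe).
# Weights are assumptions for this example: unambiguous tools score higher than
# built-ins that administrators legitimately run. Entry: (name, regex, weight).
SIGNATURES = [
    ("adfind_ldap_query", re.compile(
        r"objectcategory=(person|computer|group|organizationalunit|trusteddomain|subnet)",
        re.I), 3),
    ("adfind_binary", re.compile(r"\badfind\.exe\b", re.I), 2),
    ("sharphound", re.compile(
        r"sharphound|bloodhound|--collectionmethods?\b|-c\s+all\b", re.I), 4),
    ("softperfect_netscan", re.compile(r"\bnetscan(\.exe)?\b", re.I), 2),
    ("builtin_domain_enum", re.compile(
        r"\bnet(\.exe)?\s+(group|user)\s+.*\s+/domain\b"
        r"|\bnltest(\.exe)?\s+/(dclist|domain_trusts)", re.I), 1),
]

# Constructed sample events (not from any real incident). WS-ADMIN01 is an admin
# doing routine work; FS-02 runs a renamed AdFind twice and then a network
# scanner; WS-DEV07 runs SharpHound once.
SAMPLE_EVENTS = [
    (datetime(2024, 12, 3, 3, 0, 0), "WS-ADMIN01", r"C:\Windows\System32\net.exe",
     "net user jdoe /domain"),
    (datetime(2024, 12, 3, 3, 5, 0), "FS-02", r"C:\Users\Public\af.exe",
     'af.exe -f "(objectcategory=person)" > ad_users.txt'),
    (datetime(2024, 12, 3, 3, 7, 0), "FS-02", r"C:\Users\Public\af.exe",
     'af.exe -f "objectcategory=computer" > ad_computers.txt'),
    (datetime(2024, 12, 3, 3, 12, 0), "FS-02", r"C:\Users\Public\netscan.exe",
     "netscan.exe /hide /auto:scan.xml /range:10.0.0.0-10.0.255.255"),
    (datetime(2024, 12, 3, 3, 20, 0), "WS-DEV07", r"C:\Temp\SharpHound.exe",
     "SharpHound.exe -c all --outputdirectory C:\\Temp"),
]


def match_event(cmdline):
    """Return the names of all signatures that match one command line."""
    return [name for name, rx, _ in SIGNATURES if rx.search(cmdline)]


def score_hosts(events, window=timedelta(minutes=30), alert_threshold=4):
    """Aggregate signature hits per host over a sliding window.

    Returns {host: (score, [signature names])} for hosts whose distinct-signature
    score reaches alert_threshold. Summing distinct signatures means a lone
    'net user /domain' from an administrator (weight 1) does not alert, while
    AdFind-style LDAP queries followed by a network scanner on the same host
    within half an hour does.
    """
    hits = defaultdict(list)  # host -> [(ts, signature), ...] within window
    alerts = {}
    for ts, host, image, cmdline in sorted(events, key=lambda e: e[0]):
        names = match_event(f"{image} {cmdline}")  # image path counts too
        if not names:
            continue
        recent = [h for h in hits[host] if ts - h[0] <= window]
        recent.extend((ts, n) for n in names)
        hits[host] = recent
        distinct = {n for _, n in recent}
        score = sum(w for name, _, w in SIGNATURES if name in distinct)
        if score >= alert_threshold:
            alerts[host] = (score, sorted(distinct))
    return alerts


if __name__ == "__main__":
    for host, (score, names) in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score {score} from {', '.join(names)}")
```

On the constructed events, FS-02 alerts on the combination of LDAP object-category queries (the renamed AdFind) and the scanner, WS-DEV07 alerts on SharpHound alone, and the administrator’s single net command on WS-ADMIN01 stays below threshold. The point of the window is the one the paragraph makes: these commands cluster in the minutes after initial access, so a short burst of discovery signatures from one host is the signal to act on.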

Collection [TA0009]: Collection entered the Top 5 for the first time, also at 39%, driven by the addition of keylogging and screen capture techniques. These methods, along with the archival tools used to package exfiltrated data before transfer, highlight the increasing sophistication of data theft tactics.

Most Common Industries Impacted by Ransomware in Q4 2024

Size distribution of Companies Impacted by Ransomware in Q4 2024

Ransomware attacks predominantly target mid-sized companies, with businesses ranging from 101 to 1,000 employees experiencing the highest impact at 41.53% of reported incidents. Companies with 11 to 100 employees follow closely, accounting for 29.66% of attacks. Larger enterprises with 1,001 to 10,000 employees also face a significant share at 16.10%. In contrast, very small businesses with fewer than 10 employees and large corporations with over 50,000 employees experience fewer attacks, making up only a small percentage of the total cases. This trend suggests that mid-sized organizations may be particularly vulnerable, possibly due to having valuable data (for use in data theft) while lacking the robust cybersecurity defenses of larger enterprises.

The post Will Law Enforcement Success Against Ransomware Continue in 2025? appeared first on Veeam Software Official Blog.

