Ransomware and Cyber Extortion in Q4 2024

"Akira" more than doubled its Q3 count and listed 71 organisations on data-leak sites in December alone.

Roughly 20% of the domains registered by Scattered Spider imitated Gateway and Network Infrastructure.

LockBit's victim count decreased from 176 in May 2024 to only five in December.

Approximately 15% of domains registered by Scattered Spider imitated VPN and Secure Access.

Newcomers in Q4 like “SafePay” and “FunkSec” quickly ramped up their activity, claiming 45 and 82 victims, respectively.

Ransomware attacks reached an all-time high in December 2024.

In Q4 2024, there was the highest jump of the year with 13 new ransomware groups emerging.

The median ransom payment rose from $199,000 in 2023 to $1,500,000 in 2024.

Nearly half of the 1,110 initial access listings collected in Q4 2024 were related to US-based companies.

"BlackLock" activity rose 1,425% from Q3 to Q4 2024.

Approximately 30% of domains registered by Scattered Spider imitated Single Sign-On (SSO) and Identity Providers.

30% of the domains registered by Scattered Spider imitated hosts for common services such as Binance and Coinbase.

25–30% of Scattered Spider domains targeted manufacturing companies.

Around 20% of domains registered by Scattered Spider imitated Help Desk and IT Support.

70% of the domains egistered by Scattered Spider imitated a specific organisation.

20–25% of Scattered Spider domains targeted finance and insurance companies.