The 2024 State of Ransomware Report from BlackFog provides an analysis of global ransomware activity from both publicly disclosed and non-disclosed attacks, revealing that ransomware incidents reached record levels in 2024. The report highlights new ransomware groups, new variants and an increase in attack volume to emphasize the threat of ransomware. 

The most prominent ransomware groups included LockBit and RansomHub. LockBit was the most active in 2024, with 603 victims impacted. The group’s busiest month was May (around 200 attacks enacted), and they accounted for 36% of all attacks in the month. RansomHub emerged in February 2024 and amassed 586 victims. These targets include entities in government and the global manufacturing sector. 

Newcomer variants saw a 65% increase from 2023, with 48 groups emerging. 44 of these variants were responsible for 32% of the undisclosed incidents in 2024. Groups debuting in 2024 accounted for more than half of the attacks in November 2024 and December 2024. 

The most targeted sectors (when considering disclosed attacks) were healthcare, government and education. Compared to 2023, healthcare faced a 20% increase and government saw 15%. However, education decreased by 10%. For undisclosed attacks, the top sectors were manufacturing (17.6%), services (12.2%) and technology (9.7%). 

Data exfiltration reached a record high at 94%. The report asserts that data exfiltration is now a key component of ransomware, as malicious actors are more frequently combining data encryption and data theft, then ransoming the sensitive information.