State of the Underground 2024: U.S. targeted for ransomware more than the rest of the world combined

Ransomware is a worldwide problem, with no country or organization safe from potential attacks. At the same time, a limited number of threat actor groups are launching most of the attacks, concentrating on a limited number of countries.

That’s what Cybersixgill researchers found in compiling a ransomware analysis in our State of the Underground 2024 report. We discovered – not surprisingly – that the attackers primarily go after countries with sizable economies. As Depression-era American crime figure Willie Sutton allegedly quipped when asked why he robbed banks, “Because that’s where the money is.” 

Our research showed that the United States was by far the leading target of ransomware attacks in 2023: A full 56% of worldwide attacks were directed against U.S. targets. The No. 2 target – Great Britain – represented only 5% of all attacks. Rounding out the top five were Germany (4%), Canada (2%), and France (2%). The rest of the world made up the remaining 31%.

5 ransomware groups linked to most of the attacks

Similarly, 65% of all ransomware attacks were executed by just five ransomware groups:

• LockBit

• CLOp

• ALPHV

• BlackBasta

• Vice Society

Additionally, 80% of ransomware attacks were executed by just 10 groups, reflecting what seems to be a consolidation of ransomware organizations. In 2022, we identified 62 ransomware associations. In 2023, that number dropped to 43 – a decline of more than 30%. Nonetheless, these ransomware organizations managed to generate much higher payouts in 2023 than 2022. The average cost of a ransomware attack in 2023 was $1.54 million compared to $812,000 the prior year – even though the number of attacks dropped by 9%.

Ransomware attacks target large organizations

The names of ransomware victims suggest why high payouts could be extracted. Among the prominent victims were T-Mobile, Putnam Investments, the energy giant Shell, Toyota Financial Services, Deloitte, Siemens Energy, Boeing, and the BBC. 

One of the top five ransomware groups, a Russian-language cybercriminal gang called CL0p, is said to be a “big game hunter.” They target large organizations and demand ransomware payments in exchange for decrypting and returning stolen data. Similarly, the leading ransomware organization in 2023, LockBit, targeted large organizations in such sectors as construction, manufacturing/industrial, retail, insurance, banking/financial services, education, and IT. Since our report was published earlier this year, LockBit has been hit hard by aggressive law enforcement efforts and appeared to be out of business. Recently, its members seem to have resurrected the organization, although its future remains unclear.

But even the permanent demise of LockBit wouldn’t necessarily affect worldwide ransomware attacks, judging by history. One of the top five groups we identified, ALPHV, is thought to be a successor to the defunct REvil gang. Law enforcement agencies were able to disrupt ALPHV’s activities by seizing websites belonging to the group, but the group appears to be continuing to operate nonetheless.

Smaller entities are attacked, too

Taking a different approach than the other top five ransomware gangs is BlackBasta, a group that first appeared in early 2022. Using a ransomware-as-a-service model and double-extortion tactics, they prefer to go after companies with revenues ranging from $10 million to $50 million. Their victims tend to be in healthcare, wholesale trade, real estate, and legal services – organizations that rely on minimal service downtime and handle significant amounts of third-party data. While they may have less revenue at their disposal, they need to resolve ransomware demands quickly and thus may be more likely to pay.

Rounding out the top five is Vice Society, which focuses attacks on educational and research institutions in the U.S., Canada, and the UK. 

We should note that in our increasingly interdependent world, organizations are not easily isolated by geography and industrial sectors. Indeed, just a casual perusal of the names of the large companies listed as ransomware victims shows that they’re multinational organizations with complex mixes of products, services, and suppliers. 

And the unfortunate reality is that ransomware groups quickly adapt to new pressures and find new methods and victims for their criminal activities. The watchword is that no matter where your organization is located or what its function is, your security team will need to keep your cybersecurity tools and processes well-tuned and ready to respond.

To learn more about ransomware trends and other threats, watch our on-demand webinar detailing our findings from the State of the Underground 2024 . To understand how Cybersixgill helps organizations deal with the continuing threat of ransomware, schedule a demonstration.