Median ransomware payment in 2024 identified as US$200,000

05 February 2025

New analysis from Rapid7 has highlighted the increasing activity and sophistication of ransomware in 2024, with 75 active groups reported and a median ransom payment of US$200,000.

Christiaan Beek, Senior Director of Threat Analytics at Rapid7, said that leading ransomware groups such as RansomHub and Akira have been exploiting vulnerabilities and employing double and triple extortion tactics. The analysis reveals over 5,900 posts on leak sites, although actual incidents are thought to be higher due to unreported cases.

The report from Rapid7 emphasises the necessity for proactive security measures and international collaboration to mitigate this growing threat. It projects that ransomware damages could exceed US$380 million this year.

“While these numbers reflect public disclosures, many victims choose to negotiate privately, meaning the true scope could be significantly higher,” said Beek.

Among the most prolific ransomware groups, the Cl0p group was noted for exploiting vulnerabilities in Cleo file transfer software. Unlike other groups, Cl0p does not rely on encrypting victims’ data but uses leak sites for extortion, leaving their financial impact within the ransomware ecosystem opaque.

Financial analyses estimate the potential revenue generated by these groups from a median payment of US$200,000, with approximately 32% of victims choosing to pay. This suggests total payments in 2024 could easily surpass US$380 million.

The report also documents trends such as the proliferation of groups, persistent dominance of major players, increased transparency from victims, and the rise of multi-stage extortion tactics.

Rapid7 advocates strengthening resilience among organisations. Recommendations include preparing for multiple attack vectors, securing collaborations, maintaining readiness for incident response, and conducting ongoing risk assessments.

The potential financial incentive for cybercriminals remains significant, with substantial returns even if only a fraction of victims choose to pay ransoms. This reality underlines the necessity for organisations to develop defence mechanisms such as user awareness training, strong access controls, and secure backups.

The report calls for ongoing threat intelligence to monitor emerging groups and tailor defences against them. It stresses the importance of organisations maintaining visibility over their external footprint, including regular asset scanning, real-time monitoring, and holistic patch management.