The State of Ransomware in the U.S.: Report and Statistics 2024
Introduction
As we wrapped up 2024, a review of some of the cyber incidents that made headlines this year reveals why they matter. The actual number of organizations that fell victim to ransomware in 2024 is impossible to know—no one has the full picture. We track incidents through reports to state Attorneys General in the U.S., the U.S. Department of Health and Human Services, mainstream media, listings on dark web forums, and postings by the criminal groups themselves. However, these are just the tip of the iceberg. Many ransomware cases remain unreported, and the information provided by cybercriminals is often incomplete and unreliable.
Ransomware.live tracks claims from over 200 cybercriminal groups and lists 6,018 victims in 2024, compared to 5,339 in 2023. The actual numbers are likely much higher. One thing is clear: cybersecurity should be taken very seriously.
The article includes links from industry players and international law enforcement for further reading. For many incidents, breakout boxes have been added to explain their implications and provide guidance on how to avoid becoming a victim.
Ransomware Statistics in the U.S.
The 2024 report reveals a significant increase in ransomware attacks across various sectors in the United States. Hospital systems saw a dramatic rise, with 85 systems impacted, compared to 46 in 2023. Similarly, K-12 school districts experienced a surge, with 116 districts affected. Government entities also faced a substantial increase in attacks. The overall number of organizations impacted by ransomware in 2024 reached 373, highlighting the growing threat posed by these cyberattacks.
| Sector | 2021 | 2022 | 2023 | 2024 |
| --- | --- | --- | --- | --- |
| Hospital systems | 27 | 25 | 46 | 85 |
| K-12 school districts | 62 | 45 | 108 | 116 |
| Post-secondary schools | 26 | 44 | 72 | 55 |
| Governments | 77 | 106 | 95 | 117 |
| Totals | 192 | 220 | 321 | 373 |
Healthcare
Ransomware is not merely a numbers game. In the healthcare sector, the disruption of an attack can compromise essential treatments where lives are at stake. Our tracking shows that a significant number of hospitals and hospital systems have been impacted by ransomware in 2024. Between January and December, at least 85 hospital systems reported incidents, comprising 1,031 hospitals. While these figures offer a disturbing snapshot of the situation, not all incidents are reported and the actual number of affected hospitals is likely much higher.
Education
The data points towards a concerning trend of ransomware attacks on K-12 school districts in the U.S. in 2024. Between January and December, a total of 116 districts reported incidents, impacting an estimated 2,275 K-12 schools. This translates to an average of nearly 20 schools impacted per incident. While these numbers provide a sobering picture, it’s important to acknowledge that they likely represent only a fraction of the actual impact.
Governments
The above data indicates that government entities in the U.S. have been significantly impacted by ransomware attacks in 2024. Between January and December, a total of 117 governments and government agencies reported incidents. As with the other sectors, it’s important to acknowledge that this figure likely represents only a portion of the actual impact. Many ransomware attacks go unreported for reasons such as concerns about national security and the desire to avoid disrupting critical services.
LockBit Ransomware Group
2024 has been such an eventful year for the cybercrime group LockBit that they deserve some special attention. For a deep dive, Jon DiMaggio and team at Analyst1 have published some excellent papers based on their investigations of LockBit.
First appearing in the fall of 2019 as ABCD ransomware, the criminal group assumed the name LockBit in early 2020 and started to aggressively recruit potential affiliates with their rebrand to LockBit 2.0 in the summer of 2021. In March 2022 we first saw their third incarnation, LockBit 3.0, with a remarkable focus on their Ransomware-as-a-Service (RaaS) infrastructure, including taking the unironic step of launching their own bug bounty program. This deep commitment to their infrastructure and marketing specifically targeting affiliates led to great success as cybercriminals, albeit at the expense of their victims. Based on the number of listings on their dark website, LockBit is one of the most harmful ransomware groups in recent years, although it’s impossible to tell exactly how many organizations have fallen to them. Some of their most famous victims include global consulting firm Accenture (2021), cybersecurity firm Entrust (2022), the UK’s Royal Mail postal service (2023) and a raft of healthcare and government entities globally.
LockBit’s success gained them the attention of not only victims, but international law enforcement as well. This led to the creation of Operation Cronos: an international taskforce specifically targeting LockBit, aimed at disrupting the group’s operation and exposing the members of the ransomware gang. Led by the UK’s NCA, the FBI and Europol, the operation includes law enforcement agencies from 14 countries. Here’s a summary of some key events from 2024:
- Feb 19: Operation Cronos posted a message on LockBit’s dark website that read: “This site is now under the control of the National Crime Agency (NCA) of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”
- Feb 20: Operation Cronos announces that it has infiltrated LockBit’s network and taken control of its services. Operating for four years as a Ransomware-as-a-Service with a global network of affiliates, LockBit ransomware attacks targeted thousands of victims around the world, resulting in losses of billions of dollars in ransom payments and recovery costs.
- As quoted by the BBC, Ciaran Martin, the former head of the UK’s National Cyber Security Centre, said: “On the face of it, this is one of the most consequential disruptions ever undertaken against one of the giants of ransomware, and certainly by far the biggest ever led by British police”. Although their identities were still not publicly known, those behind the LockBit group were believed to be based in Russia, beyond the reach of Western law enforcement agencies. Disrupting their operations is one tangible way to undermine their work, but even after this very public exposure of LockBit’s activities, the lasting impact on the group’s operations remained to be seen. Nevertheless, the infiltration and disruption of LockBit resulted in:
  - the NCA obtaining over 1,000 decryption keys;
  - Operation Cronos naming the affiliate IDs and usernames of 194 LockBit affiliates;
  - two indictments of Russian nationals (Artur Sungatov and Ivan Kondratyev);
  - the arrest of two LockBit actors in Poland and Ukraine;
  - a $10 million reward for information on ‘LockBitSupp’, the gang’s alleged ringleader;
  - over 200 cryptocurrency accounts linked to the gang being frozen.
- Feb 23: On top of the $10 million reward mentioned above, law enforcement initiated some PsyOps by posting a countdown to a reveal of LockBit’s leader, LockBitSupp, on LockBit’s seized webpage. As a Ransomware-as-a-Service operation, LockBit relies on affiliates to do the dirty work of identifying, attacking and compromising victims, and ultimately extorting money from them. They effectively compete with other ransomware groups to attract the most productive affiliates. Establishing a strong brand helps them in this competition: a brand that instills fear in its victims and gives its affiliates confidence that its ransomware extortion threats are real. Similarly, RaaS groups need to protect the identity of their affiliates, many of whom may operate from jurisdictions that are NOT out of reach of Western law enforcement. By releasing affiliate IDs and usernames, then threatening to expose the leader, law enforcement undermines the credibility of this implied anonymity, generating fear and uncertainty within the ranks of affiliates that may result in someone cooperating with law enforcement to protect themselves.
- May 7: the U.S. Justice Department charges a Russian national for his alleged involvement as the creator, developer, and administrator of LockBit. Dmitry Khoroshev, 31, of Voronezh, Russia, was identified as LockBitSupp and charged in a 26-count indictment returned by a grand jury in the District of New Jersey. The Department of State also announced a reward of up to $10 million for information leading to the apprehension of Khoroshev.
- The NCA and FBI also identified 194 affiliates using LockBit’s services. The importance of this can’t be overstated: international law enforcement has made it clear that RaaS operators and the Dark Web can’t guarantee anonymity, and the criminals who thought they were safe are sleeping less easily now.
- Jun 6: The FBI announces that it holds over 7,000 LockBit decryption keys that can be used to help victims restore encrypted files.
- All this law enforcement attention seems to have had an impact, as the number of victims posted on LockBit’s dark website declined from 85/mo in Q1-24 to 18/mo in Q3-24. But the operation wasn’t over.
- Oct 1: In the third phase of Operation Cronos, law enforcement in four countries arrest an alleged LockBit developer (France), two LockBit affiliate supporters (arrested by British authorities), and the administrator of a hosting service used by the ransomware group (Spain). Spanish police also seized nine servers used as LockBit’s infrastructure.
Why does this LockBit stuff matter?
It’s encouraging to know that law enforcement is making progress against these criminal groups, and that it’s having an effect. Naming the people behind LockBit and its affiliates, and the indictments and arrests of key members are all being noticed by the cybercriminals and may be changing their behavior.
It’s a good idea to understand the threat presented by the most prolific Threat Actors. Resources that you can use to learn about the threats, tactics, and how to detect and protect against them are available from the US Cybersecurity and Infrastructure Security Agency (CISA) and many other sources. LockBit and their affiliates have gained initial access using application vulnerabilities, brute-forcing Remote Desktop Protocol (RDP), phishing, and compromised credentials.
The NCA and FBI hold thousands of LockBit decryption keys as a result of Operation Cronos. If you’ve been affected, report it to the appropriate authorities. Doing so will help them in their ongoing efforts to track and disrupt the criminals, and they may be able to help you recover your data.
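Of the four initial-access routes listed above, RDP brute-forcing is the one that leaves the most direct trace in a Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from a single source address, sometimes followed by a success (Event ID 4624) from the same address. The Python below is an added example written for this article, not code from the report or from any agency it cites. It runs that detection over a constructed, one-line-per-event rendering of such a log; the field labels (`EventID=`, `LogonType=`, `User=`, `SrcIP=`) and the five-failure threshold are assumptions of the example, not a vendor format.

```python
import re
from collections import defaultdict

# Event IDs 4624 (successful logon) and 4625 (failed logon) and logon type 10
# (RemoteInteractive, i.e. RDP) are real Windows Security log values; the
# one-line rendering used here is a constructed simplification for the example.
RDP_LOGON_TYPE = "10"

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>4624|4625) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)

# Constructed sample: one source sprays several accounts over RDP and finally
# gets in; a second source mistypes twice then succeeds (benign); a third fails
# repeatedly but with logon type 2 (local console), which is out of scope here.
SAMPLE_EVENTS = [
    "2024-03-02T01:10:01Z EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.45",
    "2024-03-02T01:10:03Z EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.45",
    "2024-03-02T01:10:05Z EventID=4625 LogonType=10 User=backup SrcIP=203.0.113.45",
    "2024-03-02T01:10:07Z EventID=4625 LogonType=10 User=svc_backup SrcIP=203.0.113.45",
    "2024-03-02T01:10:09Z EventID=4625 LogonType=10 User=svc_backup SrcIP=203.0.113.45",
    "2024-03-02T01:10:11Z EventID=4625 LogonType=10 User=svc_backup SrcIP=203.0.113.45",
    "2024-03-02T01:10:14Z EventID=4624 LogonType=10 User=svc_backup SrcIP=203.0.113.45",
    "2024-03-02T08:02:10Z EventID=4625 LogonType=10 User=jsmith SrcIP=198.51.100.7",
    "2024-03-02T08:02:20Z EventID=4625 LogonType=10 User=jsmith SrcIP=198.51.100.7",
    "2024-03-02T08:02:31Z EventID=4624 LogonType=10 User=jsmith SrcIP=198.51.100.7",
    "2024-03-02T09:15:00Z EventID=4625 LogonType=2 User=kiosk SrcIP=192.0.2.9",
    "2024-03-02T09:15:02Z EventID=4625 LogonType=2 User=kiosk SrcIP=192.0.2.9",
    "2024-03-02T09:15:04Z EventID=4625 LogonType=2 User=kiosk SrcIP=192.0.2.9",
    "2024-03-02T09:15:06Z EventID=4625 LogonType=2 User=kiosk SrcIP=192.0.2.9",
    "2024-03-02T09:15:08Z EventID=4625 LogonType=2 User=kiosk SrcIP=192.0.2.9",
]


def parse_event(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_rdp_bruteforce(lines, fail_threshold=5):
    """Return {src_ip: finding} for sources with >= fail_threshold RDP logon failures.

    Events are processed in log order, so a 4624 only counts as "brute force
    succeeded" if the threshold had already been crossed when it arrived.
    """
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    succeeded_as = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["lt"] != RDP_LOGON_TYPE:
            continue
        ip = ev["ip"]
        if ev["eid"] == "4625":
            failures[ip] += 1
            users_tried[ip].add(ev["user"])
        elif failures[ip] >= fail_threshold and ip not in succeeded_as:
            succeeded_as[ip] = ev["user"]
    findings = {}
    for ip, count in failures.items():
        if count >= fail_threshold:
            findings[ip] = {
                "failures": count,
                "users_tried": sorted(users_tried[ip]),
                "succeeded_as": succeeded_as.get(ip),
                "severity": "high" if ip in succeeded_as else "medium",
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, f)
```

The point of tracking the success separately is triage: a source that crosses the threshold and then gets a 4624 is an account compromise to respond to now, while a source that only fails is noise to block at the perimeter. Exposing RDP only behind a VPN or gateway with MFA removes most of this signal in the first place.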
Other notable cyber events of 2024
Snowflake Breach (April 2024)
By now, it might seem obvious that robust password policies are critical, yet lapses still occur. In mid-April 2024, Snowflake detected unusual activity within its systems and officially disclosed potential unauthorized access on May 23, 2024. As a provider of cloud services for managing massive datasets, Snowflake’s 9,500 customers represent an attractive target for cybercriminals.
Surprisingly, the attackers didn’t exploit a zero-day vulnerability or deploy a sophisticated social engineering campaign. Instead, they accessed accounts using credentials obtained through other means—accounts that lacked Multi-Factor Authentication (MFA). According to Snowflake, the attackers “leveraged credentials previously purchased or obtained through infostealing malware.” Only after this incident did Snowflake enforce MFA on all accounts.
Google company Mandiant identified threat actor UNC5537 as systematically compromising Snowflake customer instances using stolen customer credentials. Companies have been outsourcing data to the cloud for storage and processing since the mid-2000s, but with incidents such as this there’s increasing concern that they’re exposed to potential data breaches when their operations use a shared IT infrastructure.
In November 2024, Canadian authorities arrested Alexander “Connor” Moucka for allegedly being one of the actors behind the Snowflake attacks. An alleged collaborator, American John Binns, who was previously indicted for an attack on T-Mobile in 2021, was arrested by Turkish authorities and remains in custody. The final piece of the puzzle was the arrest of a U.S. Army soldier, who allegedly goes by the name Kiberphant0m, at the end of December. The story of how the Canadian was tracked and identified by U.S. cybersecurity firm Unit221B is good reading, and it shows that high-profile, mass-victim cyberattacks can result in successful coordinated investigations.
A small sample of impacted customers includes:
- Neiman Marcus
- Ticketmaster: criminal group ShinyHunters claimed to have 560 million records for sale
- Santander: again, ShinyHunters claimed to have 30 million records of Spain’s largest bank. Santander confirmed that information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees had been accessed
- Advance Auto Parts: Sp1d3r claims to have 380 million customer details
- Financial services company LendingTree and subsidiary QuoteWizard: Sp1d3r claims to have records of 190 million people.
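The Snowflake incident turned on a simple, auditable condition: accounts whose successful logins used a password and nothing else. The Python below is an added example for this article, not Snowflake’s code or the report’s; it runs that audit over constructed login-history records. The record fields (first and second authentication factor, success flag, client IP) are loosely modeled on what a cloud provider’s login-history view exposes, but the exact schema, the factor names and the sample users are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LoginEvent:
    """One authentication event. Field names loosely follow the first/second
    authentication-factor columns of a cloud login-history view; the exact
    schema is an assumption of this example, not a vendor's."""
    user_name: str
    is_success: bool
    first_factor: str             # e.g. "PASSWORD", "RSA_KEYPAIR", "OAUTH_ACCESS_TOKEN"
    second_factor: Optional[str]  # e.g. "DUO_PUSH"; None when no MFA step happened
    client_ip: str


# Constructed sample: alice always completes MFA, bob never does and logs in
# from two addresses, svc_etl authenticates with a key pair (no password to
# protect with MFA), carol only has a failed attempt, dave is half-migrated.
SAMPLE_LOGINS: List[LoginEvent] = [
    LoginEvent("alice", True, "PASSWORD", "DUO_PUSH", "198.51.100.10"),
    LoginEvent("alice", True, "PASSWORD", "DUO_PUSH", "198.51.100.10"),
    LoginEvent("bob", True, "PASSWORD", None, "203.0.113.20"),
    LoginEvent("bob", True, "PASSWORD", None, "203.0.113.20"),
    LoginEvent("bob", True, "PASSWORD", None, "203.0.113.77"),
    LoginEvent("svc_etl", True, "RSA_KEYPAIR", None, "10.0.4.2"),
    LoginEvent("carol", False, "PASSWORD", None, "203.0.113.99"),
    LoginEvent("dave", True, "PASSWORD", None, "198.51.100.31"),
    LoginEvent("dave", True, "PASSWORD", "DUO_PUSH", "198.51.100.31"),
]


def audit_mfa(events):
    """Summarise successful logins per user: password-only logins, logins that
    completed a second factor, key/token logins, and distinct source IPs."""
    report = {}
    for ev in events:
        if not ev.is_success:
            continue  # failed attempts say nothing about MFA coverage
        entry = report.setdefault(ev.user_name, {
            "password_only_logins": 0,
            "mfa_logins": 0,
            "key_or_token_logins": 0,
            "ips": set(),
        })
        entry["ips"].add(ev.client_ip)
        if ev.first_factor != "PASSWORD":
            entry["key_or_token_logins"] += 1
        elif ev.second_factor is None:
            entry["password_only_logins"] += 1
        else:
            entry["mfa_logins"] += 1
    for entry in report.values():
        entry["distinct_ips"] = len(entry.pop("ips"))
    return report


def accounts_needing_mfa(events):
    """Users with at least one successful password-only login: the population
    an MFA-enforcement policy has to cover before stolen passwords stop working."""
    report = audit_mfa(events)
    return sorted(u for u, e in report.items() if e["password_only_logins"] > 0)


if __name__ == "__main__":
    for user, entry in audit_mfa(SAMPLE_LOGINS).items():
        print(user, entry)
    print("enforce MFA on:", accounts_needing_mfa(SAMPLE_LOGINS))
```

Two details matter in practice. A user who sometimes completes MFA (dave) is still exposed, because an infostealer-harvested password works on the sessions where the second factor was not required, so the report flags any password-only success rather than a majority. And key-pair or token logins are excluded from the flag but still counted, since those credentials need their own rotation and scoping controls rather than MFA.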
AT&T, followed by AT&T (March 2024, July 2024)
Big companies represent big targets.
- In the first week of March, a dataset apparently from 2019 or earlier containing the personal data of 73 million current and former customers, including Social Security numbers and account passcodes appeared on the dark web.
- In July, AT&T announced that it was again breached. This time the stolen data included AT&T records of calls and texts from more than 100 million cellular customers, wireless network customers and landline customers from May 2022 to October 2022, as well as on January 2, 2023. According to the New York Times, AT&T spokesman Jim Kimberly said the customer data was downloaded from Snowflake’s cloud platform.
Dell & Dell again (April 2024, September 2024)
- At the end of April, threat actor Menelik put a trove of Dell customer data up for sale on the Breached hacking forum, and just over a week later Dell started to send notifications warning customers that their personal data had been stolen in a data breach. According to Bleeping Computer, Menelik revealed they used a partner portal API to steal 49 million customer records.
- In September, more data was allegedly stolen from Dell, and released on the dark website BreachForums. Hack me once, shame on you …
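The Dell item above is a reminder that an API which hands out one customer record per authenticated request will also hand out 49 million records to a client that simply asks 49 million times. The Python below is an added example for this article, not Dell’s or the report’s code; it shows the server-side detection a defender would want for that pattern: per API client, fixed time windows are checked for an unusually large number of distinct record IDs, and the IDs are tested for the consecutive walk that enumeration produces. The access-log format, the `/api/v1/customers/<id>` path, the client names and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log line format (not any vendor's):
#   <ISO-8601 timestamp> client=<api client id> GET /api/v1/customers/<record id> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) GET /api/v1/customers/(?P<rid>\d+) (?P<status>\d{3})$"
)


def _epoch(ts: str) -> int:
    """ISO-8601 with trailing Z to Unix seconds (older fromisoformat needs +00:00)."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())


def build_sample_log():
    """Constructed access log: partner-417 walks 120 consecutive customer IDs in
    two minutes; partner-022 looks up 8 unrelated records spread over an hour."""
    lines = []
    for i in range(120):
        lines.append(
            f"2024-04-28T10:{i // 60:02d}:{i % 60:02d}Z client=partner-417 "
            f"GET /api/v1/customers/{1000001 + i} 200"
        )
    normal_ids = [5123, 99821, 41007, 2, 77310, 61555, 8890, 30301]
    for i, rid in enumerate(normal_ids):
        lines.append(
            f"2024-04-28T10:{i * 7:02d}:30Z client=partner-022 GET /api/v1/customers/{rid} 200"
        )
    return lines


def detect_enumeration(lines, window_seconds=300, max_distinct=50, seq_ratio=0.8):
    """Group successful record lookups per client into fixed windows and flag any
    window with >= max_distinct distinct IDs. The finding also reports how many
    of the sorted IDs are consecutive, which separates a scripted walk through
    the ID space ("sequential") from a scattered bulk pull ("bulk")."""
    buckets = defaultdict(list)  # (client, window_start_epoch) -> [record ids]
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["status"] != "200":
            continue  # only records actually served count towards exposure
        start = _epoch(m["ts"]) // window_seconds * window_seconds
        buckets[(m["client"], start)].append(int(m["rid"]))

    findings = defaultdict(list)
    for (client, start), ids in buckets.items():
        distinct = sorted(set(ids))
        if len(distinct) < max_distinct:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        findings[client].append({
            "window_start_epoch": start,
            "requests": len(ids),
            "distinct_ids": len(distinct),
            "sequential_ratio": round(ratio, 3),
            "pattern": "sequential" if ratio >= seq_ratio else "bulk",
        })
    return dict(findings)


if __name__ == "__main__":
    for client, windows in detect_enumeration(build_sample_log()).items():
        print(client, windows)
```

Detection is the second line here, not the first: per-client rate limits and quotas on record lookups, and record identifiers that are not predictable integers, take away both the speed and the enumeration pattern the detection relies on.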
Kaspersky Exit (June 2024)
In June, the US Commerce Department announced a decision that prohibits Kaspersky from directly or indirectly providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons. It also bans updates to software already in use. The decision “found that the company’s continued operations in the United States presented a national security risk—due to the Russian Government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations.”
Kaspersky’s products have a very good reputation for their protection, but the company is an unfortunate victim of today’s geopolitical climate.
CrowdStrike Oopsie (July 2024)
While not the result of a cyberattack, a faulty software update from CrowdStrike caused a global IT outage, affecting approximately 8.5 million machines and costing Fortune 500 companies billions to recover.
Endpoint protection software has a very high level of privilege in the operating system, leveraging a kernel driver for a range of reasons including system-wide visibility, and self-protection. This level of system privilege does expose some risk, as this incident indicated.
What’s the takeaway from this?
The impact of this incident notwithstanding, keeping your operating system and application software up to date is one of the most important things you can do as part of your security practice.
Trump’s presidential campaign (August 2024)
U.S. government officials blamed Iranian hackers for breaking into Donald Trump’s presidential campaign. The hackers also attempted to break into the then-Biden-Harris campaign, their activities seeking “to stoke discord and undermine confidence in our democratic institutions”. As a result, in September the US Justice Department indicted three Iranians on charges of wire fraud, identity theft, providing material support to a terrorist organization and a variety of cybercrimes.
Telegram take-down (August 2024)
Telegram is a cloud-based messaging app owned and founded by Russian entrepreneurs Pavel and Nikolai Durov. By offering end-to-end encryption without having to provide a phone number, they intended Telegram to be a platform providing secure communications without government interference. While this seems like a noble intent, the platform appealed to less than savory groups that wanted to keep their communications private – including cybercriminals, black market dealers, conspiracy theorists, and extremists.
Things came crashing down in August 2024 when French authorities arrested and charged Durov with complicity in a wide range of crimes, including drug trafficking and “enabling the distribution of child sexual abuse material.” There’s nothing like prison food to motivate people, and on September 23 Durov posted “the IP addresses and phone numbers of those who violate our rules can be disclosed to relevant authorities in response to valid legal requests”.
American Water Works (October 2024)
American Water Works, with almost $1B in net income in 2023, provides drinking water, wastewater and related services to approximately 14 million people in 14 states and 18 military installations.
According to American Water Works’ filing with the SEC, on Oct 3 the company discovered unauthorized access to its infrastructure as the result of a cybersecurity incident. In the statement, the company says that it currently believes none of its water or wastewater facilities or operations were affected, while also acknowledging that it can’t presently predict the full impact.
By October 15, the company stated that they “have no indication that its water and wastewater facilities were impacted by this incident”, which makes us feel … unsure.
As noted by The Record, the EPA had sought to strengthen cybersecurity at water utilities, but those efforts were halted by litigation “by attorneys general in the States of Missouri, Arkansas, and Iowa as well as industry groups American Water Works Association (AWWA) and National Rural Water Association (NRWA).”
Notorious Hacker USDoD arrested in Brazil (October 2024)
It seems that hackers that draw the brightest spotlights on themselves often get taken down by law enforcement. Hacker USDoD, also known as EquationCorp, was allegedly behind the hacks of the FBI’s InfraGard threat information sharing portal, Airbus, and the massive leak of National Public Data.
In August the person behind USDoD was doxed by tecmundo (Portuguese) as Luan B.G., a 33-year-old man from Minas Gerais, Brazil, and on October 17 it was reported that the person behind several hacks claimed by USDoD had been arrested.
Cleo file transfer platforms hacked (December 2024)
In 2023, the exploitation of a vulnerability in Progress Software’s MOVEit file transfer app by cybercriminal group Cl0p resulted in more than 2,500 organizations and over 95 million individuals being impacted. In December we saw Cleo file transfer products hacked, and we may not know until well into 2025 whether we’re facing another MOVEit-style wave of victims.
U.S. Treasury Department hacked (December 2024)
In the final days of 2024, there was word of a major breach of the U.S. Treasury Department. Initial access by the threat actor was gained by leveraging vulnerabilities in BeyondTrust’s remote support software and the incident has already been attributed to a China state-sponsored actor. Needless to say, 2025 will be an interesting year with governments and their accomplices jockeying to establish and maintain positions of Cyber Power.
Why All of This Matters
Understanding the threat landscape is as important as implementing an effective and robust cybersecurity framework based on people, process, and technology. Focusing on the basics is a good way to start, because a great number of successful breaches use the same basic techniques, which can be easily mitigated. This is illustrated by CISA’s “FY23 RISK AND VULNERABILITY ASSESSMENTS (RVA) RESULTS”. It shows that the initial access technique with the highest success rate was Valid Accounts (41%). Similarly, Valid Accounts had the highest success rate for Persistence (42%) and Privilege Escalation (44%).
This is the same technique used in the Snowflake breach described above, and implementing strong password policies is an easy and effective preventative measure. Read about password security best practices here, and have a safe 2025.
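Since the closing recommendation is a strong password policy, here is what one looks like when it is enforced in code rather than in a document. The Python below is an added example for this article, not the report’s or CISA’s; it follows the direction of NIST SP 800-63B (prefer length and a breached/common-password denylist over composition rules) and adds the check that catches most real-world failures: trivial variants such as “P@ssw0rd2024!” are folded back onto the denylisted base word before comparison. The minimum length of 12, the small denylist and the organisation words are constructed assumptions standing in for a real corpus.

```python
import re

# Constructed denylist standing in for a real breached/common-password corpus
# (a production check would use a large list or a k-anonymity range lookup).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "summer", "winter",
}

# Words tied to the organisation or service; constructed for the example.
CONTEXT_WORDS = {"acme", "acmecorp", "snowflake"}

# Leet-speak substitutions folded back to letters: @->a 0->o 1->i 4->a 3->e $->s !->i
LEET = str.maketrans("@0143$!", "aoiaesi")


def normalize(candidate: str) -> str:
    """Fold trivial variants onto their base word: lower-case, drop trailing
    digits/symbols ("Welcome2024!" -> "welcome"), then undo leet substitutions
    ("P@ssw0rd" -> "password")."""
    s = candidate.lower()
    s = re.sub(r"[\W\d_]+$", "", s)
    return s.translate(LEET)


def evaluate_password(candidate: str, username: str, min_length: int = 12):
    """Return the list of policy violations; an empty list means the password
    is accepted. Reasons are ordered length, denylist, context, repetition."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS or normalize(candidate) in COMMON_PASSWORDS:
        reasons.append("common or breached password (or trivial variant)")
    if username and username.lower() in lowered:
        reasons.append("contains the account name")
    if any(word in lowered for word in CONTEXT_WORDS):
        reasons.append("contains an organisation or service name")
    if re.search(r"(.)\1{3,}", candidate):
        reasons.append("four or more repeated characters")
    return reasons


if __name__ == "__main__":
    for pw in ["P@ssw0rd2024!", "correct horse battery staple", "bob-acme-login!", "aaaa1234"]:
        print(repr(pw), evaluate_password(pw, "bob") or "accepted")
```

The example deliberately has no uppercase/digit/symbol requirement: a long passphrase that is not on any breach list passes, while a short, complex-looking variant of “password” does not. Paired with MFA enforcement, this is the control that takes the Valid Accounts technique off the table for the bulk of opportunistic attackers.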