On February 4, 2025, Coveware, Inc. released its quarterly ransomware report for the fourth quarter of 2024, which found that the percentage of victims paying ransoms fell to a historic low of 25%. While the average payment in Q4 2024 rose 16% quarter-over-quarter to $553,959, the median payment dropped a significant 45% to $110,890. The median is generally a better indicator of the market because it is not skewed by very high or low payments. This median amount is sharply down from an all-time high of $250,000 in Q1 2024.
Coveware’s data suggests that ransoms continue to be paid only as a last resort, in part because threat actors do not always honor their promises. Payments are also likely being deterred by increasing regulatory guidance in some industries against paying ransoms. According to the report, encryption as a method of extortion is declining overall because organizations are improving hardening measures and their backup and recovery processes. Coveware also noted that Q4 2024 was a banner quarter for global law enforcement, which made significant arrests and took down major cybercriminal groups, including those relating to LockBit, Snowflake, Meta Infostealer, and Scattered Spider. See LockBit Takedown Indicates Shifting DOJ Cyber Strategy and Has Implications for Ransomware Victims (Alston & Bird Privacy, Cyber & Data Strategy Blog, May 15, 2024).
In Q4 2024, Coveware found that threat actors generally moved away from attacking high-profile organizations and instead targeted small and medium companies in higher numbers and with repetitive attack patterns. Lone wolf actors continued to play a significant role in the extortion market even though two major Ransomware-as-a-Service groups collapsed last year. Coveware’s data has shown that lone wolf actors held their position and largely continued to operate without group affiliation. Organizations with between 101 and 1,000 employees experienced the highest rate of attack with 41.53% of reported incidents, and those with between 11 and 100 employees accounted for 29.66%. That means over 70% of reported incidents in Q4 2024 were at mid-sized organizations, possibly because they have valuable data but less-mature cybersecurity defenses than large organizations.
As expected, phishing continued to be the primary method of attack in Q4 2024. Remote access compromise was not far behind and increased for the first time during 2024. Remote access compromise frequently involved targeting vulnerabilities in VPNs, as well as using stolen credentials and brute force attacks. Other methods, including software vulnerability and inside actors, continued their 2024 decline during the fourth quarter.