Q1 2024 Crimeware Report 

The report leverages data collected during Arete’s response to ransomware and extortion attacks and explores the rise and fall of ransomware variants, trends in ransom demands and payments, impacts on critical infrastructure, and what Arete expects to see in Q2.  


Overview

• Throughout Q1, law enforcement continued to pressure large Ransomware-as-a-Service (RaaS) groups, significantly disrupting LockBit’s operations. Meanwhile, ALPHV used previous law enforcement actions to abandon its brand in an exit scam.  
  
• With LockBit and ALPHV’s combined activity no longer comprising the majority of ransomware engagements, Arete observed a much broader and more evenly distributed threat landscape, with activity from groups including 8Base, BianLian, Black Basta, Cactus, DragonForce, Hunters International, HsHarada, Medusa, Phobos, Rhysida, and Trigona.  
  
• The median ransom payment increased slightly from Q4 to Q1 but remained about the same as the median payments for all of 2023. The trend of fewer organizations paying ransoms also continued, as a ransom was paid in just 34% of Arete engagements during the quarter.  
  
• In Q1, threat actors continued to leverage malware and increasingly relied on tools with legitimate uses that allowed cybercriminal operations to go undetected for longer.
• When we look at the file-based operations of the most commonly observed threat actors, some clear security defenses emerge.
  
  Learn more about these recommended measures in the report.