Ransomware-as-a-Service (RaaS) Emerges as a Leading Framework for Cyberattacks


Ransomware-as-a-Service (RaaS) has solidified its position as the dominant framework driving ransomware attacks in 2024, according to the latest insights from Kaspersky ahead of International Anti-Ransomware Day on May 12.

Kaspersky Security Network data reveals an 18% drop in ransomware detections from 5,715,892 in 2023 to 4,668,229 in 2024, yet the share of affected users edged up by 0.02 percentage points to 0.44%.

Despite the decline in raw numbers, ransomware remains a critical threat, particularly through targeted attacks on high-value organizations.


Kaspersky’s Global Emergency Response Team (GERT) reports that 41.6% of incidents requiring immediate response in 2024 were ransomware-related, up from 33.3% in 2023.

The RaaS model, exemplified by platforms like RansomHub, lowers the technical barrier for cybercriminals by providing pre-built malware, technical support, and affiliate programs that split ransoms, often on a 90/10 basis between affiliates and the core group.

This scalability has birthed numerous new ransomware groups in 2024, enabling even less-skilled actors to orchestrate sophisticated attacks while traditional ransomware lingers as a secondary threat.

New Extortion Tactics and Cross-Platform Threats

RaaS platforms are expanding not just in number but also in capability. Groups like RansomHub and Akira are developing variants for Linux and VMware systems in cloud and virtualized environments, reaching beyond the Windows ecosystem, which is still the primary target due to its enterprise prevalence and vulnerabilities in tools like Remote Desktop Protocol (RDP).

This cross-platform shift reflects a strategic adaptation to hybrid infrastructures, a trend expected to deepen into 2025.

Concurrently, while encryption remains a hallmark of ransomware, many groups are pivoting toward data exfiltration as a primary or complementary tactic.

Modern operators employ double or triple extortion, combining data theft with encryption and threatening to leak sensitive information to coerce payments.

Financial dynamics further complicate the threat landscape: Chainalysis notes a 35% drop in total ransomware payments to $813.55 million in 2024 from $1.25 billion in 2023, yet Sophos reports a staggering rise in average ransom demands from $1,542,333 to $3,960,917, indicating a focus on larger organizations.

Despite law enforcement efforts, such as Operation Cronos dismantling parts of LockBit’s infrastructure and the FBI’s takedown of ALPHV/BlackCat, groups like RansomHub and Play quickly fill the gaps, often reusing leaked tools or code from predecessors like REvil or BlackMatter.

AI and Custom Toolkits Improve Ransomware

Adding to the complexity, emerging groups like FunkSec, active since late 2024, leverage AI-assisted tools, including large language models (LLMs), to craft malware with polished, detection-evading code while adopting a high-volume, low-cost ransom strategy across sectors like government and finance.

Additionally, ransomware actors are increasingly developing custom toolkits for exploitation, lateral movement, and password attacks to enhance attack precision and bypass defenses.

As techniques like Bring Your Own Vulnerable Driver (BYOVD) exploits, which use legitimate, signed drivers to gain kernel-level access on Windows, gain traction, the urgency for robust defenses intensifies.

Kaspersky recommends proactive measures like automated patch management, enabling Microsoft’s Vulnerable Driver Blocklist, and deploying advanced endpoint detection solutions to counter these evolving threats in 2025.
