Power Rankings: Ransomware Malicious Quartile

Ransomware  has evolved beyond being a tool for financial gain. For adversarial nations, it serves as a low-cost, high-impact mechanism to disrupt targets while avoiding direct confrontation. Recognizing and addressing this reality is a crucial step in protecting critical systems and ensuring national security in an era of increasingly complex threats. The Halcyon team of ransomware experts has put together this extortion group power rankings guide as a quick reference for the extortion threat landscape based on data from throughout Q1-2025, which can be reviewed along with earlier reports here:
Power Rankings: Ransomware Malicious Quartile.

‍

Ransomware has become one of the most disruptive cyber threats in recent years, impacting critical systems, endangering lives, and costing billions of dollars. However, framing ransomware attacks as solely financially motivated obscures the reality that some of these incidents serve broader geopolitical purposes.

Specifically, evidence suggests that Russia directs ransomware operators to target sectors like healthcare, energy, and food supply chains, aligning these attacks with its strategic objectives. By undermining public confidence in Western institutions while maintaining plausible deniability, Russia uses ransomware as a tool to further its geopolitical ambitions.

‍

In 2023, a staggering $1 billion in ransom payments was recorded, setting a record largely due to high-profile cyberattacks. Two of the most notable incidents involved Cl0p, a notorious ransomware group that exploited vulnerabilities in a file transfer tool, and BlackCat/ALPHV, which orchestrated a significant attack on Caesars Entertainment’s hotel properties. This surge in ransom payments highlights the escalating scale and severity of ransomware attacks targeting organizations across various sectors.

The situation has worsened significantly in 2024. By the end of the first half of the year, ransomware payments reached a staggering $459 million, according to a report by Chainalysis. This figure represents a $10 million increase over the same period in 2023, reflecting a concerning upward trend in ransomware-related extortion. The growing financial impact underscores the heightened capabilities of ransomware groups and the increased pressure on victims to pay.

Ransomware attacks continue to plague nearly every major business sector as well as state and local Governments. The relentless pace of attacks brings into question whether organizations fully understand the threat and what steps need to be taken to reduce the risk of costly disruptions.

There need to be real consequences – not just for those who are orchestrating the attacks and benefitting financially, but also for the nation-states who are benefiting geopolitically. Until there are real consequences on the table, we will see these attackers continue to brazenly act with impunity.

The Halcyon team of ransomware experts has put together this extortion group power rankings guide as a quick reference for the extortion threat landscape based on data from throughout Q2- 2024.

Ransomware attacks in 2023 broke nearly all previous records, with the majority (75%) of organizations reported being targeted by at least one ransomware attack, and 26% reporting they were targeted with ransomware four or more times. But the first quarter of 2024 is telling a bit of a different story, with some research indicating that ransomware attacks may have decreased by 20% or more from levels observed in the last quarter of 2023. Several factors may be at play in prompting the drop in attacks, including law enforcement actions against two of the top ransomware-as-a-service (RaaS) platform providers — LockBit and BlackCat/ALPHV — as well as a push by governments and some security experts to ban ransomware payments.

Ransomware remains one of the most significant threats to organizations of all sizes in all industry verticals. Following a bit of a lull the previous year, the first half of 2023 saw more victims impacted by ransomware attacks than in all of 2022 as threat actors continue to leverage Ransomware-as-a-Service (RaaS) platforms to execute their attacks. The vast majority (75%) of organizations reported being targeted by at least one ransomware attack in 2023, with 26% reporting they were targeted with ransomware four or more times.

Ransomware poses an existential threat to organizations of all sizes in any vertical. Ransomware attacks continue to be extremely lucrative, with ransom demands and recovery costs bleeding victim organizations for millions of dollars. 

Ransomware-as-a-Service (RaaS) and other operators are implementing novel evasion techniques into their payloads specifically designed to evade or completely circumvent traditional endpoint protection solutions.

More than 2,300 organizations succumbed to ransomware attacks in just the first half of 2023 according to the most recent data, with the vast majority carried out by only three ransomware operators: LockBit(35.3%), ALPHV/BlackCat (14.2%), and Cl0p (11.9%).

Overall, ransomware attacks were up 74% in Q2-2023 over Q1 volumes.

Over the course of 2022, 85% of companies were the victim of at least one ransomware attack, and 74% had experienced multiple attacks. Ransomware has fast become the greatest risk to organizations today.

Ransomware attacks continue to be extremely lucrative, with ransom demands and recovery costs bleeding victim organizations for millions of dollars.