Freely subscribe to our NEWSLETTER

Key Points
• Ransomware activity is down 18% compared to the fourth quarter of 2023. This slow start to the year was likely influenced by the holiday period as well as recent law enforcement operations against ALPHV and LockBit.
• The most active groups in the first quarter of 2024 (Q1 2024) were LockBit, Black Basta, and Play. Black Basta saw the most growth in activity—41% quarter-over-quarter.
• During Q1 2024, the ALPHV group conducted an exit scam to defraud its affiliates out of an alleged $22 million ransom payment taken from a healthcare organization. It is realistically possible that some affiliates have since moved to the RansomHub group, which emerged in February 2024.
• A law enforcement operation targeting LockBit in February 2024 significantly impacted the group, which, despite showing resilience in restoring operations, has not met its previous operational output.
• LockBit has faced significant reputational setbacks among affiliates. Cybercriminal forum chatter showed that users were apprehensive about working with a group compromised by law enforcement. The DarkVault ransomware group is a possible successor group to LockBit.
• The US and the manufacturing sector were the primary targets of ransomware attacks in Q1 2024, consistent with the previous quarter. This is likely due to the perception of financial rewards afforded by US-based companies, and manufacturing’s susceptibility to ongoing outages.
• In the coming months, we expect to see a return of the Clop group in targeting susceptible enterprise file transfer software, increased use of generative artificial intelligence and automation in ransomware campaigns, and adaptations to the transfer and storage of decryption keys amongst ransomware members.

In Q1 2024, ReliaQuest identified 1,041 organizations posted to ransomware data-leak sites (DLS), representing an 18% decrease from Q4 2023. While Q1 2024’s figures indicate somewhat of a slowdown in ransomware activity, it likely only represents a temporary lull. We expect ransomware to rise in the second quarter of 2024, a trend we’ve seen in previous years.
A law enforcement crackdown on the LockBit ransomware group in February of this year likely contributed to a dip in overall ransomware activity. While LockBit, the most prolific ransomware group in recent years, showed resilience in the aftermath of this operation, it was short-lived: The group saw a 21% decrease in activity this quarter compared to Q4 2023.

Q1 2024 also saw an ALPHV exit scam, in which the group posted a potentially fake law enforcement takedown notification on its DLS. We suspect this was conducted to scam its affiliates out of a $22 million ransom payment allegedly taken from UnitedHealth’s Change Healthcare unit. Several ALPHV members have likely moved to other ransomware operations following this (including the RansomHub group, which emerged in February 2024).
These events contributed to a tumultuous first three months of 2024 for the ransomware ecosystem; however, the threat these groups pose remains. This report outlines some of the key takeaways from this period.