2025-02-13

Akira and Fog Dominate Ransomware Landscape, But Payouts Fall in Q4 2024

Level: Strategic | Source: Coveware | Global


The final quarter of 2024 saw a shift in the ransomware landscape, with a decline in ransom payments despite persistent ransomware activity. According to Coveware, the percentage of organizations opting to pay ransoms dropped to an all-time low of 25%, down from 33% in Q3. This decline is attributed to improved cybersecurity defenses, enhanced backup and recovery strategies, and organizations choosing to refuse payments to cybercriminals. While the average ransom payment increased by 16% to $553,959, the median payment dropped by 45% to $110,890, reflecting that fewer victims are conceding to extortion demands. Coveware notes, "Payments continue to remain primarily a last-resort option for those who have no alternative to recover critical data," reinforcing the importance of resilient data protection measures.

Despite the decline in ransom payments, ransomware gangs remain highly active, particularly Akira and Fog, which were the most frequently observed ransomware variants in Q4. Akira has remained the dominant ransomware for six consecutive quarters, while Fog surged in prominence, tying Akira at 11% market share. These groups have avoided high-profile attacks on healthcare and critical infrastructure, instead focusing on small and medium-sized enterprises. Notably, "lone wolf" ransomware actors continue to hold a strong presence in the market, maintaining their foothold since the collapse of major Ransomware-as-a-Service (RaaS) groups earlier in 2024. This persistence suggests that independent operators remain a viable threat, adapting their tactics while avoiding the risks and instability associated with RaaS platforms.

The decrease in ransom payments is also attributed to global law enforcement efforts that have targeted and dismantled key cybercriminal operations. In Q4 alone, multiple high-profile arrests and takedowns disrupted ransomware gangs and cybercrime networks. The arrest of four LockBit affiliates in October, along with the U.S. Treasury Department's sanctions against LockBit, signaled a major effort to curb the ransomware ecosystem. Additionally, Dutch authorities dismantled the RedLine and META infostealers, two prominent malware-as-a-service platforms used to facilitate credential theft and ransomware infections. Other notable law enforcement actions included the extradition of Phobos ransomware affiliate Evgenii Ptitsyn to the U.S. and the dismantling of Scattered Spider, a cybercriminal group known for high-profile breaches. These crackdowns have increased operational risks for ransomware operators, forcing them to adapt or disband.

While law enforcement efforts have disrupted major cybercriminal networks, threat actors are shifting towards data exfiltration as a primary tactic. The share of data extortion-only attacks rose to 41% in Q4, reflecting an increase in cybercriminals stealing sensitive information and demanding payment in exchange for not leaking it. However, security experts warn that paying for a promise to delete stolen data remains highly unreliable, as history has shown that ransomware operators frequently resell or leak the data regardless of payment. Coveware notes, "By reducing the financial incentive for attackers, this trend will help weaken the overall ransomware economy and deter future attacks."

Despite law enforcement pressure, ransomware operators continue to refine their techniques, leveraging AI-driven phishing, SEO poisoning, and social engineering to gain initial access to networks. Phishing and remote access compromises remained the dominant attack vectors in Q4, with callback phishing and vishing (voice phishing) emerging as growing concerns. Groups like Black Basta impersonated IT support through Teams messages, while Qilin used SEO poisoning to direct victims to malicious downloads. The exploitation of zero-day vulnerabilities, particularly in VPN appliances from vendors such as Ivanti and Fortinet, remained a key avenue for attackers, with stolen credentials frequently sold on underground markets.

From a MITRE ATT&CK tactics perspective, Exfiltration surged to 87% of cases, surpassing Lateral Movement (74%), which saw a slight decline. Impact tactics, such as encrypting virtualized environments, remained a critical concern, appearing in 85% of cases. Threat actors continue to target VMware ESXi hypervisors, often locking administrators out and forcing full system reinstalls, erasing forensic evidence in the process. Additionally, Discovery and Collection tactics saw increased usage, as adversaries utilized reconnaissance tools like AdFind and BloodHound to map victim networks before launching ransomware attacks.
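The Discovery activity described above (AdFind and BloodHound/SharpHound mapping a victim's Active Directory before encryption) is one of the few pre-impact stages where a defender still has time to act. The following is an added example, not code from Coveware or Anvilogic, showing how a detection engineer might flag that tooling in process-creation telemetry and tag each hit with the MITRE ATT&CK tactic the report counts. The JSON-lines event format (host, user, image, command_line) is a constructed stand-in for EDR or Sysmon Event ID 1 output, and the indicator list is a hypothetical starting point rather than a vendor signature set.

```python
"""Flag Active Directory reconnaissance tooling in process-creation telemetry.

Added example; not from the Coveware report or the Anvilogic post.
The event schema and the indicator patterns below are assumptions made for
the example, chosen to illustrate the Discovery tactic (TA0007) the report
counts, not a complete or authoritative rule set.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample telemetry (JSON lines): two benign events and four that
# carry indicators associated with AdFind or SharpHound/BloodHound collection.
SAMPLE_EVENTS = r"""
{"host":"WS01","user":"alice","image":"C:\\Windows\\System32\\notepad.exe","command_line":"notepad.exe notes.txt"}
{"host":"WS07","user":"svc_backup","image":"C:\\Tools\\adfind.exe","command_line":"adfind.exe -f objectcategory=computer -csv"}
{"host":"WS03","user":"bob","image":"C:\\Users\\bob\\Downloads\\SharpHound.exe","command_line":"SharpHound.exe -c All --zipfilename out.zip"}
{"host":"WS02","user":"carol","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c dir"}
{"host":"WS05","user":"dan","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -nop -c Import-Module .\\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All"}
{"host":"WS09","user":"erin","image":"C:\\Temp\\af.exe","command_line":"af.exe -sc trustdmp"}
"""

TACTIC = "Discovery (TA0007)"  # ATT&CK tactic the report measures


@dataclass(frozen=True)
class Indicator:
    name: str
    technique: str       # ATT&CK technique id under the Discovery tactic
    pattern: re.Pattern  # matched against image path + command line


INDICATORS = [
    # Renamed AdFind binaries are common (see the af.exe event), so match on
    # its distinctive switches as well as on the default file name.
    Indicator(
        "AdFind AD enumeration",
        "T1087.002",
        re.compile(r"(?:\badfind\.exe\b|-f\s+objectcategory=|-sc\s+trustdmp\b)", re.I),
    ),
    # SharpHound collector or the PowerShell ingestor wrapper.
    Indicator(
        "SharpHound/BloodHound collection",
        "T1069.002",
        re.compile(r"(?:sharphound|invoke-bloodhound|--collectionmethod)", re.I),
    ),
]


def parse_events(jsonl: str) -> list[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def match_event(event: dict) -> list[Indicator]:
    """Return every indicator whose pattern hits the image path or command line."""
    haystack = f"{event.get('image', '')} {event.get('command_line', '')}"
    return [ind for ind in INDICATORS if ind.pattern.search(haystack)]


def detect_recon(jsonl: str) -> list[dict]:
    """Produce one alert record per (event, indicator) match, tagged with ATT&CK ids."""
    hits = []
    for ev in parse_events(jsonl):
        for ind in match_event(ev):
            hits.append({
                "host": ev["host"],
                "user": ev["user"],
                "indicator": ind.name,
                "technique": ind.technique,
                "tactic": TACTIC,
                "command_line": ev["command_line"],
            })
    return hits


def summarize_by_host(hits: list[dict]) -> dict[str, int]:
    """Count alerts per host so analysts can see where recon is concentrated."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return counts


if __name__ == "__main__":
    alerts = detect_recon(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a['host']:5} {a['user']:11} {a['technique']} {a['indicator']}: {a['command_line']}")
    print("per-host:", summarize_by_host(alerts))
```

The switch-based AdFind patterns matter more than the file-name match: in the constructed sample the `af.exe` event would be missed by a name-only rule, and in practice this is the stage where an alert still precedes the Impact phase the report puts at 85% of cases.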
