December 5, 2024 By Mike Elgan 2 min read

The year 2024 saw a marked increase in the competence, aggression and unpredictability of ransomware attackers. Nearly all the key numbers are up — more ransomware gangs, bigger targets and higher payouts. Malicious ransomware groups also focus on critical infrastructure and supply chains, raising the stakes for victims and increasing the motivation to cooperate.

Here are the biggest ransomware stories of 2024.

Ransomware payments reach record high

Ransomware payments surged to record highs in 2024. In the first half of the year, victims paid a staggering $459.8 million to cyber criminals. The largest single ransom payment ever revealed was $75 million paid to the Dark Angels ransomware group by an undisclosed Fortune 50 company.

In addition, the median ransom payment skyrocketed from less than $199 thousand in early 2023 to $1.5 million in June 2024. The average ransom demand in 2024 also saw a significant increase, rising to $2.73 million, nearly $1 million more than in 2023.

Despite these record-breaking payouts, there was a 27.27% year-over-year decline in the number of ransomware payment events. That means that while fewer organizations pay ransoms, those that do pay much higher amounts. The main reason is that ransomware gangs are targeting larger organizations and critical infrastructure providers, focusing on high-profile attacks that yield bigger payouts.

Ransomware attacks affect the health of healthcare

Ransomware attacks on healthcare organizations surged dramatically in 2024, with 264 attacks recorded in just the first three quarters of the year. Some two-thirds (67%) of surveyed healthcare institutions reported being impacted by ransomware attacks, up from 60% in 2023. The average ransom demand per attack exceeded $5.2 million in the first half of 2024, with some high-profile incidents demanding up to $25 million. Recovery times have also increased, with only 22% of victims fully recovering within a week, down from 47% in 2023.

Starbucks hit by grande supply chain attack

Supply chain management software provider Blue Yonder was victimized by a ransomware attack on November 21, 2024. The attack disrupted customers, including coffee giant Starbucks and its 11,000 or so United States stores. Starbucks’ ability to manage employee schedules and track work hours was affected, forcing the high-tech company to use pen and paper for scheduling and affecting payroll. Blue Yonder is working with external cybersecurity firms to investigate, but as of November 25, the company still does not have a timeline for restoration.

New ransomware groups emerge despite crackdowns

This year saw a 30% year-over-year increase in the number of active ransomware groups despite law enforcement crackdowns. Secureworks’ annual State of the Threat Report reveals that 31 new groups entered the ecosystem in just 12 months. When one group, such as LockBit, is suppressed by law enforcement, another, such as RansomHub, emerges to fill the vacuum. It’s a game of Whack-a-Mole for authorities.

Ransomware attackers hit U.S. ports

Ransomware attacks on U.S. ports increased in 2024 in both frequency and sophistication. The Port of Seattle, for example, was attacked in August, causing major disruption. The U.S. government responded assertively. In February 2024, President Biden signed an executive order expanding the U.S. Coast Guard’s authority to address cybersecurity incidents in the maritime sector and mandating more robust digital defenses for port operators.

The importance of cybersecurity has never been higher. With ransomware groups’ increased sophistication and capability, defenders increasingly need AI threat detection and, indeed, AI cybersecurity solutions in general, as well as cybersecurity best practices across the organization.
