In a world where cyber threats feel omnipresent, a recent report has revealed some unexpected good news: ransomware attacks on state and local governments have dropped by 51% in 2024. Still, this decline does not signal the end of the ransomware threat, nor should it lead to complacency. As the nature of ransomware evolves, so do its consequences, costs and implications for enterprises and critical infrastructure.

What’s behind the drop in ransomware attacks? And what does it mean for the future of cybersecurity? Let’s take a look.

The numbers behind the drop

The reported 51% drop in ransomware attacks on state and local governments has been attributed to several factors. Some experts say the decrease is due to fewer governments paying ransoms, making them less attractive targets to cyber criminals.

Previously, local governments were frequent targets, often willing to pay the ransom to restore vital services. However, the tide has shifted. Now, only about 20% of state and local governments surveyed paid the ransom demands, a significant decrease from previous years. This reluctance to pay has impacted ransomware operators’ profitability and made other sectors, potentially less resistant to ransom payments, more attractive targets.

The role of law enforcement and threat group infighting

Law enforcement has played a significant role in disrupting major ransomware operators, further contributing to the decline. In late 2023 and early 2024, global law enforcement agencies, including the FBI, launched coordinated operations against the BlackCat/ALPHV and LockBit ransomware groups. These operations did not eliminate the groups entirely but dealt severe blows to their operations by disrupting their infrastructure and identifying key members.

As the pressure mounted, internal disputes within ransomware groups became public. The LockBit group, for instance, saw a highly publicized dispute between an operator and an affiliate overpayment, further destabilizing the trust within the group. BlackCat, on the other hand, disappeared in a likely exit scam, leaving its affiliates without support. These disruptions, both external from law enforcement and internal from infighting, have led to an exodus of ransomware affiliates away from these major brands.

Why fewer governments are paying ransom

The decline in ransomware attacks is largely tied to a fundamental change in how governments are responding to these attacks. In past years, many municipalities were quick to pay ransoms to regain access to their systems. This practice kept ransomware groups financially motivated. Now, a growing awareness about the risks of paying ransoms, coupled with increased support from the Cybersecurity and Infrastructure Security Agency (CISA), has led to a more cautious approach.

CISA’s involvement has been critical in helping governments recover from ransomware attacks without paying ransoms, making it clear that agencies have other options besides succumbing to extortion. This shift has significantly reduced the financial incentive for ransomware operators to target local governments.

Homeland Security, FBI and Secret Service help state, local and other governments prevent or respond to ransomware attacks. Most government entities say they’re satisfied with the agencies’ prevention and response efforts. However, many cited inconsistent communication during attacks as a problem.

Ransomware costs are rising

While the number of ransomware attacks has decreased, the cost of recovering from these attacks has skyrocketed. The 2024 IBM Cost of a Data Breach report found that the average ransomware attack cost reached $4.91 million across all sectors. As per Sophos, the average recovery cost for state and local governments in 2024 reached $2.83 million, more than double the $1.21 million reported in 2023. This increase can be attributed to the growing sophistication of ransomware attacks, particularly in how they target system backups.

In the past, many organizations could recover from ransomware attacks by restoring data from backups. However, ransomware groups have become more adept at compromising these backups as well, with 99% of state and local government organizations hit by ransomware reporting attempts to compromise their backups. Just over half of these attempts were successful, leading to significantly higher recovery costs as organizations were forced to rebuild their systems from scratch.

The shift towards unaffiliated actors

One of the more interesting trends in 2024 has been the rise of unaffiliated ransomware actors. Coveware reported a significant increase in attacks by unaffiliated actors, often referred to as “lone wolves.” These attackers operate independently of established ransomware brands like LockBit or BlackCat, making it more challenging to attribute attacks to a specific group.

This shift towards unaffiliated actors can be traced back to the collapse of major ransomware groups. As law enforcement crackdowns and infighting destabilized these groups, many ransomware affiliates chose to operate independently or under different ransomware brands. Data suggests that affiliates are moving fluidly between different ransomware groups or, in some cases, going unaffiliated altogether to avoid drawing attention to any single group.

The rise of unaffiliated attackers presents a new challenge for cybersecurity professionals. Without a clear brand attribution, it becomes more difficult to anticipate and defend against attacks. Enterprises and government agencies must focus on defending against the tactics, techniques and procedures (TTPs) of ransomware attacks, rather than simply tracking the movements of known groups.

One example of a solution is an Endpoint Detection and Response (EDR) system. EDR tools continuously monitor endpoints (computers, servers, mobile devices) for suspicious behavior, enabling rapid detection and response to ransomware or other types of malware. These tools can identify anomalies in user behavior, lateral movement across the network or unusual file access patterns, which are often signs of ransomware activity.

What this means for enterprises and critical infrastructure

While the decline in ransomware attacks on state and local governments is promising, enterprises and critical infrastructure organizations cannot afford to let their guard down. The tactics used by ransomware groups are evolving, and while some affiliates may be leaving the cyber extortion ecosystem, others are branching out and developing their own infrastructure.

For enterprises, the focus should shift from solely protecting against known ransomware groups to defending against the broader spectrum of TTPs used in ransomware attacks. This includes strengthening defenses around backup systems as ransomware groups continue to target backups to increase the cost and complexity of recovery.

Additionally, organizations should remain vigilant about the possibility of unaffiliated actors targeting their systems. The fluid nature of the ransomware landscape means that new threats can emerge quickly, and without the brand recognition that typically accompanies high-profile attacks, it may be more difficult to detect these threats early.

Stay vigilant

The increased involvement of law enforcement and the reluctance of governments to pay ransoms are positive developments, but they do not signal the end of the ransomware threat. With threat actors facing headwinds, now is the time for organizations to ramp up their cybersecurity efforts. The cost of complacency is simply too high.