
Victims of Cyber Extortion and Ransomware Increase in 2024

Ransomware victims can be hit multiple times by affiliate gangs in 're-victimization'.

More than 4,000 new victims of ransomware have been recorded over the past 12 months. 

According to research by Orange Cyberdefense, there has been a 77% year-on-year growth from 2023 with 4,374 new victims detected in 75% of countries monitored. In the first quarter of 2024, there were 1,046 victims hit by 43 different threat actors.

Speaking at a launch event this week in Antwerp for the Cy-Xplorer 2024 report, Simen van der Perre, Belgium strategic advisor at Orange Cyberdefense, said these victims are recorded by monitoring leak sites, mostly on the dark web, and most victims are put on these leak sites for not having paid a ransom.

“The extortionists put them on the leak site to raise pressure on negotiations or just to get the money,” he said.

Opportunistic Hits

The researchers found that there is a more opportunistic approach for most threat groups when it comes to targeting victims, and as a result, small businesses with fewer than 1,000 employees are four times more likely to be impacted by attackers than medium and large businesses. 

Van der Perre said targeting is mainly driven by victim variables, such as who is the most vulnerable, who has neglected their cybersecurity hygiene and best practices, and who has not trained their users very well.

“These small organizations, they usually don't have the same type of budget as medium and large ones so they are probably more vulnerable,” he said. “They do not have the funds to invest in cybersecurity hygiene and training. Also threat actors are quite opportunistic.”

Repeat Victims

The research also identified over 200 occurrences of “re-victimization”, with 39 of these instances spotted in Q1 2024, as researchers found some victims posted up to three times on a dedicated leak site.

Typically, a re-victimization occurs when a victim is hit by a second cyber attack, the data has been sold or leaked on a website, or access has been sold to a different operator. Diana Selck-Paulsson, global lead security researcher at Orange Cyberdefense, said 200 occurrences of re-victimization have been detected, from 11,000 total victims, by searching on victims’ names, while some names showed up three times.

“We find this very problematic because we can't know for sure whether or not this is a completely new compromise, but for the victim it's going to be horrific because the business needs to now check and be capable of checking whether or not another compromise has occurred,”  Selck-Paulsson said. 

She also said that the company only began tracking re-victimization in 2020, but the trend really began in 2023 and the largest detection of re-victimization was in Q1 2024.

With half of re-victimizations happening within 80 to 302 days, the researchers believe this is often due to attackers moving between ransomware groups, where the victim may have been hit by two ransomware attacks.

Selck-Paulsson said this could be about increasing the pressure on the victim as they had not complied with any ransom demands. “We do think that after 634 days, or the longer time has passed, it is more likely that we see two or three different brands involved in re-victimization,” she said.

Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
