Attacks by new ransomware groups, including PLAY, Medusa, RansomHub, INC Ransom, BlackSuit and some additional lesser-known factions, eclipsed the first quarter of this year by 16 percent and the second quarter of 2023 by 8 percent, according to Corvus Insurance, a wholly-owned subsidiary of The Travelers Companies, Inc.

The report identified 1,248 ransomware victims in Q2, the second most recorded in a single quarter.

The average ransom demand increased by 102 percent.

The new groups formed following international law enforcement’s takedown of LockBit and BlackCat.

Ransomware Demands and Payouts on the Rise
Based on Corvus data, the Q2 report found the average ransomware demand reached $1,571,667, representing a quarterly increase of 102 percent and the highest figure Corvus has reported since the second quarter of 2022.

The average ransom payment also reached a new high of $626,415.

A company’s backup strategies can impact payouts.

Businesses without robust backups are more than twice as likely to surrender to ransom demands during an attack, the report found. Conversely, organizations with effective backup strategies have incurred median claim costs 72 percent lower than their less-prepared counterparts.

Ransomware Operators Continue Evolving Tactics
“Recognizing that many organizations possess valuable and sensitive information, ransomware operators have evolved their tactics by engaging in double-extortion schemes where operators encrypt data, exfiltrate it and then threaten to release it on the dark web,” the report noted.

So far in 2024, data theft was involved in 93 percent of ransomware incidents observed by Corvus, up from 88 percent in 2023. Using double-extortion schemes, even organizations with secure backups may be forced to pay ransoms, often to prevent the exposure of stolen data.

“Data theft has become the technique employed by attackers to secure maximum payouts from their victims, whether or not they have secure backups,” said Jason Rebholz, chief information security officer at Corvus Insurance. “A robust security plan is never one layer deep. While a sound backup strategy is important, it cannot mitigate these threats alone. Businesses must utilize a multi-layered security strategy based on a resilient environment with fast detection and prevention capabilities.”

Construction Becomes the Most Frequently Targeted Industry in Q2
Though industries most affected by ransomware attacks remained similar among Q1 and Q2, Construction moved from second to first in the second quarter.

In addition, Government and Oil and Gas joined the list, and ransomware attacks targeting the Software Development and IT Services and IT Consulting sectors were up 257 percent and 54 percent, respectively.

RansomHub was responsible for 16 percent of the reported victims within the IT Services industry, followed by PLAY and BlackSuit, which accounted for an additional 18 percent, Corvus found.