<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1354242&amp;fmt=gif">

Q1 2024 Sets Record for Most Global Ransomware Attacks in a First Quarter: New Corvus Insurance Ransomware Report

An unprecedented 18 new ransomware leak sites emerged over Q1, bringing the total number for the quarter to 60

BOSTON, April 30, 2024 /PRNewswire/ -- Corvus Insurance, the leading cyber insurance underwriter powered by a proprietary AI-driven cyber risk platform, today released its Q1 2024 Ransomware Report. Featuring data collected from global ransomware leak sites, the report shows that Q1 2024 attacks surpassed Q1 2023 by 21 percent, continuing the troubling trends reported in 2023.

Overview of Q1 2024 Ransomware Trends and Activity

In January, Corvus reported that global ransomware attacks in 2023 set a record high, surpassing 2022 by close to 70 percent. Today's Q1 Ransomware Report shows that 2024 is picking up right where 2023 left off. According to the data, 1,075 leak site ransomware victims were posted on leak sites during the first quarter of 2024, despite the disruption of two major ransomware groups, LockBit and ALPHV/BlackCat, which accounted for 22 percent and 8 percent of the activity, respectively.

"The ransomware activity we've seen in the first quarter of 2024 continues the substantial growth pattern that we saw develop over the course of 2023. While we fully expect that law enforcement's long-term impact will be significant, it's not enough to curb this criminal activity today," said Jason Rebholz, Chief Information Security Officer, Corvus Insurance. "Businesses across all industries must embrace vigilant cybersecurity practices, including proactive and persistent patch management of any vulnerable assets in their environment."

LockBit and ALPHV/BlackCat Activity

In the first quarter of 2024, an international law enforcement operation targeted LockBit's infrastructure, resulting in its operations declining from their status in 2023 and 2022. Lockbit's operators have begun to rebuild but are currently operating at a decreased rate.

ALPHV/BlackCat's high-profile attack on a large healthcare technology company in early March severely impacted thousands of medical practices and pharmacies across the U.S. Following the attack, ALPHV/BlackCat conducted an exit scheme, pretending to shut down, and then taking all the funds. In a typical scenario, the group would take a standard 20-25 percent and share the remainder with the affiliates, which purchase predeveloped ransomware tools from groups like ALPHV/BlackCat to execute attacks and receive a share of the payout. In this instance, the affiliates received nothing.

New Ransomware Groups Quickly Fill the Void

Despite these developments, ransomware attacks continued to grow in the first quarter of 2024, likely due to other ransomware affiliate groups shifting operations to new and alternative organizations. In fact, 18 new leak sites emerged over Q1, the largest number of leak sites to emerge in a single quarter on record. These additions brought the total number of active leak sites for the first quarter to 60.

Industry Trends – Medical Practices Experience Surge in Attacks

According to the Q1 2024 Ransomware Report, the industries most impacted by global ransomware attacks remained relatively consistent over previous quarters, with Information Technology and Services, Construction, Healthcare, and Legal continuing to rank among the top five. While historically there has been a seasonal decline in ransomware activity during the first quarter, most industries experienced only a marginal reduction in incidents compared to the previous quarter. The one prominent exception is Medical Practices, including specialists or family clinics, where attacks were up 38 percent over Q4 2023. ALPHV/BlackCat and LockBit accounted for 12 and 16 percent of these attacks, respectively.

Read the complete Corvus Q1 2024 Ransomware Report here.

About Corvus Insurance

Corvus Insurance, a wholly owned subsidiary of The Travelers Companies, Inc., is building a safer world through insurance products that help to reduce cyber risk for policyholders. Corvus Insurance's Smart Cyber Insurance® and Smart Tech E+O® products include broad coverage, in-house claims handling, and risk prevention services that help prevent cyberattacks through threat alerts for policyholders and the partnership of our in-house cybersecurity experts. 

Corvus Insurance offers insurance products in the U.S., Middle East, Europe, Canada, and Australia. Corvus Insurance, Corvus London Markets, and Corvus Germany are the marketing names used to refer to Corvus Insurance Agency, LLC; Corvus Agency Limited; and Corvus Underwriting GmbH. All entities are subsidiaries of Corvus Insurance Holdings, Inc. For more information, visit corvusinsurance.com.

Recent Articles

Q1 2024 Sets Record for Most Global Ransomware Attacks in a First Quarter: New Corvus Insurance Ransomware Report


An unprecedented 18 new ransomware leak sites emerged over Q1, bringing the total number for the quarter to 60

Corvus Insurance Enhances Cyber Renewals


Fast, application-free, click-and-bind renewals are now offered for eligible accounts.

Corvus Expands Tech E+O Offering


Smart Tech E+O® combines an enhanced appetite with Corvus’ best-in-class claims and risk prevention capabilities. Learn more in this press release.