{"id":7303,"date":"2024-02-15T09:00:00","date_gmt":"2024-02-15T09:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/04\/02\/post_id-3587\/"},"modified":"2026-05-10T19:05:41","modified_gmt":"2026-05-10T19:05:41","slug":"ransomware-2024-new-tactics-bigger-targets-tougher-negotiations","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2024\/02\/15\/ransomware-2024-new-tactics-bigger-targets-tougher-negotiations\/","title":{"rendered":"Ransomware 2024: New Tactics, Bigger Targets, Tougher Negotiations"},"content":{"rendered":"<p><strong>Ransomware in 2024 is no longer just a simple encryption attack. Leading groups  &#8211;  LockBit, ALPHV\/BlackCat, Cl0p  &#8211;  operate like businesses: with HR departments, support ticket systems, and contractually regulated affiliate programs. Underestimating them as &#8220;script kiddies&#8221; will lead to severe consequences.<\/strong><\/p>\n<h2>TL;DR<\/h2>\n<ul>\n<li><strong>Triple Extortion becomes standard:<\/strong> Encrypt + steal data + threaten DDoS as three combined levers.<\/li>\n<li><strong>RaaS ecosystem mature:<\/strong> Ransomware-as-a-Service enables even technically less skilled attackers to launch professional attacks.<\/li>\n<li><strong>Critical infrastructure in focus:<\/strong> Hospitals, energy, water  &#8211;  attacks on KRITIS are strategically increasing.<\/li>\n<li><strong>Negotiation professionalized:<\/strong> Specialized IR firms negotiate with attackers  &#8211;  this has become standard business practice.<\/li>\n<li><strong>Paying guarantees nothing:<\/strong> Only 65% of paying victims get all their data back (Cybereason).<\/li>\n<\/ul>\n<h2>The RaaS Model: How Ransomware Groups Operate<\/h2>\n<p>Ransomware-as-a-Service (RaaS) has dramatically lowered the barrier to entry for attackers. LockBit, for example, runs an affiliate program: partners receive the ransomware code and infrastructure, paying 20-30% of the ransom to the group. 
Initial Access Brokers (IAB) separately sell access to corporate networks  &#8211;  attackers simply purchase the access.<\/p>\n<p>The result: attacks become more efficient and targeted. Before deploying ransomware, attackers typically spend weeks inside the network  &#8211;  collecting data, identifying backups, and escalating privileges.<\/p>\n<h2>LockBit Takedown and What It Shows<\/h2>\n<p>In February 2024, Operation Cronos by Europol, FBI, and NCA seized the LockBit infrastructure. Websites went offline, decryption keys were secured, and arrests were made. A significant blow  &#8211;  but LockBit was active again within weeks.<\/p>\n<p>The lesson: ransomware groups are resilient. The technical infrastructure can be seized, but the knowledge, relationships, and money remain. Prevention is more important than waiting for law enforcement successes.<\/p>\n<h2>Incident Response in an Emergency: What Now Applies<\/h2>\n<p><strong>First 24 hours:<\/strong> Isolate systems (do not shut down  &#8211;  preserve forensic evidence), activate IR service providers, inform BSI\/CERT-Bund. Check reporting obligations under NIS2 and GDPR (DSGVO).<\/p>\n<p><strong>Negotiation:<\/strong> Do not conduct it alone. Specialized firms (e.g., Coveware, Kivu, German IR firms) know the attackers and understand how negotiations realistically end. They also assess how reliable the attackers' promise of decryption is.<\/p>\n<p><strong>Pay or not:<\/strong> A purely economic decision with risks on both sides. Restoring backups without paying often takes longer but can be technically feasible. 
Paying funds future attacks  &#8211;  that is also a consideration.<\/p>\n<h2>Key Facts at a Glance<\/h2>\n<p><strong>Average Ransom Demand in 2023:<\/strong> ~1.5 million USD (Sophos State of Ransomware 2024)<\/p>\n<p><strong>Companies that pay:<\/strong> 56% of affected companies pay (Sophos 2024)<\/p>\n<p><strong>Data recovery rate after payment:<\/strong> 65% get all their data back<\/p>\n<p><strong>Average downtime:<\/strong> 24 days until full recovery<\/p>\n<p><strong>LockBit takedown:<\/strong> February 2024 through Operation Cronos (Europol\/FBI)<\/p>\n<p><strong>Fact:<\/strong> The average downtime after a ransomware attack is 23 days, according to Sophos.<\/p>\n<p><strong>Fact:<\/strong> The average damage from a ransomware attack in 2024 was $1.54 million, according to Coveware.<\/p>\n<h2>Frequently Asked Questions<\/h2>\n<h3>What is Ransomware-as-a-Service (RaaS)?<\/h3>\n<p>RaaS is a business model where ransomware developers rent out their code and infrastructure to &#8220;affiliates.&#8221; The affiliates carry out attacks and pay a share of the ransom to the developers. This drastically lowers the technical barrier to entry.<\/p>\n<h3>Should you pay the ransom?<\/h3>\n<p>This is an individual decision with many factors: availability of backups, type of stolen data, reputation, insurance coverage. Paying is not forbidden in the EU but funds criminal activities. Not paying can lead to data publication.<\/p>\n<h3>What is an Initial Access Broker?<\/h3>\n<p>IABs are specialized attackers who sell access to corporate networks  &#8211;  without deploying ransomware themselves. They buy or steal credentials and distribute them on the darknet. Ransomware groups purchase this access as a &#8220;starting point.&#8221;<\/p>\n<h3>How does network segmentation protect against ransomware?<\/h3>\n<p>Ransomware spreads laterally within the network. 
Segmentation (VLANs, micro-segmentation, zero-trust network) prevents a compromised endpoint from infecting the entire network. Keeping backups in an isolated segment is also critical.<\/p>\n<h3>What should a ransomware response plan include?<\/h3>\n<p>Clear roles (who decides?), contacts with IR service providers and BSI, communication plan (internal, external, media), technical playbooks for isolation and forensics, and regular exercises (tabletop exercises).<\/p>\n<p style=\"text-align: right;\"><em>Header Image Source: Pexels \/ Antoni Shkraba Studio<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"Ransomware in 2024 is no longer just a simple encryption attack. 
Leading groups &#8211; LockBit, ALPHV\/BlackCat, Cl0p &#8211; operate like businesses: with HR departments, support ticket systems, and contractually regulated affiliate programs. Underestimating them as &#8220;script kiddies&#8221; will lead to severe consequences. TL;DR Triple Extortion becomes standard: Encrypt + steal data + threaten DDoS as [&hellip;]","protected":false},"author":55,"featured_media":3586,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"ransomware","_yoast_wpseo_title":"Ransomware 2024: New Tactics, Bigger Targets, Tougher Negotiations","_yoast_wpseo_metadesc":"Ransomware 2024: Discover how cybercriminals use advanced tactics to target businesses\u2014learn defenses and negotiation strategies. Stay protected now.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":["post_id-3587"],"footnotes":""},"categories":[251],"tags":[233],"class_list":["post-7303","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-ransomware"],"evm_reading_time_minutes":5,"wpml_language":"en","wpml_translation_of":3587,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/
wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=7303"}],"version-history":[{"count":3,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7303\/revisions"}],"predecessor-version":[{"id":10036,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7303\/revisions\/10036"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/3586"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=7303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=7303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=7303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}