Data theft dominated cyberattacks in 2024 while ransomware protection became harder

Cybercrime is changing fast. If you’re running a business today, ransomware is a business risk, a financial drain, and a strategic challenge. Attacks are no longer locking files and demanding ransom; they’re stealing, exposing, and weaponizing data against you.

Data theft as the primary driver of cyberattacks

Ransomware used to be about encryption. That’s changed. Now, the primary goal isn’t just to lock your systems, it’s to steal your data and use it as leverage. Attackers know that businesses fear exposure more than downtime. If sensitive customer data, trade secrets, or financial records are stolen, the damage is far worse than just a locked system.

This shift is why 94% of cyberattacks in 2024 involved data theft, according to BlackFog’s 2024 Ransomware Trend Report. And here’s the kicker: companies hit by undisclosed exfiltration attacks lost an average of 592 GB of data per incident.

“If an attacker gets in, how easy is it for them to move sensitive data out? If that’s not a question you can answer, it’s time to rethink your security architecture.”

The rising financial cost of ransomware

Ransomware is an expensive problem. The average cost of a ransomware attack involving data theft in 2024 was $5.21 million, according to IBM’s Cost of a Data Breach report.

That number includes system restoration, regulatory fines, legal fees, lost productivity, and brand damage. Paying the ransom is often the least of your concerns.

For executives, the key takeaway is this: cybersecurity is a bottom-line issue. The cost of prevention is always lower than the cost of recovery.

A common mistake? Assuming insurance will cover it. Many policies now exclude ransomware payments, and even when they don’t, premiums are skyrocketing. The best financial strategy isn’t to rely on payouts, it’s to avoid getting hit in the first place.

Attackers are exploiting legitimate enterprise tools

Cybercriminals are smart. They know security software looks for anomalies, so they’re using trusted enterprise tools against companies instead. This makes attacks harder to detect and much harder to stop.

One example? PowerShell was used in 56% of ransomware cases in 2024, according to BlackFog’s report. Attackers are also targeting VMware ESXi servers with ransomware designed to both copy and encrypt data at the same time.

For business leaders, this changes the security conversation. Traditional antivirus software won’t stop these kinds of attacks because the tools being exploited are legitimate. That means security needs to be built around behavior detection, not just signature-based defenses.

If you haven’t already, now is the time to audit how enterprise tools are being used within your organization. Who has access? What is being logged? How quickly can an unusual action be flagged and investigated? If you don’t have clear answers, attackers will find the gaps before you do.

Critical industries are prime targets

“Not all businesses are equally at risk. Cybercriminals go after targets where downtime costs the most, because those companies are the most likely to pay up.”

In 2024, the most targeted industries for undisclosed ransomware attacks were manufacturing, services, and technology. These sectors operate on thin margins, high data complexity, and require 24/7 uptime.

For disclosed attacks, the biggest victims were healthcare, government, and education, accounting for 47% of ransomware-related headlines. The biggest surge? Retail, with a 96% increase in reported ransomware incidents, affecting major brands like Starbucks, Sainsbury’s, Morrisons, London Drugs, and Krispy Kreme.

If you’re in one of these industries, assume you’re already a target. Cybercriminals are running businesses too, and they go where the money is. That means proactive cybersecurity spending is no longer optional. The alternative? Paying in downtime, lost revenue, and public humiliation.

Ransomware groups are growing faster than law enforcement can keep up

Law enforcement agencies are working hard to shut down ransomware groups. But here’s the truth: it’s not working fast enough.

Take LockBit, the most active ransomware group of 2024. They hit 603 victims, even after a February 2024 takedown led by the U.K. National Crime Agency, the FBI, and other global agencies. The operation disabled LockBit’s ransomware-as-a-service platform, but within days, the group was back online under a new dark web domain.

Even with crackdowns, payments to LockBit dropped 79% in the second half of 2024, according to Chainalysis. That’s good news, but the bad news? New groups are filling the void fast.

RansomHub, for example, emerged in 2024 and quickly took second place in attack volume, hitting major firms like Kawasaki and Halliburton. Medusa and Play followed close behind.

The key lesson for executives? Law enforcement won’t save you. These groups are decentralized, adaptive, and constantly rebuilding. If you don’t have a strategy that assumes an attack is coming, you’re already behind.

AI is fueling the next wave of ransomware groups

“AI is making ransomware attacks easier to launch, harder to detect, and more scalable than ever before.”

According to Cyberint, Q2 2024 saw the highest number of active ransomware groups in history. BlackFog’s data confirms that 48 new ransomware groups emerged in 2024, a 65% increase over the previous year.

Why? Because AI is removing the skill barrier. Attackers don’t need deep technical expertise anymore. AI can write malware, automate phishing attacks, and even mimic human behavior to bypass security systems.

The U.K.’s National Cyber Security Centre has already warned that AI-driven ransomware will increase exponentially. That means businesses need to upgrade their defenses at the same rate that attackers are upgrading their tactics.

If you’re still relying on manual detection or legacy systems, you’re playing defense against an automated offense. That’s not a fight you’ll win.

Final thoughts

Ransomware isn’t slowing down. It’s evolving, fast. Attacks are more sophisticated, more targeted, and more damaging than ever before. Law enforcement can’t stop them. Insurance won’t save you. The only way forward is proactive defense and strategic investment in cybersecurity.

If you’re making decisions at the top, here’s what you need to do: