Cyber extortion victims grow by 77%, with small businesses impacted four times more often than medium and large businesses combined, reveals Orange Cyberdefense

• Over the past 12 months, 60 distinct threat actors impacted 4 374 new victims.
• Cyber extortion is a worldwide issue, with businesses in 75% of all countries directly impacted since 2020, and 118 countries impacted in the last year alone.
• The healthcare and social assistance industry increasingly becoming a victim, experiencing the highest growth (+160% YOY).
• The impact GenAI may have on the cyber extortion threat is yet to be seen, concerns that it will enable the threat ecosystem to globalise.

Cy-X continues to spread across the globe.

---

Orange Cyberdefense, the specialist arm of the Orange Group dedicated to cyber security, this week released its latest cyber extortion report, the Cy-Xplorer 2024. Examining data from a total of 11 244 confirmed business victims, the findings show a steep increase (77% YOY) in the number of observable cyber extortion (Cy-X) victims over the past 12 months, with analysis suggesting the actual number to be 50%-60% higher than what we directly observe, due to the dynamic and ever-changing nature of the cyber extortion ecosystem.

Cy-X is continuing to spread across the globe with victims recorded in 75% of countries since 2020. The USA, Canada and Great Britain have consistently recorded the highest number of victims, indicating that economy size, language and business “culture” are key factors shaping the regional demographics of our victim dataset. Aside from being the most impacted region, the USA has also seen the fastest growth at 108%, followed closely by Great Britain and Canada at 96% and 76%, respectively. Other prominent growth regions included the Nordics and Africa, with growth rates of 78% and 100%, although off much lower starting bases.

While the term “big game hunting” is often seen in reference to targeted and sophisticated attacks against large, high-value targets, we have observed patterns of behaviours that suggest a much more opportunistic approach for most threat groups when it comes to Cy-X. As a result, we have observed that small businesses with less than 1 000 employees are 4.2 times more likely to be impacted by Cy-X than medium and large businesses. We suggest that this is simply because there are so many more small businesses that get swept up in the “harvest” as attackers attempt to hit whoever they can.

Businesses in the manufacturing industry continued to be the most impacted globally by Cy-X (21%). However, in the past 12 months, for the first time, we saw healthcare and social assistance industries join the three most impacted sectors, seeing the highest growth rate at 160% YOY. Historically, through the COVID-19 crisis, and up until recently, threat actors have shown some degree of "moral restraint", with healthcare being an industry that attackers explicitly avoided due to their moral compass and fear of political consequences. However, it appears to suggest that even this fragile political finesse is fading as this worrisome trend picks up pace. For instance, LockBit took credit for compromising two significant US healthcare institutions – Carthage Area Hospital and Claxton-Hepburn Medical Center, among others, and the ALPHV/BlackCat group claimed a significant attack on Change Healthcare. There are further examples in the full report.

Our research has found over 200 occurrences of re-victimisation, which has been on an upward trajectory since 2023 and appears to be accelerating. In Q1 2024, there have already been 39 re-victimisations and this trend is expected to continue, with our research finding some victims posted up to three times on a dedicated leak site. Additionally, there are incidents of victims being posted by different threat actors with a long delay between them, indicating an active attempt to re-attack and extort victims anew.

Our data suggests that AI is not significantly impacting Cy-X. The concerns for GenAI are instead that it could allow the threat ecosystem to globalise – by providing the language and cultural tools attackers need to reach across language and cultural barriers that have, until now, potentially shielded some economies from greater impacts.

Despite the takedown and disruption of prominent cyber extortion groups such as RagnarLocker, ALPHV/BlackCat, and LockBit by law enforcement, there has been no noticeable decrease in victim count. The research has shown the general volatility of the Cy-X actor ecosystem, showing one-third of all actors we track will “disappear” each year, while an equivalent number of new actors are identified annually. It also suggests half of all identified threat actors will disband or rebrand in under six months.

“We are seeing a measured rise in the pace at which law enforcement is responding to meet the Cy-X threat, but as victim numbers surge at an alarming rate, with new tactics being deployed and moral restraints dwindling, it’s an ongoing battle that’s further complicated by the decentralised and fragmented ecosystem,” said Hugues Foulon, CEO at Orange Cyberdefense. “Small businesses are increasingly falling victim to the crime and we see a real need for all organisations to join forces and play their part by working together and taking actions that will increase the cost for attackers.”

“The emergence and acceleration of re-victimisation is a concerning trend that we are following closely. While perceived as an unsophisticated crime, the impact is profound and exposes organisations to several forms of harm as they remain in the grip of the criminal ecosystem,” said Diana Selck-Paulsson, Lead Security Researcher at Orange Cyberdefense. “Cyber crime is borderless and as threats continue to evolve alongside the emergence of new technologies such as GenAI, we must continue to adapt and be prepared for the globalisation of the threat ecosystem.”

Orange Cyberdefense has been consistently tracking cyber extortion activity since 2020 and has collected information on over 11 200 victims to date. The full methodology can be found in the report here.

Orange Cyberdefense will be hosting an exclusive webinar “It’s not ransomware, it’s extortion” unpacking the report’s key findings on Monday the 8 of July at 3 PM SAST.

To join this briefing or to be sent the recording – visit https://www.orangecyberdefense.com/za/insights/events/its-not-ransomware-its-extortion