The past year was expected to be a watershed for the ransomware ecosystem, with the removal of ALPHV/BlackCat in late 2023 and the disruption of the LockBit syndicate in early 2024.
While these law enforcement takedowns had a negative impact on ransomware activity for a while, the ransomware-as-a-service (RaaS) landscape proved its resilience.
Shortly after these major law enforcement actions, activity from other established ransomware brands such as Play and Akira appeared to pick up, perhaps because affiliates moved away from the disrupted groups, while new groups also emerged.
Ransomware activity peaked in November, with Corvus Insurance analysts claiming that the month saw the highest number of alleged ransomware victims in history. Other sources, such as the ransomware tracking website Ransomware.live, believe that no month in 2024 topped the 907 claims recorded in July 2023.
The Most Active Ransomware Gangs of 2024
Infosecurity selected the 10 most active ransomware groups of the past year, collecting data from multiple sources including Ransomware.live, RansomLook, Corvus Insurance and Recorded Future, among others.
RansomHub: Move fast and break things
- Other names: N/A
- Appeared in: February 2024
- Victims claimed in 2024: 593
- Total victims claimed: 593
On February 2, 2024, a user named ‘koley’ announced a new ransomware affiliate program under the name RansomHub on the Russian-language hacking forum RAMP. Each ransom would be split 90% to the affiliate and 10% to the developer.
According to ‘koley’, the RansomHub ransomware is designed to be versatile, capable of compromising a wide range of platforms, including Windows, Linux and ESXi, as well as architectures such as ARM and MIPS.
In June, it was reported that operators of the Scattered Spider group, responsible for a number of high-profile ransomware incidents affecting large organizations in the past year, including MGM International, Caesars Entertainment and Okta, had left the disrupted ALPHV/BlackCat to join RansomHub.
RansomHub affiliates overtook LockBit as the most prolific RaaS brand in October and contributed heavily to the increase in ransomware claims in November, with 98 claims that month alone, according to Corvus Insurance.
Play: Going Hard on Exploits
- Other names: PlayCrypt
- Appeared in: June 2022
- Victims claimed in 2024: 362
- Total victims claimed: 716
Play ransomware emerged in 2022 with attacks on organizations in Latin America, but the group has since targeted organizations in a wide range of countries.
The group’s preferred mechanism for gaining initial access to its targets is vulnerability exploitation, focusing on flaws in widely used networking and security products such as Fortinet, Citrix and VMware’s ESXi.
A July 2024 Trend Micro report revealed a connection between Play and Prolific Puma, a group known for generating domains using domain generation algorithms and offering link-shortening services to cybercriminals to help them evade detection.
Akira: The True Conti Heirs
- Other names: N/A
- Appeared in: March 2023
- Victims claimed in 2024: 291
- Total victims claimed: 454
In February 2023, the Conti ransomware group disbanded following internal conflicts between pro-Russian and Ukrainian members. Its affiliates quickly migrated to other groups, such as Royal and BlackBasta.
Akira is one of those groups, and probably the one with the closest ties to Conti’s infrastructure. According to cybersecurity provider Qualys, Akira shares code with Conti, and its operators have commingled funds with Conti-connected wallet addresses. After LockBit’s fall, threat intelligence firm RedSense identified Zeon as a former Conti affiliate group that has outsourced its skills to LockBit and Akira.
Akira’s affiliates also work with other ransomware operations, such as Snatch and BlackByte. In November 2024, Akira seemingly ramped up its activity, with 73 claimed victims that month alone, according to data from Corvus Insurance.
Hunters International: Building on the Hive Demise
- Other names: Hunter
- Appeared in: Late 2023
- Victims claimed in 2024: 227
- Total victims claimed: 252
In mid-October 2023, a few days before the removal of the Hive ransomware group, the group’s source code was sold, along with its website and older versions of the source code.
Hunters International claimed to have purchased the package and fixed the bugs that had prevented file decryption in some cases. The group also stated that it would prioritize data theft over file encryption.
Medusa: All PR is good PR
- Other names: N/A
- Appeared in: Late 2022
- Victims claimed in 2024: 212
- Total victims claimed: 357
Medusa may be seen as just another RaaS group using traditional data extortion tactics, but its online presence stands out.
Medusa’s online presence is an unusual mix of dark and clear web activities. Notably, Medusa operatives have a clear web identity, “OSINT without Borders”, along with profiles linked to “Robert” under various surnames, on a dedicated website and on social media platforms such as X and Facebook.
Although Medusa tries to present these entities as separate, many connections suggest otherwise.
Cybersecurity firm Bitdefender explained, “Medusa’s official data breach site links to a Telegram channel that shares the same logo as ‘OSINT without Borders,’ and the site’s owner often refers to Medusa in ways that suggest a close connection.”
Qilin: Password Hungry
- Other names: Agenda
- Appeared in: July 2022
- Victims claimed in 2024: 179
- Total victims claimed: 230
Qilin has been active since at least July 2022 and is also known as Agenda.
In August 2024, the Sophos X-Ops team observed the group conducting a mass theft of credentials stored in Google Chrome browsers on a subset of network endpoints, a credential harvesting technique with potential implications far beyond the original victim’s organization.
This is an unusual tactic, and one that could be a bonus multiplier for the chaos that already exists in ransomware situations, Sophos said.
BlackBasta: Another Conti Descendant
- Other names: N/A
- Appeared in: April 2022
- Victims claimed in 2024: 176
- Total victims claimed: 507
BlackBasta’s core members are believed to have originated from the now-defunct Conti threat actor group, given the similarities in their malware development techniques, leak sites, and methods of negotiation, payment and data recovery.
Additionally, BlackBasta has been associated with the FIN7 threat group due to the similarity in their custom endpoint detection and response (EDR) modules and the shared use of IP addresses for command and control (C2) operations.
BlackBasta was the second most active ransomware group after LockBit in the first quarter of 2024, according to ReliaQuest data.
BianLian: Extortion without encryption
- Other names: N/A
- Appeared in: December 2021
- Victims claimed in 2024: 166
- Total victims claimed: 518
Operating since late 2021, BianLian primarily targets healthcare and manufacturing entities in Europe and North America.
In a notable change, BianLian has recently moved from double extortion to extortion without encryption.
Instead of encrypting its victims’ assets after stealing their data and threatening to publish it if they don’t pay the ransom, the group now goes straight to data theft to pressure victims into paying.
INC Ransom: No Limits
- Other names: INC, Inc. Ransom, Lynx
- Appeared in: July 2023
- Victims claimed in 2024: 162
- Total victims claimed: 208
INC Ransom positions itself as offering a service to its victims, claiming that it makes the victim’s environment “safer” as a result of its attacks.
However, the group appears to know no bounds in the entities it targets, with some of its latest claimed victims including a children’s hospital near Liverpool in Great Britain.
Notably, INC’s data leak site interface closely resembles LockBit’s.
Palo Alto Networks researchers believe that Lynx, a new ransomware group that appeared in October 2024, is a rebrand of INC Ransom.
BlackSuit: A Royal Rebrand
- Other names: King
- Appeared in: April/May 2023
- Victims claimed in 2024: 156
- Total victims claimed: 175
First discovered in early 2023, BlackSuit is believed to be a rebrand of Royal Ransomware, one of the most active ransomware groups in 2022.
The US Cybersecurity and Infrastructure Security Agency (CISA) reported that one of Royal/BlackSuit’s signature tactics is the use of legitimate software and open source tools during ransomware operations.
Bonus – LockBit 3.0: The One That Got Away
- Other names: LockBit Black (for this version)
- Appeared in: March 2022 (for this version)
- Victims claimed in 2024: 534
- Total victims claimed: 1973
Although it was heavily disrupted in February 2024 by Operation Cronos, a global law enforcement operation led by Britain’s National Crime Agency (NCA) and the FBI, LockBit remained the most active ransomware group in May 2024, according to NCC Group.
This may partly be due to the quick response of the LockBit administrators. However, it is mostly because LockBit 3.0 was leaked in the fall of 2022 by the group’s disgruntled developers. As a result, many cybercriminals with no formal relationship with LockBit now use LockBit 3.0 to extort their victims.
Conclusion
As we close the chapter on 2024, it is clear that the ransomware landscape remains as dynamic and unpredictable as ever. The decline of once-dominant groups such as ALPHV/BlackCat and LockBit has not diminished the overall threat, as new and existing players continue to adapt and evolve. The resilience of the ransomware-as-a-service model ensures that even significant law enforcement efforts provide only temporary relief.
As we look ahead to 2025, the cybersecurity community must remain vigilant. The rise of new groups like RansomHub and the shifting alliances within the ransomware ecosystem suggest that the fight against these cyber threats is far from over. Continued innovation in defense strategies and international cooperation will be critical to mitigating the impact of ransomware in the coming year.