2024 proved to be a tumultuous year in the cybersecurity world, marked by significant ransomware attacks and the rise of new, aggressive threat actors. While the takedown of prominent groups like ALPHV/BlackCat and disruptions to LockBit initially seemed promising, the ransomware-as-a-service (RaaS) model demonstrated remarkable resilience. This report analyzes the Top 10 most active ransomware groups of 2024, offering critical insights for enterprise businesses to bolster their defenses against these evolving cyber threats. The data compiled here comes from various reputable sources including Ransomware.live, RansomLook, Corvus Insurance, and Recorded Future.
The Shifting Sands of the Ransomware Ecosystem: A 2024 Retrospective
The year began with high hopes following law enforcement successes. However, the RaaS model quickly proved its adaptability. The disruption of major players led to a redistribution of affiliates, with some joining existing groups like Play and Akira, while others formed entirely new ransomware operations.
This churn pushed ransomware activity to a new high late in the year, although the trackers disagree on the record month because each counts and deduplicates leak-site claims differently. Corvus Insurance reported November 2024 as the month with the most claimed victims on record, while Ransomware.live still had July 2023, with 907 claimed victims, as the peak. Whichever tally you trust, the trend is the same: a persistent, adapting ransomware threat.
Top 10 Ransomware Gangs of 2024: A Detailed Look
Below, we delve into the Top 10 most active ransomware groups of 2024, providing crucial details on their operations and impact.
1. RansomHub: The Speed Demons of Ransomware
- Other names: N/A
- Appeared: February 2024
- Claimed victims in 2024: 593
- Claimed victims overall: 593
Launched on the Russian-language hacking forum RAMP, RansomHub quickly gained notoriety. Its 90/10 revenue split (the affiliate keeps 90 percent of the ransom) proved attractive, and affiliates displaced by the dismantling of ALPHV/BlackCat, including the Scattered Spider crew that had operated as an ALPHV affiliate, joined its ranks. This influx, together with payloads for Windows, Linux, and ESXi and builds for ARM and MIPS, propelled RansomHub past LockBit to become the most prolific RaaS brand in October 2024, and it contributed heavily to the November surge (98 claims that month alone, according to Corvus Insurance). Few groups have gone from launch to the top of the leak-site tallies in under a year; that pace is what set RansomHub apart.
2. Play: The Master Exploiters
- Other names: PlayCrypt
- Appeared: June 2022
- Claimed victims in 2024: 362
- Claimed victims overall: 716
Initially targeting Latin American entities, Play expanded its reach globally. Its strength is initial access through vulnerabilities in widely deployed, internet-facing infrastructure: Fortinet and Citrix remote-access appliances and VMware ESXi hypervisors. A connection to Prolific Puma, known for its domain generation algorithms and link-shortening services for cybercriminals, points to mature evasion infrastructure as well. Play’s success rests on weaponizing publicly known vulnerabilities faster than many organizations patch them, so the exposure window on edge devices is the metric defenders should watch.
3. Akira: The Conti Legacy Continues
- Other names: N/A
- Appeared: March 2023
- Claimed victims in 2024: 291
- Claimed victims overall: 454
Emerging from the dissolution of the Conti ransomware group, Akira shows strong ties to its predecessor’s infrastructure and operating methods. Code overlap with Conti and shared cryptocurrency wallet addresses support the connection. Threat intelligence firm RedSense further linked Akira to Zeon, a former Conti affiliate that outsourced its skills to both LockBit and Akira. Collaboration with other ransomware operations, such as Snatch and BlackByte, shows the breadth of Akira’s network. Persistence and these strategic alliances are what keep Akira near the top of the list.
4. Hunters International: Capitalizing on the Hive’s Demise
- Other names: Hunters
- Appeared: Late 2023
- Claimed victims in 2024: 227
- Claimed victims overall: 252
Hunters International emerged after the takedown of the Hive ransomware group, acquiring its source code, leak-site infrastructure, and older code versions. The operators fixed bugs that had previously caused Hive’s decryption to fail and shifted their emphasis from encryption to data theft. That shift mirrors a broader trend in the ransomware landscape: if the payment lever is leaked data rather than locked files, the encryptor becomes secondary. Hunters International’s opportunistic origins and its focus on exfiltration make it a significant threat.
5. Medusa: The Masters of Online Deception
- Other names: N/A
- Appeared: Late 2022
- Claimed victims in 2024: 212
- Claimed victims overall: 357
Medusa stands out for its unusual online presence, blending dark-web operations with a visible clear-web identity branded “OSINT without borders”. Bitdefender documented links between Medusa’s data leak site, a Telegram channel, and the “OSINT without borders” brand, suggesting a deliberate mix of publicity and disinformation intended to confuse investigators while preserving operational security. That use of online personas makes Medusa an unusual adversary to track.
6. Qilin: The Credential Thieves
- Other names: Agenda
- Appeared: July 2022
- Claimed victims in 2024: 179
- Claimed victims overall: 230
Qilin (also known as Agenda) was observed in August 2024 doing something unusual for a ransomware crew: mass harvesting of credentials saved in Google Chrome across a victim’s endpoints, before the encryptor ran. Browser password stores hold logins for third-party services as well as the victim’s own systems, so the damage extends well beyond the organization that was encrypted, and the stolen credentials remain usable after recovery unless they are rotated. Treat a Qilin incident as a credential-compromise event, not just an encryption event.
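The page does not include any detection logic, so the following is an added example, written for this article rather than taken from Qilin reporting or any vendor product. Chrome stores saved logins in an SQLite file named "Login Data" under each profile directory (%LOCALAPPDATA%\Google\Chrome\User Data\<Profile>\), and only chrome.exe has a reason to open it. The script below runs over constructed Sysmon-style file-access events (the hosts, users, and paths are invented) and flags any non-Chrome process reading that file, as well as copies of it written outside the profile tree, which is how a harvesting script typically gets around Chrome's lock on the live database.

```python
"""
Detect non-browser processes touching Chrome's saved-credential store.

Input events are constructed samples in a Sysmon-like shape (process image,
target file, action); they are not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Chrome's credential store lives at ...\Google\Chrome\User Data\<Profile>\Login Data
# (and "Login Data For Account" for Google-account-synced profiles).
LOGIN_DATA_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data(?: For Account)?$",
    re.IGNORECASE,
)

# Processes allowed to open the file. Match the full install path: an attacker
# can name any binary chrome.exe, so a bare image name is not enough.
ALLOWED_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}

@dataclass(frozen=True)
class FileEvent:
    host: str
    user: str
    image: str    # full path of the process that touched the file
    target: str   # file path that was opened or created
    action: str   # "read" or "create"

@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    image: str
    target: str
    reason: str

def classify(ev: FileEvent) -> Optional[Alert]:
    """Return an Alert if the event looks like credential-store harvesting."""
    if LOGIN_DATA_RE.search(ev.target):
        if ev.image.lower() not in ALLOWED_IMAGES:
            return Alert(ev.host, ev.user, ev.image, ev.target,
                         "non-Chrome process opened Chrome Login Data")
        return None
    # Chrome holds the live database open, so harvesting scripts usually copy
    # it first. A new file whose name still says "Login Data" but sits outside
    # any profile directory is that copy.
    if ev.action == "create" and "login data" in ev.target.lower():
        return Alert(ev.host, ev.user, ev.image, ev.target,
                     "copy of Chrome Login Data written outside profile directory")
    return None

def detect(events: List[FileEvent]) -> List[Alert]:
    return [a for a in (classify(e) for e in events) if a is not None]

def hosts_affected(alerts: List[Alert]) -> Set[str]:
    """A script pushed by Group Policy shows up as the same image on many hosts."""
    return {a.host for a in alerts}

# Constructed sample telemetry: one legitimate Chrome open, the same file read
# by PowerShell on two different hosts, and a copy dropped in C:\Windows\Temp.
SAMPLE_EVENTS = [
    FileEvent("WS01", r"CORP\alice",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
              "read"),
    FileEvent("WS01", r"CORP\alice",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
              "read"),
    FileEvent("WS02", r"CORP\bob",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data",
              "read"),
    FileEvent("WS02", r"CORP\bob",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Temp\Login Data.bak",
              "create"),
]

if __name__ == "__main__":
    alerts = detect(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a.host} {a.user} {a.image} -> {a.target}: {a.reason}")
    print("hosts affected:", sorted(hosts_affected(alerts)))
```

The second rule is deliberately broad: a file called "Login Data" appearing anywhere outside a Chrome profile has essentially no benign explanation on a managed endpoint, and the number of distinct hosts raising the first rule within a short window is what separates one curious user from a domain-wide harvesting job.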
7. BlackBasta: A Conti Offshoot
- Other names: N/A
- Appeared: April 2022
- Claimed victims in 2024: 176
- Claimed victims overall: 507
BlackBasta’s origins trace back to the defunct Conti group, with similarities in malware development, leak-site design, and negotiation style. Links to FIN7 are also suspected on the basis of shared EDR-evasion tooling and command-and-control infrastructure. Sustained activity since 2022 and these connections to other established crews make BlackBasta a clear example of how Conti’s legacy persists.
8. BianLian: Data Extortion, No Encryption
- Other names: N/A
- Appeared: December 2021
- Claimed victims in 2024: 166
- Claimed victims overall: 518
BianLian, which primarily targets healthcare and manufacturing organizations in Europe and North America, shifted from double extortion (encryption plus data theft) to pure data extortion, a move that followed the release of a free decryptor for its encryptor in early 2023. The change reflects a wider trend: once a victim’s data is exfiltrated, the threat of publication alone is often enough to extract payment. For BianLian the approach is simpler and cheaper, removes the risk that a broken or reverse-engineered encryptor undermines the extortion, and leaves defenders with a detection problem that backups cannot solve.
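When a group drops encryption, as BianLian did and as Hunters International increasingly does, the bulk upload of stolen data becomes the loudest remaining signal, and it is one that backup discipline does nothing to catch. The following is an added example written for this article (not code from any of the groups or vendors named on the page) that baselines each host’s daily outbound volume to external addresses from flow records and flags a day that is far above that host’s own history. The flow records are constructed for the example, the hostnames are invented, and the RFC 5737 documentation addresses stand in for real external destinations.

```python
"""
Flag hosts whose external egress volume jumps far above their own recent
baseline, and list the destinations they had never spoken to before.

Input: per-flow records (host, day, destination IP, bytes out) of the kind a
NetFlow/IPFIX collector or firewall log provides. Records here are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import median
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Flow:
    host: str
    day: str        # YYYY-MM-DD, so string order is date order
    dst: str        # destination IP
    bytes_out: int

# Anything not in these ranges is treated as external. Explicit ranges are
# used rather than ip_address().is_global so the documentation addresses in
# the sample data count as external, as real public addresses would.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def daily_egress(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """Sum external-bound bytes per host per day; internal traffic is ignored."""
    by_host: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_external(f.dst):
            by_host[f.host][f.day] += f.bytes_out
    return by_host

def find_spikes(flows: List[Flow], k: float = 6.0,
                min_bytes: int = 5 * 1024**3,
                min_history: int = 5) -> List[Tuple[str, str, int, float]]:
    """
    Return (host, day, bytes, baseline_median) for every day whose egress
    exceeds median + k*MAD of that host's EARLIER days only. Median and MAD
    are used instead of mean and standard deviation so the spike itself can
    never inflate the baseline it is compared against. min_bytes keeps hosts
    with near-zero baselines from alerting on ordinary noise.
    """
    spikes = []
    for host, days in daily_egress(flows).items():
        ordered = sorted(days.items())
        for i, (day, b) in enumerate(ordered):
            history = [v for _, v in ordered[:i]]
            if len(history) < min_history:
                continue
            med = median(history)
            mad = median(abs(v - med) for v in history) or 1.0
            if b >= min_bytes and b > med + k * mad:
                spikes.append((host, day, b, med))
    return spikes

def first_seen_destinations(flows: List[Flow], host: str, day: str) -> Set[str]:
    """External destinations this host contacted on `day` but never before it."""
    before = {f.dst for f in flows
              if f.host == host and f.day < day and is_external(f.dst)}
    today = {f.dst for f in flows
             if f.host == host and f.day == day and is_external(f.dst)}
    return today - before

# Constructed sample: a file server with a steady ~1 GB/day SaaS sync, a large
# internal backup replication that must be ignored, a quiet workstation, and
# then a 38 GB push to a never-seen address on the eighth day.
GB, MB = 1024**3, 1024**2
DAYS = [f"2024-11-{d:02d}" for d in range(1, 9)]
_FS01_BASELINE_MB = [900, 1100, 950, 1000, 1050, 980, 1020]

SAMPLE_FLOWS: List[Flow] = []
for _day, _mb in zip(DAYS, _FS01_BASELINE_MB):
    SAMPLE_FLOWS.append(Flow("FS01", _day, "203.0.113.50", _mb * MB))
    SAMPLE_FLOWS.append(Flow("FS01", _day, "10.0.0.5", 150 * GB))  # internal backup
    SAMPLE_FLOWS.append(Flow("WS05", _day, "203.0.113.50", 200 * MB))
SAMPLE_FLOWS.append(Flow("FS01", DAYS[7], "203.0.113.50", 990 * MB))
SAMPLE_FLOWS.append(Flow("FS01", DAYS[7], "198.51.100.77", 38 * GB))
SAMPLE_FLOWS.append(Flow("WS05", DAYS[7], "203.0.113.50", 210 * MB))

if __name__ == "__main__":
    for host, day, b, med in find_spikes(SAMPLE_FLOWS):
        new = first_seen_destinations(SAMPLE_FLOWS, host, day)
        print(f"{host} {day}: {b / GB:.1f} GB out (baseline {med / MB:.0f} MB/day), "
              f"new destinations: {sorted(new)}")
```

Two design points matter in practice. The baseline is computed only from days before the one being scored, so a multi-day exfiltration does not quietly raise its own threshold; and the first-seen destination set is what turns a volume anomaly into something an analyst can act on, because the upload target is also the thing to block.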
9. INC Ransom: Targeting Without Limits
- Other names: INC, Inc. Ransom, Lynx
- Appeared: July 2023
- Claimed victims in 2024: 162
- Claimed victims overall: 208
INC Ransom markets itself as a “service”, claiming its intrusions improve victims’ security. Its targeting is indiscriminate, and it has included a children’s hospital. The resemblance of its data leak site to LockBit’s suggests possible connections, and researchers assess that Lynx, a newer group whose encryptor shares code with INC Ransom’s, is most likely a rebrand of the operation. The brazen targeting and the deceptive framing are what define INC Ransom.
10. BlackSuit: A Royal Resurgence
- Other names: Royal
- Appeared: April/May 2023
- Claimed victims in 2024: 156
- Claimed victims overall: 175
BlackSuit is believed to be a rebranding of Royal Ransomware, a highly active group in 2022. CISA noted its use of legitimate software and open-source tools during attacks, showcasing its ability to blend in and evade detection. BlackSuit’s strategic use of readily available tools underscores its adaptability and resourcefulness.
Bonus: LockBit 3.0 – The Persistent Threat
- Other names: LockBit Black
- Appeared: March 2022
- Claimed victims in 2024: 534
- Claimed victims overall: 1973
Despite the significant disruption of Operation Cronos in February 2024, LockBit remained a major player. A large part of the reason is the September 2022 leak of the LockBit 3.0 builder, which let unaffiliated criminals generate and deploy their own LockBit payloads regardless of what happened to the core operation. Post-takedown victim counts for the brand should also be read with care, since the relaunched leak site re-listed older victims alongside new ones. Even so, LockBit’s staying power illustrates how hard it is to end a RaaS operation with law enforcement action alone.
Addressing the Continued Threat of Ransomware in 2025 and Beyond
The year 2024 was a stark reminder of how persistent and adaptive ransomware operations are. The takedown of ALPHV/BlackCat and the disruption of LockBit brought a brief sense of relief, but the ransomware-as-a-service model absorbed both blows. Affiliates moved, new brands appeared, and existing groups adjusted, all of which argues for a proactive and dynamic approach to defense.
The data presented in this analysis, sourced from Ransomware.live, RansomLook, Corvus Insurance, and Recorded Future, paints a clear picture. The rise of RansomHub, the continued activity of Play and Akira, and the emergence of newcomers such as Hunters International all underscore the need for constant vigilance.
The tactics employed by these groups also call for a multi-layered defense. Initial access through vulnerable internet-facing infrastructure, the shift toward data extortion without encryption, and the harvesting of stored credentials each defeat a different single control, which is why no one measure below is sufficient on its own.
For enterprise businesses, the implications are significant. A robust cybersecurity strategy is no longer a luxury but a necessity. This includes:
- Regular Software Updates: Patching promptly is critical to preventing initial compromise, above all on internet-facing VPN appliances, firewalls, remote-access gateways, and hypervisors, the systems several of the groups above exploited to get in.
- Strong Password Policies and Multi-Factor Authentication (MFA): These raise the cost of using stolen or guessed credentials, and they matter most on remote access and administrative accounts.
- Employee Security Awareness Training: Educating employees about phishing scams and other social engineering tactics is essential to preventing human error, a common entry point for attackers.
- Network Segmentation: Dividing the network into smaller, isolated segments limits the impact of a successful attack.
- Regular Data Backups: Offline or immutable backups, with restores tested regularly, preserve business continuity after an encryption event; note that they do nothing against pure data extortion, which is why exfiltration detection belongs alongside them.
- Incident Response Planning: Having a well-defined incident response plan in place allows for a swift and effective response to a cyberattack.
- Advanced Threat Detection and Response Solutions: Investing in advanced security technologies can help detect and respond to threats more effectively.
The fight against ransomware is far from over. The continued evolution of ransomware tactics and the emergence of new threat actors demand a proactive and adaptable approach to cybersecurity. International cooperation, continuous innovation in defense strategies, and a commitment to staying ahead of the curve are crucial in mitigating the impact of ransomware in the years to come. Enterprise businesses must remain vigilant and invest in comprehensive cybersecurity solutions to protect themselves from these ever-evolving threats.
Conclusion
The ransomware threat landscape remains dynamic and unpredictable. The rise and fall of specific groups highlight the need for continuous vigilance and adaptation in enterprise cybersecurity strategies. The resilience of RaaS and the emergence of new tactics demand proactive measures, including robust security protocols, employee training, and international cooperation to effectively combat these persistent cyber threats.
FAQs
Q: What were the top 10 ransomware groups in 2024?
A: The top 10 ransomware groups in 2024, based on reported activity, included RansomHub, Play, Akira, Hunters International, Medusa, Qilin, BlackBasta, BianLian, INC Ransom, and BlackSuit. LockBit 3.0 also deserves mention due to its continued impact despite law enforcement efforts.
Q: How can enterprise businesses protect themselves from these ransomware groups?
A: Robust cybersecurity measures are crucial. This includes regular software updates, strong password policies, multi-factor authentication, employee security awareness training, network segmentation, data backups, and incident response planning. Investing in advanced threat detection and response solutions is also highly recommended.
Q: What are the latest trends in ransomware attacks?
A: Current trends include the continued dominance of RaaS, shifting tactics (such as BianLian’s move to data extortion without encryption), and initial access through vulnerabilities in widely deployed internet-facing software. Theft of stored credentials (as seen with Qilin) and the speed with which groups regroup after law enforcement actions are also significant trends.