Top 10 Ransomware Groups to Monitor
09/25/24
The ransomware landscape is evolving, with groups frequently shutting down or splintering due to law enforcement actions or internal conflicts. Ransomware-as-a-service (RaaS) depends on affiliates for attacks, leading to intense competition.
Key Groups in 2024
- LockBit 3.0
Active since 2019 and topping the rankings by 2023, LockBit was disrupted by international law enforcement in 2024. Despite the decline, it remained active, holding a leading position with experienced members and significant victim numbers through mid-2024.
- Play
Play, also known as Playcrypt, emerged in 2022 and benefited from the collapse of larger groups such as Conti and BlackCat. It employs double extortion: encrypting data and also stealing it in order to threaten public release. As of mid-2024, Play ranked high in victim count, closely behind LockBit, according to Palo Alto Networks and Zscaler reports.
- 8Base
Emerged in 2022 and uses a customized Phobos encryptor. It targets various industries, focusing on small businesses, and this double-extortion group ranked third in ransomware activity in the first half of the year. 8Base primarily gains access through phishing and employs tools such as Mimikatz and SmokeLoader.
- Akira
Appeared in 2023 and is possibly linked to Conti. It uses stolen credentials and exploits vulnerabilities. As of mid-2024, Akira had affected 119 victims, ranking third in activity behind RansomHub and LockBit according to Palo Alto Networks and NCC telemetry.
- Black Basta
Active since 2022, Black Basta selects its targets carefully and is believed to include former Conti and REvil members. It has targeted over 500 organizations, with 114 listed victims this year. Uniquely selective, it avoids broad campaigns, instead relying on spear-phishing, purchased network access, and insider recruits for information.
- BlackByte
Another Conti offshoot that is more active than publicly reported. Although it does not have a high number of publicly disclosed victims, recent Cisco Talos research indicates that only 20% to 30% of its successful breaches are listed on its data leak site.
- RansomHub
RansomHub, a Ransomware-as-a-Service (RaaS) operation active since February 2024, rose quickly to become a top ransomware group by July, with over 210 victims. Its payload is a variant of Knight ransomware. Offering a 90% affiliate commission, RansomHub attracts experienced cybercriminals. It exploits vulnerabilities in products such as Citrix ADC and Fortinet FortiOS for initial access and uses tools such as SocGholish malware, Mimikatz, and Cobalt Strike.
- Hunters International
Hunters International appeared in October 2023 and shows significant code similarities to the dismantled Hive group. Claiming to have acquired and improved Hive’s source code, it is suspected by some researchers to be a rebranding of Hive. By April it had 97 victims, and increasing activity ranked it fourth in attack numbers by July.
- Medusa
This RaaS operation began in late 2022 and gained prominence in 2023. Medusa affiliates exploit vulnerabilities in public-facing systems and buy access from brokers. They employ living-off-the-land tactics, using built-in system utilities for lateral movement. According to Palo Alto Networks, Medusa compromised 103 organizations in the first half of 2024.
- DragonForce
DragonForce, a newcomer in 2024, is quickly gaining attention in the ransomware space. Known for unusual extortion tactics, including calling victims and publishing the recordings, DragonForce uses a ransomware program built from the leaked LockBit 3.0 builder. It gains entry through phishing and compromised RDP and VPN credentials; beyond the use of the leaked builder, there is no direct connection to LockBit.
As the ransomware landscape continues to evolve, staying informed about emerging threats is crucial for maintaining robust security. Organizations must keep a close watch on these key ransomware groups, as their tactics and operations can significantly impact businesses across various industries. By understanding and anticipating these threats, companies can better prepare and implement effective security measures to protect their data and systems from potential attacks.