S2W BLOG

S2W is a big data intelligence company specialized in the Dark Web, Deepweb and any other covert channels.

Ransomware Landscape in H2 2024: Statistics and Key Issues

Author: S2W TALON (HuiSeong Yang, HyeongJun Kim, ByeongYeol An, SeungHo Lee)

Last Modified : Apr 07, 2025

Executive Summary

This report analyzes ransomware group activity in the second half of 2024 (2024-07-01 ~ 2024-12-31). The analysis covers ransomware groups that operate Leak sites and the victim companies and organizations posted on those sites. In the second half of 2024, 2,844 companies were posted on Leak sites as having been infected with ransomware.

  • Despite the takedown and seizure of Leak sites operated by groups such as LockBit, Dispossessor, and VANIR in the second half of 2024, the number of affected companies increased compared to the second half of 2023.
  • The total number of affected companies increased by 500 compared to the second half of 2023 (2023-07-01 ~ 2023-12-31).

A total of 85 ransomware groups were active in the second half of 2024, each attacking an average of about 33 companies. A total of 42 new ransomware groups appeared in the second half of 2024; July saw the most, with 11 new groups. Large companies accounted for 3.4% of the companies attacked by ransomware groups in the second half of 2024, down from 4% in the first half of 2024. The Top 10 countries affected by ransomware in the second half of 2024 were selected, and the country with the most significant damage was the United States.

  • The country with the most significant increase in damage in the first half of 2024 compared to 2023 was the United States, and the country with the most significant decrease in damage was the United Kingdom.

The Top 10 industries affected by ransomware in the second half of 2024 were selected, with the construction industry experiencing the most significant damage. Additionally, all industries saw an increase in damage during this period. Ransomware-related issues that occurred in the second half of 2024 were subdivided into the following categories: Version Control, Revealed Connection, Affiliate, Attack Techniques, Activities in Telegram and DDW, Duplicated Victims, and Leaked & Exposed. Based on the S2W Threat Intelligence Center (a.k.a. TALON)'s risk evaluation of ransomware groups, the Top 5 high-risk ransomware groups in the second half of 2024 were Ransomhub, BlackSuit, AKIRA, BlackBasta, and Underground.

1. Overall Activities of Ransomware Groups in H2 2024

1.1 Activities of Ransomware Groups

In the second half of 2024, 2,844 companies were observed to have been victimized by ransomware group attacks. This is a 17.5% increase compared to the 2,344 companies victimized by ransomware attacks in the second half of 2023. According to Figure 1, when divided by month from July to December, ransomware activity frequency was higher in the second half of 2024 than in the second half of 2023 in all sections except July and September, and the average number of victim companies per month also increased by about 83. In particular, October saw an increase of about 66.6% compared to the second half of 2023, which is analyzed to be due to a significant increase in new ransomware groups.

Figure 1. Monthly Attack Volume in H2 2024 Compared to H2 2023

Among ransomware groups operating Leak sites, a total of 85 were active in the second half of 2024, each attacking an average of about 33 companies. The Top 10 most active ransomware groups accounted for 15.5% of all ransomware attacks in the second half of 2024, and detailed figures can be found in Table 1 and Figure 2.

The Top 10 ransomware groups in attack volume carried out an average of 151 attacks on companies in the second half of the year, and the 75 ransomware groups excluding the Top 10 ransomware groups in attack volume carried out an average of about 18 attacks on companies. The difference in attack volume is significant, with the Top 10 ransomware groups in attack volume being about 8.3 times higher than the average attack volume of the groups that did not make the Top 10. One factor that contributed to the surge in the total number of ransomware-affected companies in the second half of 2024 is the increase of 7 new ransomware groups. In particular, the amount of ransomware attacks increased sharply after October 2024 compared to the second half of 2023, which is largely attributed to the emergence of 7 new ransomware groups in October, including the ‘Sarcoma’ group, which ranked third in total attack volume in October alone. More details on new ransomware in the second half of 2024 can be found in section 2.1.1.

Table 1. Top 10 Ransomware Group Attack Volume
Figure 2. Ransomware Group Attack Volume Graph for the Second Half of 2024

1.2 Targeted Victim Country

The Top 10 countries with the most ransomware damage account for 81.1% of all victim countries. The Top 10 victim countries include 5 countries from the European continent, 3 countries from the Americas, 1 country from Oceania, and 1 country from Asia, indicating that countries in Europe and the Americas have a high frequency of ransomware damage. Compared to the ransomware-victim countries in the second half of 2023, the frequency of damage in the Netherlands decreased, and the frequency of damage in India increased, making it the only Asian country in the top 10. All of the top 10 countries are ranked between 1st and 15th or lower in terms of GDP, indicating that many ransomware attacks were carried out targeting countries with high national economic power in the first half of 2024. This shows that there is a strong correlation between a country’s GDP and the number of victim companies, as confirmed in the 2023 H2 Ransomware Trends and Statistics Analysis Report. In particular, the United States accounted for more than half of all ransomware damage in the second half of 2024, at 55.9%, because it is the most economically valuable target country with many companies and governments that are likely to pay the amount demanded by ransomware attackers.

Table 2. Top 10 Ransomware Victim Countries
Figure 3. Ransomware Victim Country Map Graph

1.3 Targeted Victim Industry

The Top 10 industries with the most damage account for 75.9% of all victim industries, showing an overall similar trend compared to the second half of 2023. However, in the second half of 2024, the Finance industry, which was not previously seen in the Top 10, newly appeared, and the Transportation industry, which was high in the list of victim industries in the first half of 2024, was ranked 12th. In addition, the Business Services industry was ranked 4th in the first half of 2024, whereas it suffered the second most damage in the second half of 2024. The Healthcare industry declined by about 0.8%, from 7th to 10th. The industry with the most damage was the same as in the first half of 2024, which was the manufacturing industry, accounting for 18.1% of all victim companies. Although the percentage decreased by 2.4% compared to the previous quarter, the number of attacks on the Manufacturing industry increased by 31. This suggests that ransomware groups are not focusing their attacks on specific industries but are gradually expanding their scope to various industries. Detailed changes in the ransomware-affected

Table 3. Top 10 Ransomware Damaged Industries

2. Detailed Analysis of Ransomware Activities

2.1 Statistical Insight

2.1.1. New Ransomware Group

In the second half of 2024, S2W tracked 42 new ransomware groups and ransomware families, with an average of about 7 groups newly discovered each month. This is 9 fewer than the number that newly appeared in the first half of 2024. The month with the most new ransomware in the second half of 2024 was July, with a total of 11 new groups.

Table 4. New ransomware groups in the second half of 2024 (Bold: groups with leak sites)

In this section, additional analysis was performed by classifying the new ransomware groups that were active in the second half of the year, and for this purpose, groups were subdivided into groups operating Leak sites and groups based on ransomware family standards.

New Ransomware Group operating Leak Site

The S2W Threat Intelligence Center is continuously tracking ransomware groups that operate Leak sites. Compared to the first half of 2024, the number of ransomware groups with newly discovered Leak sites increased in the second half of the year, and the number of groups whose addresses were changed or whose operations were suspended and switched to offline also increased.

Figure 4. Second Half of 2024: Leak Site Status Changes

Looking at the status of Leak sites operated in the second half of 2024, a total of 26 new Leak sites were discovered. Among them, HellCat, NullBulge, Dispossessor, Funksec, Chort, BASHE, Nitrogen, and CyberVolk were found to be operating new channels alongside their existing Leak sites, as they added new types of channels such as Telegram, Twitter, Clearnet, and Discord. However, after the CEO of Telegram was arrested in September 2024, the terms of service and privacy policy were changed to provide users’ IP addresses and phone numbers to law enforcement agencies in response to a search warrant or other valid legal request. Due to these policy changes, criminal groups such as Bl00dy and CyberVolk showed signs of stopping their use of Telegram.

Figure 5. Channel Usage by Ransomware Group with New Leak Sites

On the other hand, there were also groups whose Leak site status changed. The addresses of Leak sites were changed for 13 groups, and the operation of Leak sites was suspended for 21 groups.

  • Groups with changed Leak site addresses (13): Brain Cipher, Dunghill Leak, Hunters International, Lynx, Kill Security, LockBit, Rancoz, PLAY, BianLian, Helldown, Qilin, Funksec, 8Base
  • Groups with suspended Leak site operations (21): La Piovra, HelloGookie, Qiulong, Lynx, Helldown, MedusaLocker, Karakurt, Lorenz, RansomCortex, Red, SenSayQ, Dispossessor, LockBit, Playboy Locker, Valencia, Mad Liberator, MEOW, NoName, Chort, BlueBox, Snatch

Among these, LockBit’s Leak site was seized and its operation was suspended in October due to Operation CRONOS, and Dispossessor and Vanir’s Leak sites were also seized due to pressure from law enforcement agencies.

New Ransomware Group based on Ransomware Family

Ransomware groups sometimes develop and use their own ransomware, but they also purchase source code from other ransomware groups or use leaked source code and builders, either customizing existing ransomware or using it as it is. Among the ransomware that newly emerged in the second half of the year, 5 were identified as having been created with other groups’ builders or leaked source code. In particular, many LockBit family members were found in the second half of 2024.

Table 5. Ransomware Groups Classified as Ransomware Families among New Ransomware Groups
  • LockBit Family: LockBit-based ransomware Family refers to ransomware created from the LockBit 3.0/Black builder leaked by a developer in September 2022.
Figure 6. LockBit Family
  • Conti Family: Refers to ransomware created by reusing the leaked Conti ransomware source code, and ransomware derived from the ransomware (BlackBasta, BlackByte, Royal) created by Conti’s subgroups.
Figure 7. Conti Family
  • Babuk Family: Refers to ransomware created by reusing the leaked Babuk source code.
Figure 8. Babuk Family

2.1.2. Detailed Statistical Insight of Ransomware Group

2.1.2.1. Targeted Governments in H1 2024

Ransomware attacks on government agencies, which can have a huge impact on essential social infrastructure services and city councils, accounted for about 2.3% of all ransomware attacks in the second half of 2024, with a total of 67 cases. In particular, compared to the first half of 2024, there was an increase of 10 cases, which is analyzed to be an increase in attacks on government agencies, considering that the amount of ransomware damage in the second half of 2024 increased by about 20.5% compared to the previous quarter. Government agencies in 19 countries were damaged in the second half of 2024, and 32 ransomware groups carried out ransomware activities against them. Among these, Ransomhub ransomware carried out the most attacks against governments with 11 cases.

Government agency damage was observed in 8 of the Top 10 countries with damage in the second half of 2024: the United States, Spain, Canada, the United Kingdom, India, France, Brazil, and Germany. In addition, the United States government agencies, which had the highest damage in the first half of 2024, had 41 cases of damage, which is an increase of 15 cases compared to the first half of 2024. In addition, 22 countries that were not included in the Top 10 countries with damage in 2024 were also identified.

Table 6. Countries where Ransomware Government Agencies were Damaged

2.1.2.2. Targeted Victim Enterprises Size

When classifying the size of companies according to annual revenue into large, medium, and small enterprises, the size of companies damaged by ransomware attacks in the second half of 2024 is shown in Figure 9. The classification criteria are the same as in the second half of 2023, referring to the corporate classification criteria according to revenue defined by Gartner.

Figure 9. Radar Chart of Corporate Classification by Revenue in the Second Half of 2023 and 2024

Compared to the second half of 2023, the total number of damaged companies in the second half of 2024 increased, but it can be seen that damage to large and medium-sized companies decreased. The number of ransomware attacks on large companies in the second half of 2024 was 90, a decrease of about 51.6% compared to 186 in the second half of 2023. On the other hand, in the case of small businesses, the total was 2,050 in the second half of 2024, an increase of about 38.3% compared to 1,482 in the second half of 2023, and 129 companies whose company size was not disclosed also increased by 53 compared to the second half of 2023. Therefore, in the second half of 2024, small and medium-sized enterprises accounted for 96.6% of the damaged companies with disclosed size, and large companies accounted for 3.4%. This ratio shows that damage to large companies decreased by about 0.6% compared to the first half of 2024. As confirmed in the ransomware trend report for the first half of 2024, this is analyzed as a result of large companies’ continued security investment and efforts to actively respond to various cyberattacks, such as establishing a professional security team.

In addition, according to Coveware, a ransomware analysis company, with the collapse of large-scale ransomware groups such as BlackCat, which ceased operations due to an Exit Scam in February 2024, and LockBit, whose Leak site was seized due to Operation CRONOS, the ransomware ecosystem is focusing on the small and medium-sized market rather than on attacks against large companies. The analysis above confirms this trend. Accordingly, ransomware groups are also being reorganized into small-scale organizations, and the amounts they demand are lower than in the past. As law enforcement agencies continue to crack down, this trend is expected to continue.

Table 7. Frequency Table of Target Company Classification in the Second Half of 2023 and 2024

The results of analyzing the targets of ransomware groups in the second half of 2024 are as follows.

  • In the second half of 2024, a total of 34 ransomware groups attacked large companies, and 40% of all ransomware groups attacked them. In particular, all of the top 10 ransomware groups in attack volume were found to have attacked large companies at least once.
  • Among the top 10 groups in attack volume, the Ransomhub group had 17 attacks targeting large companies out of a total of 441 attacks, which is the highest number of attacks targeting large companies.
  • On the other hand, the Lockbit group, which targeted the most large companies in the first half of 2024, conducted 25 attacks on large companies out of a total of 464 attacks in that period, but as its activity gradually decreased, only 6 out of 101 ransomware attacks in the second half of 2024 targeted large companies. As explained earlier, this is presumed to be largely because, after the Lockbit group’s Leak site was closed, its activity increased for a while but then became more passive under continued intensive monitoring by law enforcement agencies. More details on the Lockbit group can be found in the report below.
Figure 10. Comparison of Lockbit Group’s Activity in the First Half of 2024 and the Second Half of 2024

However, there is a possibility that the above figures may differ in that large companies with sufficient ransom payment capabilities and a large amount of important information may have paid the ransom before being uploaded to the Leak site.

2.1.2.3. Affiliate Recruitment and Communication Post

Figure 11 shows the trend of posts and comments on the ‘Partners Program \ RaaS \ 合作伙伴计划’ and ‘Freelance \ 自由职业者’ bulletin boards of the RAMP forum. Ransomware groups mainly use these boards to recruit RaaS members or attackers such as pentesters, who infiltrate the target’s internal infrastructure and distribute ransomware.

Figure 11. Combined Frequency of Posts and Comments in the Freelance and RaaS Bulletin Boards of the RAMP Forum in the Second Half of 2024

Posts and comments related to recruitment decreased by about 58.2% compared to the first half of 2024. This is judged to be because ransomware recruitment activities are gradually decreasing as large-scale ransomware groups close and cease operations. In particular, in the third quarter of 2024 (July ~ September), when the amount of ransomware attacks was lower than the previous year, activity on the recruitment bulletin board was also low. However, in the fourth quarter of 2024 (October ~ December), when many new ransomware groups appeared, the number of posts and comments increased by 20.6% compared to the third quarter. Based on the fact that the amount of ransomware attacks increased during this period, it is judged that the number of posts and comments in the bulletin board is related to the amount of ransomware attacks, as confirmed in the ransomware trend report for the first half of 2024. Therefore, continuous monitoring of this bulletin board is necessary for predicting overall ransomware attack volume.

2.1.2.4. Mentioned keywords By Sources

The following are the results of investigating the trend of mentioning the two keywords ‘Ransomware’ and ‘Affiliate’ related to ransomware for two sources, Deep & Dark Web forums and Telegram, during the second half of 2024. The analyzed amount of mentions is a figure excluding simple news and feeds, and the actual conversations between ransomware managers and Affiliates are mainly conducted in private chat rooms, so they are not included in this figure. Details on ‘Affiliate’ are explained in 2.2.3.

  • The number of mentions of ransomware-related keywords in the second half of 2024 was about 43 times more in Telegram than in Deep & Dark Web forums, as in the first half of 2024. This is partly because the number of messages generated in Telegram is much higher than the number of posts and comments in Deep & Dark Web forums, but it also suggests that most forums have banned ransomware-related activities since the 2021 U.S. Colonial Pipeline attack, and as a result, ransomware group activities and related organizations are gradually expanding to Telegram.
  • The number of mentions of the keywords ‘Ransomware’ and ‘Affiliate’ in Telegram rapidly increased in September 2024 and then decreased. This is analyzed as the result of Telegram CEO Pavel Durov being arrested by French law enforcement agencies and the personal information regulations being strengthened, and some ransomware groups leaving Telegram, which led to a decrease in the amount of mentions. On the other hand, in Deep & Dark Web, the number of mentions of the keywords ‘Ransomware’ and ‘Affiliate’ showed a slight increase in the fourth quarter of 2024 (October ~ December).
Figure 12. Deep & Dark Web, Telegram Ransomware Keyword Mention Trends (Left : DDW, Right : Telegram)

2.1.2.5 Forecast for 2025 H1

The S2W Intelligence Center analyzed the ransomware damage status from 2022 to the second half of 2024 and predicted the future damage occurrence. To do this, we predicted the attack volume trend for the first half of 2025 through time series analysis, which is an analysis methodology that identifies or predicts specific patterns based on data collected over time, and the ARIMA prediction model. First, to evaluate the performance of the prediction model, we applied it to the ransomware damage status in the second half of 2024.

Figure 13. 2024 Second Half Ransomware Damage Status Evaluation Graph

Looking at the damage status graph above, the actual damage status in the second half of 2024 (green line) and the predicted data (red line) appear to be generally similar. In the case of ransomware attacks, there is high volatility, so there are some sections where the predicted data is somewhat different, but it can be confirmed that all of them are within the prediction error (pink area). As a result of the prediction model analysis, it was found that the ransomware damage status shows large short-term volatility, but when looking at the overall damage status, there is a strong tendency to maintain an average value, and there is a recurring pattern every 12 months, such as a decrease in attack volume between December and January or a sudden increase in attack volume between May and June, that is, seasonality. Also, it showed a trend of gradually decreasing over time. Based on this model, we proceeded with the prediction for the first half of 2025.

Figure 14. 2025 First Half Ransomware Damage Status Prediction Graph

Based on our prediction model, when predicting the ransomware damage status in the first half of 2025, it is expected that the damage will continue to decrease compared to the previous year, and it is expected that a maximum of 60 cases of damage will occur per day. This is judged to reflect the passive attack tendency of ransomware groups due to continuous monitoring by law enforcement agencies and strengthened crackdowns on individuals and services involved in ransomware laundering, such as Operation Destabilize. However, considering the emergence of new ransomware groups and other factors that may affect the amount of ransomware attacks, there may be some differences from the actual damage status.

2.1.3. Compared with H2 last year

2.1.3.1. Top 10 Countries with increased target count compared to H2 2023

The country with the largest increase in the number of ransomware damages in the second half of 2024 compared to the second half of 2023 was the United States, and other countries with increased ransomware damage can be found in Table 8. Five of the top 10 countries with increased damage are located in the Americas, which is confirmed as the continent with the largest increase in ransomware damage.

  • Compared to the countries with increased damage in the first half of 2024, the number of countries in the European continent decreased from 5 to 2, while the number of countries in the Asian region increased from 2 to 3. In particular, Indonesia recorded 14 cases of ransomware attack damage, a two-fold increase compared to the previous year, showing the largest increase. This is analyzed to be because the country’s rapid digital transformation and relatively vulnerable cybersecurity environment have become a major target for hackers. Also, in the Middle East, due to ongoing conflicts and wars, ransomware attacks on Israel have continued to increase, as in the first half of 2024, which is an example that confirms that geopolitical conflicts are directly related to the increase in cyber threats.
  • In the second half of 2024, ransomware damage to South American countries such as Brazil and Peru increased significantly, ranking 3rd and 5th respectively. This is analyzed to be because cybersecurity capabilities have not kept pace with the rapid increase in digitalization since the pandemic. According to World Bank Blogs, the number of cybersecurity incidents in South America has increased by an average of 25% annually over the past 10 years from 2014 to 2024, making it the fastest-growing region in the world.
Table 8. Top 10 Countries with Increased Ransomware Damage
Figure 15. Graph of the top 10 countries with increasing ransomware damage

2.1.3.2. Top 10 Countries with reduced target count compared to H2 2023

The country with the largest decrease in the number of ransomware damages in the second half of 2024 compared to the second half of 2023 was the United Kingdom, and other countries with decreased ransomware damage can be found in Table 9. Among the Top 10 countries with reduced damage, seven are located in the European continent, and three are located in the Asian continent.

  • The fact that the United Kingdom, Germany, Italy, and France, which were included in the Top 10 countries with ransomware damage in the second half of 2024, are also among the Top 10 countries with decreased damage compared to the previous year, is analyzed to be closely related to the fact that these countries have continuously expanded their investment in cybersecurity and law enforcement agencies have strengthened their monitoring and crackdown on ransomware attacks, especially reducing attacks targeting large corporations. This trend can be seen as a result of large companies building stronger security infrastructure and conducting regular security checkups, as well as law enforcement agencies strengthening their legal response and international cooperation.
Table 9. Top 10 Countries with Reduced Ransomware Damage
Figure 16. Top 10 Countries with Reduced Ransomware Damage Graph

2.1.3.3. Top 10 Industries with increased target count compared to H2 2023

Table 10 shows the industries with increased ransomware damage in the second half of 2024 compared to the second half of 2023. Ransomware attacks significantly increased in major industries such as Construction, Manufacturing, and Business Services. In particular, the Construction industry had the largest increase in damage with 114 cases, and the Manufacturing industry, which had the largest increase in damage in the first half of 2024, increased by 111 cases.

  • According to ReliaQuest, the approximately 41% increase in ransomware damage in the Construction industry compared to the previous year is due to insufficient cybersecurity investment relative to the vast amount of data the industry holds. In addition, the urgent need to maintain operational continuity, inadequate government regulations, and the security vulnerabilities of third-party and contractor networks make it a particularly vulnerable target for ransomware attacks. The need for organizations to urgently adopt a more stringent cybersecurity strategy is therefore emphasized. In particular, as the industry becomes more dependent on systems through the introduction of AI and digital technologies, it is analyzed to be more likely to be exposed to vulnerabilities.
  • Compared to the first half of 2024, it is noteworthy that the Healthcare industry is among the Top 10 industries with increased damage. Ransomware groups have not significantly attacked the Healthcare industry, which is directly related to human life and where attacks can be a serious threat to international security, but damage to it increased by about 50.7% compared to the previous year, and the World Health Organization (WHO) is strongly condemning ransomware attacks on the Healthcare industry.
Table 10. Top 10 Industries with Increased Ransomware Damage

2.1.3.4. Top 10 Industries with reduced target count compared to H2 2023

There were no industries with reduced ransomware damage in the second half of 2024 compared to the second half of 2023. The amount of ransomware attacks increased for all industries compared to the previous year, which is analyzed to be due to the collapse of large-scale ransomware groups and the concentration of law enforcement agencies’ surveillance, which greatly reduced attacks on large corporations and highly profitable industries. As analyzed in section 1.3, this suggests that ransomware groups are not focusing their attacks on specific industries but are gradually expanding their scope to various industries.

Table 11. Top 10 Industries with Reduced Ransomware Damage

2.2 Key Issue

2.2.1. Version Control

RaaS (Ransomware-as-a-Service) groups continue to update their ransomware consistently to evade detection and maintain brand reputation while expanding the scope of targeted operating systems. Significant changes observed in the second half of 2024 are outlined below.

AKIRA

In December 2024, Unit42 identified AKIRA continuously updating its attack tools, including a Rust-based version and the AKIRA_v2 variant targeting ESXi environments. According to Unit42, some AKIRA_v2 samples are designed to execute ESXCLI commands.

Cisco Talos indicated that AKIRA might revert to previous versions written in C++ targeting Windows and Linux environments for enhanced operational stability and reliability.

LockBit

In November 2024, the Fox William Mulder Telegram channel announced server and domain updates ahead of the LockBit 4.0 release for security reasons.

In December 2024, LockBit’s leak site announced the official launch of LockBit 4.0.

Beast

In November 2024, MalwareHunterTeam identified a new variant of Beast ransomware active since 2022. This variant specifically targets Linux-based environments.

Mallox

In September 2024, SentinelOne discovered a Mallox affiliate server, noting that Mallox ransomware targeting Linux environments is based on a modified version of the open-source RaaS platform Kryptina.

Figure 17. Leaked Mallox files showing Kryptina source files (Left) / Kryptina database files (Right) (Source: SentinelOne)

PLAY

In July 2024, Trend Micro discovered a new Linux variant of PLAY ransomware targeting ESXi environments, characterized by executing shell script commands to scan and shut down all virtual machines.

Figure 18. Attack process of PLAY ransomware’s Linux variant (Source: Trend Micro)

Hunters International

In July 2024, Hunters International officially announced the release of their new encryption and decryption software (v5.0.0). According to their announcement, this version includes fixes for previously identified bugs and offers improved encryption and decryption speeds.

Ransomhub

According to Lab52 and Unit42, a Go-based variant of Ransomhub was identified in July 2024. While this variant continues to employ the same “gobfuscate” obfuscation technique as the previous version, a new variant emerged with additional capabilities, including VM shutdown evasion and rapid encryption.

Qilin

In November 2024, Halcyon identified an updated ransomware version, Qilin.B, introducing AES-256-CTR encryption support when AESNI (Advanced Encryption Standard New Instructions) is available on victim systems, enhancing encryption performance.

BlackByte

In August 2024, Talos found a new BlackByte variant that uses a new file extension (blackbytent_h) and exploits ESXi’s authentication bypass vulnerability (CVE-2024-37085), and noted that the number of vulnerable drivers abused through BYOVD (Bring Your Own Vulnerable Driver) increased from three to four.

HardBit

In July 2024, Cybereason identified HardBit 4.0 as different from previous versions in that it is dropped into the %TEMP% directory by Neshta and executed through the ShellExecuteA() API. To run, it requires the attacker to provide the decoded authorization ID: the ID is stored in encoded form in “id_authorization.txt” and is decoded using a private key in “Private.txt”. The authorization file uniquely resides alongside the HardBit binary.

Figure 19. HardBit ransomware attack process (Source: Cybereason)

BlackSuit

In July 2024, Deep Instinct reported a new BlackSuit ransomware. This new ransomware notably manipulates metadata (excluding signatures) to masquerade as Qihoo 360 antivirus software.

Figure 20. BlackSuit ransomware metadata disguised as Qihoo 360 (Source: Deep Instinct)

2.2.2. Revealed connections between groups

Ransomware groups continuously attempt changes not only by updating binaries but also through collaborations and rebranding to manage affiliates and maintain their reputation. The following details summarize confirmed collaborations and rebranding between ransomware groups in the second half of 2024.

2.2.2.1. Relation between CyberCrime Group

BlackCat — Lunar Spider (High Confidence)

In October 2024, EclecticIQ discovered a campaign deploying obfuscated JavaScript downloaders distributing malicious payloads related to Brute Ratel C4. The campaign was highly associated with Lunar Spider, confirmed by shared hosting infrastructure — Lunar Spider’s Latrodectus malware C&C server domain and BlackCat’s domain were hosted on the same IP address, suggesting a connection between the two groups.

Cicada3301 — BlackCat (High Confidence)

According to TRUESEC, Cicada3301 ransomware, which was first observed in May 2024, shares several similarities with the BlackCat group that ceased activity in March 2024.

Both ransomware families are written in Rust and use the ChaCha20 encryption algorithm. Additionally, both employ a “ui” command parameter to visually display the encryption progress. They also use nearly identical commands to shut down virtual machines and remove snapshots. Furthermore, their ransom note file naming conventions are nearly identical: Cicada3301 uses the format “RECOVER-encrypted_file_extension-DATA.txt”, and BlackCat uses the format “RECOVER-encrypted_file_extension-FILES.txt”.

Lynx — INC (High Confidence)

Lynx ransomware, identified in July 2024, shares significant code block similarities with INC ransomware that emerged around August 2023.

According to Unit42, BinDiff analysis indicates approximately 48% code similarity and 70% similarity considering common functions. Also, Lynx and INC ransomware groups have similar Leak site interfaces, and a user named rivitna2 indicated that Lynx purchased INC ransomware’s source code.

Figure 21. Code similarities between INC and Lynx ransomware analyzed via BinDiff (Source: Unit42)

PLAY — Prolific Puma (High Confidence)

According to Trend Micro, infrastructure similarities between PLAY and Prolific Puma emerged concurrently.

Specifically, URLs hosting PLAY ransomware payloads matched Prolific Puma’s infrastructure. Additionally, the IP addresses linked to the Coroxy backdoor used by PLAY matched domains registered by Prolific Puma. Furthermore, IP addresses associated with PLAY ransomware share the same ASN (Autonomous System Number) as Prolific Puma, indicating a common network provider.

Figure 22. IP addresses hosting PLAY ransomware (left) / IP addresses related to Prolific Puma (right) (Source: Trend Micro)

Dispossessor — RADAR, LockBit (High Confidence)

Dispossessor emerged in February 2024, collaborating with the RADAR ransomware group to target SMEs across the manufacturing, development, education, healthcare, finance, and transportation sectors.

According to DataBreaches, RADAR and Dispossessor operate as a unified team of red teamers, OSINT experts, and others, sharing methodologies, tools, and profits.

RedHotCyber reported similarities between RADAR/Dispossessor and LockBit’s leak sites. Interviews revealed that these groups previously operated as affiliates and partners of LockBit and drew inspiration from LockBit’s leak site. However, Dispossessor’s leak site was seized by law enforcement in August 2024.

Key Group — huis (Low Confidence)

Securelist reported that initial samples of Key Group ransomware used the “.huis_bn” file extension, suggesting a connection to the huis group active on Telegram. It is suspected that Key Group is a subproject of huis. In addition, analysis of GitHub repositories hosting ransomware and wipers revealed connections to a Telegram user known as Bloody-Lord Destroyer-Crew, allegedly the owner of the huis group.

CyberVolk — Doubleface Team (Low Confidence)

CyberVolk ransomware, first detected in July 2024, introduced its own RaaS and is known to have pro-Russian affiliations.

SentinelOne reported that CyberVolk publicly promotes Doubleface Team (Double Alliance), establishing a clear link. Both groups’ ransomware payloads function similarly.

Figure 23. CyberVolk promoting Doubleface Team (Source: SentinelOne)

Helldown — Donex (Low Confidence)

Helldown ransomware, first observed with a Leak site in August 2024, uses double-extortion tactics.

According to Sekoia, Helldown and Donex share significant similarities in their configuration files and onionmail usage, suggesting a potential connection.

Figure 24. Comparison between Donex (Darkrace) configuration file (Left) / Helldown configuration file (Right) (Source: Sekoia)

InterLock — Rhysida (High Confidence)

InterLock ransomware, first discovered in October 2024, shares TTPs and encryption binaries with Rhysida ransomware, suggesting possible connections.

According to Talos, InterLock ransomware’s hardcoded file and folder exclusion lists closely match those used by Rhysida ransomware. Additionally, the encryption tool (conhost.exe) and other utilities (AnyDesk, PuTTY) found in InterLock ransomware were previously observed in Rhysida ransomware. Furthermore, InterLock and Rhysida ransom notes similarly portray the groups as partners aiding victim organizations rather than as direct threats.

Figure 25. InterLock ransomware note (Left) / Rhysida ransomware note (Right) (Source: Talos)

CosmicBeetle — Ransomhub (Low Confidence)

According to ESET, CosmicBeetle attempted and failed to attack an Indian manufacturing firm in June 2024. Subsequently, Ransomhub’s EDRKiller was manually executed, differing significantly from Ransomhub’s usual execution methods, indicating CosmicBeetle possibly joined Ransomhub as a new affiliate.

Orca — Lynx (Low Confidence)

Orca ransomware, whose leak site appeared in September 2024, shows notable UI similarities to the Lynx ransomware leak site, which appeared in July 2024. Fonts, company introduction sections, and content are nearly identical, indicating the reuse of web templates or underlying code by the respective operators.

Figure 26. Orca’s Leak Site (Left) / Lynx’s Leak Site (Right)

PLAY — LockBit (Low Confidence)

According to DailyDarkWeb, the Telegram conversations between the two groups included content related to “Play ransomware paying $35,000 for the LockBit tool.” However, considering that the conversations are not from the official Telegram channel of PLAY ransomware and that the conversations are in English, not Russian, despite being sensitive topics, the likelihood of a connection between the two groups is very low.

2.2.2.2. Rebrand

Metatron — Mad Liberator (Low Confidence)

Metatron ransomware was first observed in September 2024 when MalwareHunterTeam revealed its leak site. Notably, the leak site domain used by Metatron is identical to the previously known Mad Liberator leak site, suggesting a potential link between the two ransomware variants.

APT73 — BASHE (Low Confidence)

APT73 ransomware was first identified in April 2024, with the leak site initially revealed by user Rakesh Krishnan.

In October 2024, according to Rakesh Krishnan on X (Twitter), a new leak site associated with BASHE ransomware was identified. The new BASHE leak site closely resembles the APT73 leak site, except for the name, leading to speculation that APT73 rebranded itself as BASHE.

Figure 27. Leak site comparison between APT73 (left) / BASHE (right) (Source: Rakesh Krishnan)

Pryx — HellCat (High Confidence)

Pryx ransomware was first identified in July 2024 when its leak site was revealed by Dark Web Informer. It is known to have been created by a user named Pryx, active on Breachforums and XSS.

In October 2024, Pryx announced via their X (Twitter) account that the ransomware group had rebranded from Pryxed to HellCat, confirming the rebranding.

2.2.3. Affiliate

Affiliate refers to individuals or groups collaborating with RaaS operators to perform actions such as initial intrusion, lateral movement, data exfiltration, and ransomware distribution. In this report, the term affiliate broadly includes all users or groups assisting with initial access and is further categorized into two segments: Initial Access Brokers, users or groups selling access information for individuals or specific enterprises within the Deep & Dark Web, and Pentesters, users or groups responsible for the initial penetration processes intended to distribute ransomware payloads.

2.2.3.1. Initial Access Broker

PLAY: Andariel

According to Unit42, the North Korean-backed APT group Andariel conducted initial intrusions using compromised accounts in May 2024, spreading Sliver (open-source tool) and DTrack malware to other hosts via SMB (Server Message Block). These activities ultimately led to the deployment of PLAY ransomware.

Figure 28. Attack process of the Andariel group (Source: Unit42)

2.2.3.2. Pentester

Embargo: Storm-0501

Storm-0501 is a pentester that utilizes various open-source tools to deploy ransomware.

In September 2024, Microsoft identified campaigns by Storm-0501 exploiting weak credentials and accounts with excessive privileges during cloud transitions, ultimately leading to the deployment of Embargo ransomware. Storm-0501 leveraged weak credentials in Microsoft Entra ID to perform lateral movement from on-premises environments to cloud environments, eventually deploying Embargo ransomware through a backdoor.

RA Group: Bronze Starlight

RA Group, first observed as a RaaS group in April 2023, rebranded as RA World in January 2024, with potential links to the DEV-0410 group known as Bronze Starlight.

According to Unit42, both RA Group and DEV-0410 utilize the same open-source tool (NPS), and the execution paths for this tool are similar. Additionally, the ransomware payloads for both groups are reportedly based on leaked Babuk source code.

INC: Vanilla Tempest

Vanilla Tempest has operated as an affiliate since July 2022, targeting sectors including education, healthcare, and manufacturing, utilizing ransomware variants such as RedAlert, BlackCat, HelloKitty, and Zeppelin.

According to Microsoft Threat Intelligence, Vanilla Tempest uses Storm-0494’s Gootloader malware for initial access, then moves laterally using the RDP protocol to deploy the INC ransomware payload, indicating a connection between the two groups.

BlackBasta: UNC4393

According to Mandiant, UNC4393 is a financially motivated threat cluster primarily deploying BlackBasta ransomware, active since early 2022.

UNC4393 initially gains access through phishing emails distributing QAKBOT botnet malware and utilizes other malware variants like DarkGate and SilentNight to deploy BlackBasta ransomware.

Unlike typical RaaS operations, BlackBasta does not publicly market itself nor actively recruit affiliates. Considering this operational approach, UNC4393 is suspected to be a private affiliate of BlackBasta.

2.2.4. Attack Techniques

Attackers continuously evolve their tactics, techniques, and procedures (TTPs), including malware, tools, and vulnerabilities, to evade detection. RaaS operators and affiliates similarly advance their ransomware distribution methods to obtain financial gains. The following sections detail significant ransomware distribution campaigns observed in the second half of 2024.

Figure 29. Campaign Timeline

The following is a list of malware and custom tools identified by ransomware groups and affiliates during the second half of 2024.

Table 12. List of Malware & Custom Tools Used in Campaigns

Moreover, among open-source and cracked tools used by ransomware groups, PsExec was the most frequently employed, followed by Mimikatz and ADFind.

Figure 30. List of open-source and cracked tools used in ransomware campaign

During the second half of the year, 17 ransomware groups utilized 22 distinct vulnerabilities in their attacks. Of these, 10 were exploited as publicly disclosed vulnerabilities (1-day), while 7 were exploited as undisclosed vulnerabilities (0-day). The following is a list of vulnerabilities ransomware groups used in their attacks during the year’s second half.

Table 13. List of Vulnerabilities Exploited in the Campaign

2.2.5. Activities in DDW & Telegram

Ransomware groups actively engage in various Deep & Dark Web (DDW) forums and Telegram channels to recruit affiliates, promote RaaS offerings, and purchase initial access from Initial Access Brokers (IABs). The following ransomware-related postings were observed in DDW forums and Telegram during the second half of 2024.

Table 14. Ransomware-Related Posts on DDW/Telegram in the Second Half of the Year

2.2.6. Duplicated Victims

This report conducted additional analysis to distinguish ransomware groups that uploaded duplicated victims. In the second half of 2024, a total of 58 duplicated victim companies were identified across 38 ransomware groups. Groups frequently upload the same victims, likely due to common Initial Access Brokers (IABs) collaborating with multiple ransomware groups. LockBit and Ransomhub were identified as groups most frequently uploading victims first, while MEOW uploaded victims multiple times subsequently.

  • Each group maintains a 1:1 relationship, where the group initially uploading duplicated victims is shown on the left, and the group uploading later is shown on the right.

Figure 31. Diagram of Ransomware Groups that Uploaded Duplicated Victim Companies
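One way to derive such first-uploader/later-uploader pairs from leak-site postings is sketched below. This is an added example, not S2W's tooling: the group names, victim names, dates, the name-normalization rule and the choice to pair the first uploader with every later uploader are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed postings (group, victim name as posted, posting date); not real data.
POSTS = [
    ("GroupA", "Example Manufacturing Inc.", date(2024, 7, 3)),
    ("GroupC", "EXAMPLE MANUFACTURING", date(2024, 8, 19)),
    ("GroupB", "Sample Logistics LLC", date(2024, 9, 2)),
    ("GroupC", "sample-logistics", date(2024, 9, 30)),
    ("GroupA", "Sample Logistics, LLC", date(2024, 10, 11)),
    ("GroupB", "Placeholder Health Ltd", date(2024, 11, 5)),
    ("GroupA", "Example Manufacturing Inc.", date(2024, 12, 1)),  # re-post, same group
]

# Assumed normalization: leak sites spell the same victim differently, so
# compare lowercase alphanumeric tokens with common legal suffixes removed.
_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "gmbh"}

def normalize(name):
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in _SUFFIXES)

def duplicate_pairs(posts):
    """Return (first_group, later_group, victim) for victims posted by 2+ groups."""
    first_seen = defaultdict(dict)  # victim -> {group: earliest posting date}
    for group, name, day in posts:
        key = normalize(name)
        if group not in first_seen[key] or day < first_seen[key][group]:
            first_seen[key][group] = day
    pairs = []
    for victim, groups in sorted(first_seen.items()):
        if len(groups) < 2:
            continue  # a re-post by the same group is not a duplicated victim
        ordered = sorted(groups, key=lambda g: groups[g])
        pairs += [(ordered[0], later, victim) for later in ordered[1:]]
    return pairs

def summarize(pairs):
    """Count how often each group posted first (per victim) and posted later."""
    first = Counter(g for g, _ in {(p[0], p[2]) for p in pairs})
    later = Counter(p[1] for p in pairs)
    return first, later

if __name__ == "__main__":
    pairs = duplicate_pairs(POSTS)
    for first_group, later_group, victim in pairs:
        print(f"{first_group} -> {later_group}: {victim}")
    print(summarize(pairs))
```

In practice the normalization step decides the result: too loose and unrelated companies merge, too strict and genuine duplicates are missed.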

2.2.7. Leaked & Exposed

Ransomware groups operating RaaS platforms prioritize their reputation to maintain ongoing relationships with affiliates and customers. However, groups frequently experience leaks or exposures that damage their reputation, including cryptographic vulnerabilities leading to leaked decryptors, exposed infrastructure, or internal data breaches. The following are cases of leaks and exposures observed in the second half of 2024:

MEOW (Exposed — Infra)

MEOW, first identified in November 2023, used a leak site favicon identical to that of Embargo’s site, suggesting a potential relationship.

In July 2024, the leak site began to be officially promoted through the XSS forum, and in the same month, RAKESH KRISHNAN, a user on X (formerly Twitter), revealed five real IP addresses of the MEOW leak site: 185.159.128[.]93, 185.228.235[.]168, 188.130.154[.]25, 45.156.27[.]90, 62.122.184[.]83

Termite (Exposed — Infra)

Termite ransomware, first identified in November 2024, exploited vulnerability CVE-2024-50623 in Cleo file transfer products (LexiCom, VLTransfer, Harmony) in December.

Dark Web Informer reported the exposure of Termite group’s infrastructure IP: 193.43.104[.]153

Fog (Exposed — Infra)

Fog is a ransomware group first identified in June 2024, known to perform initial infiltration via leaked VPN credentials.

In August 2024, X user RAKESH KRISHNAN confirmed and disclosed the real IP addresses of Fog’s infrastructure (5.230.33[.]178, 5.230.46[.]107).

LockBit (Exposed — Infra)

LockBit is a RaaS group active since 2020 and continues operations despite previous interruptions due to Operation CRONOS.

In September 2024, RAKESH KRISHNAN revealed LockBit’s infrastructure IP addresses: (5.188.88[.]239, 193.37.69[.]163). These IPs were previously used to host malware such as StealC, Mallox ransomware, AsyncRAT, and Mirai.

Qilin (Exposed — Infra)

Qilin ransomware was initially observed in October 2022. In August 2024, it temporarily ceased operations on Telegram and its leak site but resumed later, using a new leak site.

In 2024, a new version of Qilin ransomware, Qilin.B, was also identified and started using a new leak site.

In September 2024, according to the RakeshKrish blog, an FTP server belonging to the Qilin group was identified: (ftp://dataShare:nX4aJxu3rYUMiLjCMtuJYTKS@85.209.11[.]49, Host Machine: WIN-LIVFRVQFMKO). This host machine was previously associated with LockBit, BlackCat attacks, and “Bentley,” a former technical lead and system administrator of the Conti ransomware group.

Mallox (Exposed — Infra)

Mallox ransomware, also known as TargetCompany, had its web panel source code leaked in July 2024. The leaked source code contained logic to create encryptors/decryptors for affiliates.

A hardcoded IP (185.73.125[.]6) was discovered containing directories based on BuildID, including encryptors and decryptors.

SentinelLabs identified Kryptina source code, Mallox Dropper, and exploit code for CVE-2024-21338 (Windows 10/11 Privilege Escalation).

Figure 32. Files identified on Mallox affiliate server (Source: SentinelLabs)

Medusa (Exposed — Infra)

On July 27, 2024, Dark Atlas Squad disclosed operational security issues of Medusa ransomware, revealing put.io cloud storage access tokens used for data exfiltration.

Subsequently, BurpSuite was used to replace token values and gain account access, enabling the deletion of sensitive data related to victims.

Figure 33. put.io token of the Medusa attacker found on the victim’s PC (Source: Dark Atlas)

Cicada3301 (Exposed — Infra)

Cicada3301, identified in June 2024, rapidly attacked around 30 organizations, primarily targeting the US and UK.

In October 2024, Group-IB analyzed Cicada3301’s affiliate panel, revealing its key functionalities:

  • Dashboard: Affiliate login details, fingerprints, and attack statistics
  • News: Updates about Cicada3301 ransomware
  • Companies: Adding victims and ransomware build creation
  • Chat Companies: Negotiation page for victim communication
  • Chat Support: Interface for support communication with Cicada3301 operators
  • Account: Affiliate account management and password reset

Figure 34. Cicada3301 Affiliate Panel (Source: Group-IB)

ShrinkLocker (Leaked — Ransomware Decryptor)

ShrinkLocker ransomware, identified in May 2024 by Securelist, is presumed to have initiated an attack targeting a medical company in the Middle East through a contractor’s compromised system.

Approximately 70% of the ransomware’s encryption script consists of legacy code intended for older operating systems, suggesting the original code was developed for another purpose and later modified by attackers for malicious use.

In November 2024, BitDefender released a decryptor for ShrinkLocker ransomware.

Donex (Leaked — Ransomware Decryptor)

Donex is a rebranded group of DarkRace, active since March 2024.

It utilizes the ChaCha20 algorithm for file encryption and RSA-4096 algorithm for key encryption, fully encrypting files under 1MB, and partially encrypting larger files intermittently.

In July 2024, Avast released a decryptor for Donex ransomware, allowing decryption by inputting a normal and encrypted file.

Gijs Rijnders mentioned a vulnerability in Donex ransomware, noting that the Nonce value was set to 0 and the same key was used across files, enabling decryption.
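With the same key and a nonce fixed at 0, every file is XORed with the same ChaCha20 keystream, which is why one normal/encrypted file pair is enough for recovery. The following is an added example, not code from Avast's decryptor or from Donex: it models only the fully encrypted (under 1MB) case, assumes encryption starts at block counter 0, and uses constructed file contents and hypothetical function names.

```python
import os
import struct

MASK = 0xFFFFFFFF
ZERO_NONCE = bytes(12)  # the fixed nonce value described in the text

def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def _quarter(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (RFC 8439 state layout)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += [counter & MASK]
    state += struct.unpack("<3I", nonce)
    work = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter(work, 0, 4, 8, 12)
        _quarter(work, 1, 5, 9, 13)
        _quarter(work, 2, 6, 10, 14)
        _quarter(work, 3, 7, 11, 15)
        _quarter(work, 0, 5, 10, 15)
        _quarter(work, 1, 6, 11, 12)
        _quarter(work, 2, 7, 8, 13)
        _quarter(work, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & MASK for w, s in zip(work, state)])

def chacha20_xor(key, nonce, data):
    """Encrypt or decrypt data starting at block counter 0 (assumed)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, i // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], ks))
    return bytes(out)

def recover_keystream(known_plain, known_cipher):
    """Keystream = plaintext XOR ciphertext of one known file pair."""
    return bytes(p ^ c for p, c in zip(known_plain, known_cipher))

def decrypt_with_keystream(cipher, keystream):
    """Return (recovered bytes, count of trailing bytes not covered)."""
    n = min(len(cipher), len(keystream))
    return bytes(c ^ k for c, k in zip(cipher[:n], keystream)), len(cipher) - n

def demo():
    key = os.urandom(32)  # stands in for the key the defender never sees
    # Constructed sample files: the defender holds a clean copy of the first.
    known = (b"Quarterly report template, unmodified backup copy. " * 4)[:200]
    files = {
        "short.csv": (b"invoice-2024-001;customer=constructed;total=100\n" * 4)[:150],
        "long.csv": (b"payroll row, constructed sample data\n" * 10)[:300],
    }
    keystream = recover_keystream(known, chacha20_xor(key, ZERO_NONCE, known))
    results = {}
    for name, plain in files.items():
        cipher = chacha20_xor(key, ZERO_NONCE, plain)  # same key, same nonce
        recovered, missing = decrypt_with_keystream(cipher, keystream)
        results[name] = (recovered, missing, plain)
    return results

if __name__ == "__main__":
    for name, (recovered, missing, plain) in demo().items():
        print(name, recovered == plain[:len(recovered)], "unrecovered:", missing)
```

Recovery reaches only as far as the known pair is long, so the largest available clean/encrypted pair gives the widest coverage.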

DragonForce (Leaked — Internal data)

In October 2024, user @anotherxss on the XSS forum uploaded a post titled “DragonForce RW OSINT.”

The user referenced Group-IB’s DragonForce report and offered for sale internal information stolen from DragonForce’s servers, including source code and affiliate data.

Figure 35. DragonForce internal data sale post

3. Top 5 ransomware groups based on risk assessment

The S2W Threat Intelligence Center developed an internal risk assessment metric to evaluate ransomware groups based on Activity, Influence, Brand Continuity, Extensibility, and Vulnerability. This assessment focused exclusively on ransomware groups with active leak sites.

Using this metric, ransomware groups active during the second half of 2024 were evaluated. The top five ransomware groups identified as the highest risk after applying the penalty indicators were Ransomhub, BlackSuit, AKIRA, BlackBasta, and Underground. Before applying penalty indicators, LockBit, BianLian, and Qilin ranked higher, but their scores declined due to law enforcement operations like Operation CRONOS and the exposure of their infrastructure IP addresses.

Table 15. Top 5 Ransomware Groups Based on Risk Assessment (Ranking after Penalty Indicators)

Ransomhub

Ransomhub emerged in February 2024 but rapidly became the most active ransomware group in the second half of the year, claiming 442 victim companies, significantly boosting its Activity indicator. Consequently, Ransomhub retained the highest risk ranking both before and after applying penalty indicators. Compared to the first half of 2024, its metrics notably increased, reflecting intensified activity.

Figure 35. Ransomhub risk assessment graph

BlackSuit

BlackSuit ranked 7th before applying penalty indicators and moved up to 2nd afterward. Originating as a rebrand of the Royal group, it maintains a high Brand Continuity indicator, demonstrating sustained activity for over a year with ransomware versions targeting both Windows and Linux systems. However, due to the lack of recorded vulnerability exploits in the second half of 2024, its Vulnerability indicator was comparatively low.

Figure 36. BlackSuit risk assessment graph

AKIRA

AKIRA entered the Top 5 rankings in the second half of 2024. Initially ranked 2nd before penalty adjustments, AKIRA dropped to 3rd due to Avast releasing a decryptor for its ransomware. Despite minimal promotional activity on dark web forums, AKIRA’s Activity indicator rose significantly due to 144 reported victims, and its use of vulnerabilities such as CVE-2024-40711 and CVE-2024-37085 significantly increased its Vulnerability indicator.

Figure 37. AKIRA risk assessment graph

BlackBasta

BlackBasta, initially ranked 10th before penalty adjustments, climbed to 4th afterward as it incurred no penalties. However, its overall activity sharply declined compared to the first half of 2024, dropping its ranking from 1st to 4th. Despite the decreased activity, BlackBasta actively pursued vulnerabilities, openly indicating interest in purchasing 0-day exploits and exploiting CVE-2024-37085. Its high Brand Continuity indicator results from consistent updates like BlackBasta 2.0. However, due to internal chat leaks similar to the Conti ransomware case in February 2025, BlackBasta’s risk level is expected to significantly decrease in the first half of 2025.

Figure 38. BlackBasta risk assessment graph

Underground

Underground newly appeared in the Top 5 during the second half of 2024, rising from 11th place before penalty adjustments to 5th afterward. Despite limited activity overall, ESET’s disclosure that its affiliate RomCom exploited Mozilla’s 0-day vulnerability (CVE-2024-9680) and a Windows privilege escalation vulnerability (CVE-2024-49039) greatly elevated its Vulnerability indicator.

Figure 39. Underground risk assessment graph

Conclusion

  • In the second half of 2024, ransomware activity increased by approximately 500 incidents compared to the same period last year, driven by several key factors:
    - Enhanced monitoring by law enforcement agencies has led to a decrease in ransomware incidents targeting large enterprises, but attacks on small enterprises rose by approximately 38.3% compared to the second half of 2023.
    - A report by blockchain analysis firm Chainalysis indicated a 35% decrease in total ransomware payments year-over-year, reflecting that victims increasingly refuse to pay ransoms, coupled with the trend of lower ransom demands due to more frequent attacks on smaller businesses.
    - Compared to the second half of 2023, all sectors experienced increased attacks, indicating a broad and indiscriminate targeting across various industries.
  • Two South American countries saw significant increases in ransomware attacks during the second half of 2024.
    - South American countries have rapidly accelerated digitalization post-pandemic but lag significantly in cybersecurity capabilities, making them attractive targets for ransomware groups.
    - The United Kingdom experienced the most significant decrease in ransomware incidents, with four out of the top 10 most-affected countries also appearing in the top 10 countries showing the greatest decline in incidents.
  • Mentions of the keywords ‘Ransomware’ and ‘Affiliate’ on Telegram sharply decreased after September 2024.
    - This decrease is attributed to Telegram CEO Pavel Durov’s arrest by French law enforcement and subsequent tightening of privacy regulations.
    - Conversely, keyword mentions slightly increased within Deep & Dark Web forums during the same period.
  • Ransomware groups continued to undergo rebranding efforts to evade law enforcement and facilitate marketing. Notable examples from the second half of 2024 include the rebranding of Mad Liberator to Metatron and potential rebrandings involving BASHE-APT73 and HellCat-Pryxed.
  • Analysis of major ransomware campaigns in the second half of 2024 revealed that ransomware groups and affiliates actively exploited 0-day vulnerabilities, notably Clop, which exploited vulnerabilities in Cleo products, affecting over 60 companies in December alone.
  • Using S2W’s internal risk assessment metrics, the top five ransomware groups identified as the highest risk in the first half of 2024 were Ransomhub, Qilin, BlackSuit, Cicada3301, and AKIRA.
    - Ransomhub, having emerged in early 2024, consistently ranked among the top five and reached the highest risk score in the second half, marking it as the most influential ransomware group of the year.
    - Cicada3301 and AKIRA newly entered the top five rankings in the second half of 2024, highlighting the necessity for close monitoring of these groups’ future activities.
