Top 10 most active ransomware groups in 2024

Last year was expected to be a watershed moment for the ransomware ecosystem, with the removal of ALPHV/BlackCat in late 2023 and the disruption of the LockBit syndicate in early 2024.

While these law enforcement takedowns had a negative impact on ransomware activity for a while, the ransomware-as-a-service (RaaS) landscape has shown resilience.

Shortly after some of the biggest law enforcement busts, the activity of other established ransomware brands like Play and Akira seemed to pick up, likely due to affiliates moving out of exposed groups over time. what new groups appeared.

Ransomware activity peaked in November, with Corvus Insurance analysts claiming the month the highest number of victims claimed by ransomware in history. Other sources, such as the ransomware tracking site Ransomware.live, believe that no monthly ransomware claims in 2024 exceeded the 907 claimed in July 2023.

The best ransomware gangs of 2024

Infosecurity selected the 10 most active ransomware groups of the past year, collecting data from several sources, including Ransomware.live, RansomLook, Corvus Insurance and Recorded Future, among others.

RansomHub: Move fast and crack stuff

Other names: N/A
Released in: February 2024
Claimed victims in 2024: 593
Total claimed victims: 593

On February 2, 2024, a user named “koley” announced a new ransomware affiliate program under the name RansomHub on the Russian-language hacking forum RAMP. The split of each steal would be 90% of the value for the affiliate and 10% for the developer.

According to “koley”, the RansomHub ransomware is designed to be versatile to compromise a wide range of platforms, including Windows, Linux and ESXi, as well as architectures such as ARM and MIPS.

In June, it was reported that the operators of the Scattered Spider group, responsible for a number of high-profile ransomware incidents affecting large organizations over the past year, including MGM International, Caesars Entertainment and Okta, left ALPHV/BlackCat disturbed join RansomHub.

Affiliates of RansomHub has passed LockBit as the most prolific RaaS brand in October and largely contributed to an increase in ransomware claims in November, with 98 claims in the same month alone, according to Corvus Insurance.

Play: Going Hard on Exploits

Other names: PlayCrypt
Released in: June 2022
Claimed victims in 2024: 362
Total claimed victims: 716

Play Ransomware emerged in 2022 with attacks targeting entities in Latin America, but the group has since targeted organizations in a wide range of countries.

The group’s preferred mechanism for initially compromising its targets is through exploits, focusing on exploiting supply chain vulnerabilities in common or security software used by many organizations, such as Fortinet, Citrix and VMWare’s ESXi.

A July 2024 report by Trend Micro revealed a link between Play and Prolific Puma, a group known for generating domains using random algorithms and offering link shortening services to cybercriminals to avoid detection.

Akira: The True Heirs Conti

Other names: N/A
Released in: March 2023
Claimed victims in 2024: 291
Total claimed victims: 454

In February 2023, the Conti ransomware group disbanded following internal conflicts between pro-Russian and Ukrainian members. Quickly, several affiliates migrated to other groups such as Royal, BlackBasta and others.

Akira is one of those groups, and probably one that has more ties to Conti’s infrastructure than any other group. According to cybersecurity provider Qualys, Akira has code overlaps with Conti and operators who commingled funds with wallet addresses affiliated with Conti. After LockBit’s downfall, threat intelligence firm RedSense identified Zeon as a former Conti affiliate group that outsourced its skills to LockBit and Akira.

Akira affiliates also work with other ransomware operations such as Snatch and BlackByte. In November 2024, Akira ramped up its operations, with 73 victims claimed in that month alone, according to data from Corvus Insurance.

Hunters International: Building on the Death of the Hive

Other names: Hunters
Released: Late 2023
Claimed victims in 2024: 227
Total claimed victims: 252

In mid-October 2023, a few days before the Hive ransomware group was taken down, the source code of the group’s infrastructure was sold, along with its website and older versions of the source code.

Hunters International claimed to have bought the package and patched the vulnerabilities that were responsible for preventing file decryption in some cases. The group also said it would prioritize data theft over file encryption.

Medusa: All PR is good PR

Other names: N/A
Released: End of 2022
Claimed victims in 2024: 212
Total claimed victims: 357

While Medusa can be seen as another RaaS group using traditional data extortion tactics, its online presence stands out.

Medusa’s online presence is an unusual mix of dark and clear web activities. In particular, the Medusa operators run a clear web identity, “OSINT without Borders”, along with profiles related to “Robert” under various surnames, on a dedicated website and on social media platforms such as X and Facebook.

Although Medusa tries to present these entities as separate, numerous connections suggest otherwise.

Cybersecurity firm Bitdefender explained: “Medusa’s official data leak site links to a Telegram channel that shares the same logo as ‘OSINT Without Borders,’ and the site’s owner frequently refers to Medusa in ways that imply a close affiliation.”

Qilin: Password hungry

Other names: Agenda
Appeared in: July 2022
Claimed victims in 2024: 179
Total claimed victims: 230

Qilin has been active since at least July 2022 and is also known as Agenda.

In August 2024, the Sophos X-Ops team observed that the group was mass stealing credentials stored in Google Chrome browsers on a subset of network endpoints – a credential harvesting technique with potential implications far beyond the initial victim’s organization.

This is an unusual tactic and one that could be a bonus multiplier for the chaos already inherent in ransomware situations, Sophos said.

BlackBasta: Another Conti Descendent

Other names: N/A
Released in: April 2022
Claimed victims in 2024: 176
Total claimed victims: 507

BlackBasta’s core members are believed to be from the now-defunct Conti threat group, given the similarities between their malware development techniques, leak sites and methods of negotiation, payment and data recovery.

In addition, BlackBasta was associated with the FIN7 threat group due to the similarity of their custom detection and response (EDR) evasion modules and the shared use of IP addresses for command and control (C2) operations.

BlackBasta was the second most active ransomware group after LockBit in the first quarter of 2024according to ReliaQuest data.

BianLian: Extortion without encryption

Other names: N/A
Released in: December 2021
Claimed victims in 2024: 166
Total claimed victims: 518

Active since late 2021, BianLian mainly targets healthcare and manufacturing entities in Europe and North America.

In a notable change, BianLian recently switched from a dual extortion scheme to one of extortion without encryption.

Instead of encrypting victims’ assets before stealing the data and threatening to publish it if they don’t pay the ransom, the group now goes straight to data theft to motivate victims to pay.

Redemption INC: No limits

Other names: INC, Inc. Ransom, Lynx
Released in: July 2023
Claimed victims in 2024: 162
Total claimed victims: 208

INC Ransom positions itself as providing a service to its victims, claiming that it makes the victim’s environment “safer” as a result of its attacks.

However, the group appears to have no limits on the entities it targets, with some of its most recently claimed victims including a children’s hospital near Liverpoolin Great Britain.

Notably, the user interface of INC’s data leak site looks similar to LockBit’s.

Palo Alto Networks researchers believe that Lynx, a new ransomware group that emerged in October 2024, is a rebrand of INC Ransom.

BlackSuit: A Royal Rebrand

Other names: Royal
Appeared in: April/May 2023
Claimed victims in 2024: 156
Total claimed victims: 175

First detected in early 2023, BlackSuit it is believed to be a rebrand of Royal Ransomware, one of the most active ransomware groups in 2022.

The US Cyber Security and Infrastructure Security Agency (CISA) reported that one of the Royal/BlackSuitHis signature tactic was to use legitimate software and open-source tools during ransomware operations.

Bonus – LockBit 3.0: The One That Got Away

Other names: LockBit Black (for this version)
Released in: March 2022 (for this version)
Claimed victims in 2024: 534
Total claimed victims: 1973

Despite being heavily disrupted in February 2024 following Operation Cronosa global law enforcement operation led by the UK’s National Crime Agency (NCA) and the FBI, LockBit remained the most active ransomware group as of May 2024according to NCC Group.

The reason for this may come from a quick response from LockBit administrators. However, it is most likely because LockBit 3.0 was leaked in the fall of 2022 by the group’s disgruntled developer. This has led many cybercriminals to have no formal relationship with LockBit use LockBit 3.0 to compromise their victims.

Conclusion

As we close the chapter on 2024, it’s clear that the ransomware landscape remains as dynamic and unpredictable as ever. The decline of once-dominant groups such as ALPHV/BlackCat and LockBit has not diminished the overall threat, as new and existing players continue to adapt and evolve. The resilience of the ransomware-as-a-service model ensures that even significant law enforcement actions provide only temporary relief.

Looking ahead to 2025, the cybersecurity community must remain vigilant. The emergence of new groups like RansomHub and shifting alliances within the ransomware ecosystem suggest that the fight against these cyber threats is far from over. Continued innovation in defense strategies and international cooperation will be crucial in mitigating the impact of ransomware in the coming year.