Last Year in Ransomware: Major Developments, Targeted Industries, Linux Variants

Industry
Written by
Halcyon Team
Published on
Mar 25, 2025

In the first installment of the Last Year in Ransomware series, we examined key developments across industries and the evolution of attack methodologies. Building on our previous analysis on trends and statistics, this installment explores sector-specific impacts, emerging Linux-based threats, and coordinated response efforts.

Throughout the past year, threat actors have intensified their focus on critical infrastructure, particularly affecting healthcare, manufacturing, and construction sectors. In response, government agencies and private organizations implemented strategic countermeasures, successfully neutralizing major threats including LockBit and BlackCat/ALPHV.  

Despite these victories, a new player called RansomHub quickly stepped in, becoming the most prolific threat group by the end of 2024.

Another significant development has been the increase in Linux-focused variants. Organizations' reliance on Linux is evident, with over 95% of Fortune 500 companies using Linux systems for cloud computing, virtual machines, and on-prem data centers.  

These platforms have become strategic targets. This shift has revealed security gaps, prompting organizations to enhance their defensive measures while ransomware groups continue refining their techniques for maximum impact and evasion.

Targeted Industries

Ransomware attacks remained a significant threat across sectors in 2024, with five industries bearing the brunt of these attacks. These key sectors accounted for 52.9% of all reported incidents:

  • Manufacturing: 727 attacks
  • Business services: 380 attacks
  • Construction: 354 attacks
  • Healthcare services: 330 attacks
  • Retail: 189 attacks

Here's a detailed look at how some critical sectors were affected:

Healthcare Challenges

The healthcare industry faced its most challenging year yet with a record-high 67% attack rate. Third-party analysis has revealed 181 confirmed ransomware attacks that exposed 25.6 million healthcare records. The financial impact was severe.  

Average ransom demands were $5.7 million but actual payments averaged $900,000. In response to these escalating threats, the Department of Health and Human Services' Office for Civil Rights (OCR) has proposed updates to the HIPAA Security Rule.  

These new requirements would mandate stronger cybersecurity measures, including comprehensive technology asset management, enhanced risk analysis protocols, contingency planning, quick data recovery capabilities, regular security testing, and implementation of multi-factor authentication and encryption.

Education Sector Shows Promise

The education sector showed encouraging progress, with ransomware incidents declining from 188 attacks in 2023 to 116 in 2024, though these attacks still compromised 1.8 million records.  

Meanwhile, the FCC launched a $200 million pilot program in October 2024 to strengthen cybersecurity in schools and libraries. The program's two-step application process provides targeted support while collecting valuable data on existing security practices.

Government Sector's Rising Costs

State and local governments saw a significant drop in attack rates. Compared to 2023, attacks decreased by 51%, affecting 34% of organizations.  

However, the financial toll grew more severe as recovery costs increased to an average of $2.8 million this year. Most concerning was that when threat actors struck, they achieved the highest data encryption success rate of any sector.

Major Shifts in the Ransomware Landscape

Law enforcement agencies intensified their coordinated efforts against ransomware networks. Through strategic operations and unprecedented collaboration, authorities achieved significant victories against some of the most notorious threat actors.  

While these actions demonstrated law enforcement's growing capabilities, the ransomware landscape proved remarkably resilient, with operators continuing to innovate and adapt. One of the first major breakthroughs of 2024 came in the fight against BlackCat/ALPHV, marking the beginning of a year that would see multiple high-profile takedowns.

BlackCat/ALPHV Takedown

The U.S. Department of Justice (DOJ) launched a disruption campaign against BlackCat/ALPHV, a ransomware group that had targeted over 1,000 victims worldwide. Their attacks on U.S. critical infrastructure had caused extensive damage.

As the world's second most prolific ransomware-as-a-service (RaaS) operation at the time, BlackCat/ALPHV had generated hundreds of millions in ransom payments. The FBI responded by developing a decryption tool that helped 500 victims restore their systems, preventing an estimated $68 million in ransom payments.

The DOJ's campaign represented a significant step in their broader fight against cybercrime. After gaining access to the BlackCat/ALPHV network, the FBI seized several of the group's websites. The DOJ emphasized that this disruption was just the first phase in their plan to dismantle the BlackCat/ALPHV ransomware ecosystem.

The BlackCat/ALPHV RaaS model operated through developers who created and maintained the ransomware, while affiliates conducted the attacks. The DOJ urged BlackCat victims to contact their local FBI field office for assistance. The FBI also published detailed information about the malware, including indicators of compromise and mitigation recommendations, on its website.

BlackCat/ALPHV suffered a major blow when its servers and negotiation sites were dismantled. During this disruption, an affiliate of the group known as “notchy” accused the ransomware gang of stealing $22 million in ransom payments from a major healthcare revenue management provider.

This affiliate claimed to possess 4TB of sensitive data from various insurance firms and service providers. A cryptocurrency wallet linked to notchy contained evidence of a substantial bitcoin payment, lending credibility to these claims.

Building on this momentum, law enforcement agencies turned their attention to an even bigger target which had long been considered the most sophisticated ransomware operation in history.

LockBit Takedown

At the start of 2024, LockBit was considered one of the most feared groups, operating with corporate-like efficiency. The group provided ransomware tools to other criminals through a Ransomware-as-a-Service (RaaS) model, where "affiliates" used the LockBit platform to launch attacks and split profits with the core team.

The group demonstrated its operational sophistication through continuous refinement of tools and tactics. The LockBit 3.0 variant, released in June 2022, showcased advanced anti-analysis capabilities, targeted both Windows and Linux systems, and used a modular design for flexible execution.

The malware employed the Salsa20 encryption algorithm and gained initial access through Remote Desktop Protocol (RDP), then spread across networks using Group Policy Objects and PsExec via the SMB protocol.
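The RDP-then-PsExec-over-SMB pattern described above leaves a recognizable trail on the target host: a network logon (Security event 4624, logon type 3) followed within seconds by a service installation (System event 7045), which by default is named PSEXESVC. The following detection, added here as an illustration and not code from Halcyon or from the original post, correlates those two records over a constructed set of event dictionaries (the hosts, users and addresses are made up) and also flags renamed clones by timing alone; the field names are assumed to match whatever a SIEM forwards, not a particular product's schema.

```python
"""Flag PsExec-style remote service installs in constructed Windows event records."""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): the subset of Security 4624
# (logon) and System 7045 (service installed) fields a SIEM typically forwards.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00", "host": "FS01", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.0.5.23"},
    {"ts": "2024-03-01T10:00:04", "host": "FS01", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-03-01T11:30:00", "host": "WS17", "event_id": 7045,
     "service_name": "EdrSensor", "image_path": "C:\\Program Files\\Edr\\sensor.exe"},
    {"ts": "2024-03-01T12:00:00", "host": "DC01", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\jdoe", "src_ip": "10.0.9.8"},
    {"ts": "2024-03-01T12:00:02", "host": "DC01", "event_id": 7045,
     "service_name": "updsvc", "image_path": "C:\\Windows\\updsvc.exe"},
    {"ts": "2024-03-01T13:00:00", "host": "WS22", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\jdoe", "src_ip": "10.0.9.8"},
    {"ts": "2024-03-01T13:30:00", "host": "WS22", "event_id": 7045,
     "service_name": "PrintSpoolerHelper", "image_path": "C:\\Windows\\System32\\psh.exe"},
]


def _parse_ts(value):
    return datetime.fromisoformat(value)


def detect_remote_service_installs(events, window_s=60):
    """Return findings for service installs (7045) that look like PsExec activity.

    Rule 1: the default PsExec service name or image (PSEXESVC) anywhere.
    Rule 2: any 7045 on a host within window_s seconds of a network logon
            (4624, logon type 3) to that host; this also catches renamed copies.
    """
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    last_net_logon = {}  # host -> most recent type-3 logon seen so far
    findings = []
    for ev in ordered:
        if ev["event_id"] == 4624 and ev.get("logon_type") == 3:
            last_net_logon[ev["host"]] = ev
            continue
        if ev["event_id"] != 7045:
            continue
        name = ev.get("service_name", "")
        image = ev.get("image_path", "")
        prior = last_net_logon.get(ev["host"])
        within = (prior is not None and
                  _parse_ts(ev["ts"]) - _parse_ts(prior["ts"]) <= timedelta(seconds=window_s))
        if "PSEXESVC" in name.upper() or "PSEXESVC" in image.upper():
            reason = "psexec_default_name"
        elif within:
            reason = "service_install_after_network_logon"
        else:
            continue  # ordinary service install with no remote-logon context
        findings.append({
            "host": ev["host"],
            "service_name": name,
            "reason": reason,
            # Attribute the install to the remote session only when one precedes it
            "src_ip": prior["src_ip"] if within else None,
            "user": prior["user"] if within else None,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_remote_service_installs(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the FS01 install is flagged by name and the DC01 install by timing, while the WS17 sensor install (no preceding network logon) and the WS22 install (half an hour after the logon) are left alone at the default 60-second window. Tune the window to the environment; legitimate software deployment tools also install services shortly after a network logon, so the finding is a lead for triage rather than a verdict on its own.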

LockBit primarily targeted large enterprises, especially in healthcare, financial services, and government sectors. Their ransom demands were among the highest recorded, reaching up to $70 million, with their operations generating hundreds of millions in illicit profits. Their strategy was ruthless.

The group's well-structured affiliate program, offering up to 75% of ransom payments, made it highly attractive to cybercriminals. However, sustained law enforcement pressure eventually weakened their affiliate network, limiting their ability to conduct large-scale attacks.

In an unprecedented move against this cybercriminal gang, law enforcement agencies launched a comprehensive operation to dismantle LockBit's criminal enterprise. Operation Cronos marked a pivotal moment in the fight against ransomware, targeting the group's core infrastructure and tools. Through careful planning and international cooperation, authorities delivered a decisive blow to LockBit operations, demonstrating the effectiveness of coordinated action against cybercrime.

In a landmark operation, the National Crime Agency (NCA) took down LockBit, considered the world's most dangerous ransomware organization. Through Operation Cronos, authorities successfully infiltrated LockBit's core systems and gained full control of their operations.

The operation's success provided the agency with full access to LockBit infrastructure including their attack platform and dark web leak site. Investigators obtained the group's source code and gathered critical intelligence about their operations and affiliate network.

The NCA then transformed the LockBit leak site into a public information hub, revealing the group's capabilities and providing victim support. The site was permanently shut down within a week. With over 1,000 decryption keys now in their possession, the agency offered to help victims recover their encrypted data.

LockBit 4.0

In a December 2024 announcement, LockBit promised version 4.0 by February 3, 2025, and some samples have since been seen in the wild. Given the group's history of sophisticated tactics, successful affiliate programs, and devastating attacks, the return of LockBit could pose a significant challenge to global cybersecurity efforts.

Key Victories:

  • Complete System Control: The NCA's infiltration gave them command over LockBit's entire network and dark web presence, turning the group's own platform against them.
  • Critical Intelligence Gathered: Investigators captured LockBit's source code and detailed operational data, providing crucial evidence for ongoing investigations.
  • Dismantling the Infrastructure: Working with international partners, the NCA seized Stealbit (LockBit's custom data theft tool) and took down 28 affiliate servers across three countries.
  • Major Arrests: Europol coordinated the capture of two operators in Poland and Ukraine, froze more than 200 cryptocurrency accounts, and the US Department of Justice charged multiple individuals including two Russian nationals for their involvement.
  • Victim Recovery Support: The NCA, FBI, and Europol actively helped victims recover, with specialized support for UK-based organizations.

Operation Cronos struck a decisive blow against the LockBit network. By exposing their identities and shutting down their operations, law enforcement gained the upper hand. With access to decryption keys, authorities helped victims recover their data, demonstrating the effectiveness of international cooperation in fighting cybercrime.

While the NCA and its partners remain alert for any signs of LockBit trying to rebuild, this success proved that even the most advanced cyber threats can be defeated through global collaboration.

However, as the cybersecurity community celebrated these victories, a new threat was already emerging from the shadows of these takedowns.

The Emergence of RansomHub

After the downfall of these two major global ransomware threats, RansomHub quickly stepped in to fill the power vacuum. This Ransomware-as-a-Service (RaaS) group emerged in February 2024 and rapidly gained prominence through its aggressive and flexible affiliate program. RansomHub's strategy focused on maximizing profits through double extortion by encrypting victims' data while simultaneously stealing sensitive information to strengthen their ransom demands.

Through cybercrime forums like RAMP, RansomHub built a powerful network by recruiting former affiliates from the defunct Knight ransomware group and BlackCat/ALPHV operators. This assembly of experienced threat actors strengthened their capabilities.

As other high-profile groups like BlackCat/ALPHV and LockBit faced disruption from law enforcement, RansomHub seized the opportunity to expand. By July, they had become increasingly active, targeting high-value organizations and regularly posting new victims on their dark web leak sites. The rapid rise of RansomHub made them the top threat in 2024.

In August 2024, a joint cybersecurity advisory from the FBI, CISA, MS-ISAC, and HHS detailed RansomHub's operations. The group had executed at least 210 attacks across healthcare, government services, and financial sectors, stealing data and threatening its publication unless ransoms were paid.

The advisory outlined RansomHub's operational methods. The group gained initial access through exploiting known vulnerabilities, launching phishing campaigns, and conducting password spraying attacks.

After successfully infiltrating networks, they employed tools like AngryIPScanner, Nmap, and PowerShell to map network structures, establish persistent access through unauthorized accounts, and harvest sensitive credentials.
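Of the three initial-access techniques the advisory lists, password spraying is the one that shows up most cleanly in authentication logs: one source tries a few passwords against many accounts, which looks nothing like a single-account brute force. The script below is an added example, not part of the advisory or of Halcyon's tooling; it runs over a constructed sshd auth.log excerpt (hosts, users and RFC 5737 addresses are made up) and separates spraying from brute forcing, reporting any account that later authenticated successfully from a spraying source since that is the alert worth paging on.

```python
"""Separate password spraying from brute forcing in sshd auth.log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt in sshd's format; everything in it is made up.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 bastion sshd[2231]: Failed password for alice from 203.0.113.7 port 51234 ssh2
Mar  1 10:00:03 bastion sshd[2233]: Failed password for invalid user bob from 203.0.113.7 port 51240 ssh2
Mar  1 10:00:05 bastion sshd[2235]: Failed password for carol from 203.0.113.7 port 51244 ssh2
Mar  1 10:00:07 bastion sshd[2237]: Failed password for dave from 203.0.113.7 port 51250 ssh2
Mar  1 10:00:09 bastion sshd[2239]: Failed password for erin from 203.0.113.7 port 51255 ssh2
Mar  1 10:00:11 bastion sshd[2241]: Failed password for frank from 203.0.113.7 port 51260 ssh2
Mar  1 10:00:13 bastion sshd[2243]: Accepted password for frank from 203.0.113.7 port 51262 ssh2
Mar  1 10:02:00 bastion sshd[2250]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  1 10:02:01 bastion sshd[2251]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar  1 10:02:02 bastion sshd[2252]: Failed password for root from 198.51.100.9 port 40003 ssh2
Mar  1 10:02:03 bastion sshd[2253]: Failed password for root from 198.51.100.9 port 40004 ssh2
Mar  1 10:02:04 bastion sshd[2254]: Failed password for root from 198.51.100.9 port 40005 ssh2
Mar  1 10:02:05 bastion sshd[2255]: Failed password for root from 198.51.100.9 port 40006 ssh2
Mar  1 10:02:06 bastion sshd[2256]: Failed password for root from 198.51.100.9 port 40007 ssh2
Mar  1 10:02:07 bastion sshd[2257]: Failed password for root from 198.51.100.9 port 40008 ssh2
Mar  1 10:05:00 bastion sshd[2270]: Failed password for alice from 192.0.2.5 port 60000 ssh2
Mar  1 10:05:30 bastion sshd[2270]: Connection closed by authenticating user alice 192.0.2.5 port 60000 [preauth]
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\S+) port \d+"
)


def parse_auth_log(log_text):
    """Yield one record per password-auth line; other sshd lines are ignored."""
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog omits the year
        yield {"ts": ts, "result": m["result"], "user": m["user"], "src_ip": m["src_ip"]}


def detect_password_spray(log_text, min_users=5, max_per_user=2, window_min=10):
    """Per source: many distinct usernames, few attempts each, inside one window.

    Returns {src_ip: {"users": [...], "succeeded": [...]}} for matching sources,
    where "succeeded" lists accounts that logged in from that source after the
    spray started.
    """
    fails = defaultdict(lambda: defaultdict(list))  # ip -> user -> [timestamps]
    accepted = defaultdict(list)                      # ip -> [(timestamp, user)]
    for rec in parse_auth_log(log_text):
        if rec["result"] == "Failed":
            fails[rec["src_ip"]][rec["user"]].append(rec["ts"])
        else:
            accepted[rec["src_ip"]].append((rec["ts"], rec["user"]))
    findings = {}
    for ip, per_user in fails.items():
        if len(per_user) < min_users or any(len(t) > max_per_user for t in per_user.values()):
            continue  # too few accounts, or too many tries on one account: not a spray
        stamps = sorted(t for ts_list in per_user.values() for t in ts_list)
        if stamps[-1] - stamps[0] > timedelta(minutes=window_min):
            continue
        succeeded = sorted({u for ts, u in accepted.get(ip, []) if ts >= stamps[0]})
        findings[ip] = {"users": sorted(per_user), "succeeded": succeeded}
    return findings


def detect_brute_force(log_text, min_attempts=5):
    """Per source and account: repeated failures against the same username."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in parse_auth_log(log_text):
        if rec["result"] == "Failed":
            counts[rec["src_ip"]][rec["user"]] += 1
    return {ip: {u: n for u, n in users.items() if n >= min_attempts}
            for ip, users in counts.items()
            if any(n >= min_attempts for n in users.values())}


if __name__ == "__main__":
    print("spray:", detect_password_spray(SAMPLE_AUTH_LOG))
    print("brute force:", detect_brute_force(SAMPLE_AUTH_LOG))
```

On the sample, 203.0.113.7 is reported as a spray across six accounts with frank's subsequent successful login attached, 198.51.100.9 is reported as a brute force against root, and the single failure from 192.0.2.5 is ignored. Windows 4625/4624 events carry the same information (TargetUserName, IpAddress, LogonType) and fit the same two functions once parsed into the same record shape.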

To help organizations defend themselves, the advisory provided Indicators of Compromise (IoCs) and recommended security measures. Even as law enforcement celebrated their victories against established threats, the cybersecurity landscape continued to evolve, highlighting the persistent nature of ransomware threats.

The Emergence of Linux Ransomware Variants

The landscape of Linux-targeted ransomware evolved dramatically throughout 2024. The year began with Play ransomware releasing a sophisticated Linux variant targeting VMware ESXi virtual machines. The threat featured a unique verification system for ESXi environments, making it particularly elusive on standard Linux systems.

As summer turned to fall, the Mallox ransomware group intensified the threat landscape by expanding from Windows to Linux and VMware ESXi environments with their "Mallox Linux 1.0" variant. Based on leaked Kryptina ransomware code, this new strain maintained similar encryption routines with minor modifications.  

Mallox's expansion revealed how Linux systems frequently lacked adequate security measures despite powering critical infrastructure including web servers, embedded devices, government networks, financial systems, and the internet backbone.

Linux environments proved increasingly vulnerable as attackers exploited weak SSH configurations, exposed ports, outdated software, and system misconfigurations. These weaknesses enabled attackers to establish persistence, move laterally within networks, and steal sensitive data.  

Linux's open-source architecture allowed attackers to customize their approaches, while these systems' constant availability made them perfect targets for network infiltration.
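The "weak SSH configurations" mentioned above are usually a handful of sshd_config directives left at permissive values. The audit below is an added example, not Halcyon code and not tied to any of the ransomware families discussed; it applies OpenSSH's own parsing rules (first occurrence of a directive wins, keywords are case-insensitive, settings inside a Match block are conditional) to two constructed configurations, one weak and one hardened, and reports each directive that departs from the hardened baseline. The baseline thresholds (MaxAuthTries of at most 4, an AllowUsers or AllowGroups allow-list) are this example's choices, not an OpenSSH requirement.

```python
"""Audit the effective global settings of an sshd_config for weak values."""

# Constructed weak configuration: root login on, password auth left at its
# default, empty passwords allowed, and a duplicated directive that sshd ignores.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
# PasswordAuthentication no   (commented out, so the default of yes applies)
MaxAuthTries 10
PermitEmptyPasswords yes
# second occurrence: sshd keeps the first value, so this line has no effect
PermitRootLogin no
"""

# Constructed hardened configuration for the same host.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
AllowGroups sshusers
Match User backup
    PasswordAuthentication yes
"""

# OpenSSH defaults for the directives we check (current releases).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return the effective global directives as {lowercase_key: value}.

    Mirrors sshd: blank and '#' lines are skipped, the first occurrence of a
    keyword wins, 'Key value' and 'Key=value' forms are both accepted, and
    parsing stops at the first Match block because its settings are conditional.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)
    # ChallengeResponseAuthentication is the legacy alias of KbdInteractiveAuthentication
    if "challengeresponseauthentication" in effective:
        effective.setdefault("kbdinteractiveauthentication",
                             effective["challengeresponseauthentication"])
    return effective


def audit_sshd_config(text):
    """Return a list of (directive, message) findings; an empty list means clean."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"].lower() != "no":
        findings.append(("PermitRootLogin", f"is '{cfg['permitrootlogin']}'; set to no"))
    if cfg["passwordauthentication"].lower() != "no":
        findings.append(("PasswordAuthentication", "is enabled; use keys and set to no"))
    if cfg["kbdinteractiveauthentication"].lower() != "no":
        findings.append(("KbdInteractiveAuthentication",
                         "is enabled; PAM can still accept passwords through it"))
    if cfg["permitemptypasswords"].lower() != "no":
        findings.append(("PermitEmptyPasswords", "is enabled; set to no"))
    if int(cfg["maxauthtries"]) > 4:
        findings.append(("MaxAuthTries", f"is {cfg['maxauthtries']}; lower it to 4 or fewer"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("AllowUsers/AllowGroups", "no allow-list; restrict who may log in"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, audit_sshd_config(conf) or "no findings")
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; note that it reads only the global section, so directives set for specific users or addresses in Match blocks, or pulled in through Include, still need a manual look (`sshd -T` prints the fully resolved configuration and is the authoritative check).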

By November 2024, the Helldown Linux variant emerged as another significant threat. Halcyon first documented this "aggressive ransomware group" in mid-August. Unlike its Windows version which was derived from LockBit 3.0 and shared traits with DarkRace and DoNex, the Linux variant was notably simpler. It lacked obfuscation and anti-debugging mechanisms.  

It focused on file encryption and VM termination, though some functionality remained dormant, raising questions about its development stage. The absence of network communication and public keys created additional uncertainty about its decryption process.

Threat actors now launch sophisticated attacks across Windows and Linux environments alike, compelling security teams to broaden their defensive strategies. Organizations must now implement equally strong protections across their entire infrastructure to counter this coordinated, multi-platform approach to ransomware.

Key Takeaways

The events of 2024 paint a stark picture of ransomware's cyclical nature. As one threat falls, another rises to take its place. While the takedown of LockBit marked a significant victory, it quickly led to RansomHub's ascension.  

This pattern proves that fighting ransomware requires constant vigilance and adaptation. At the same time, the proliferation of Linux-targeted attacks has expanded the battlefield, forcing organizations to rethink their security paradigms across all platforms.

Perhaps the most valuable lesson from this year shows that success against threat actors demands both technological advancement and human collaboration. Operation Cronos demonstrated how international cooperation can dismantle even the most sophisticated threat operations.

The ransomware landscape is far from static. It presents an ever-evolving challenge that requires continuous learning and adaptation. Through sophisticated law enforcement operations or innovative security solutions, the cybersecurity community continues to rise, meeting these challenges head-on.

Continue following our Last Year in Ransomware series as we explore the impact of ransomware attacks and examine how organizations are strengthening their defenses against these evolving threats.
