Last Year in Ransomware: Top Ransomware Groups and Emerging Threat Actors


In the first installment of the Last Year in Ransomware series, we examined key developments across industries and the evolution of attack methodologies, and the second in the series covered major developments, targeted industries, and the emergence of Linux variants.
This round we look at how the ransomware landscape experienced unprecedented evolution in 2024, characterized by aggressive new players, innovative attack strategies, and persistent threats across sectors. Below, we dive into the dominant groups that reshaped cybersecurity, their sophisticated methods, and the far-reaching implications for global digital safety.
Threat actors have demonstrated remarkable innovation and precisely targeted critical infrastructure with devastating effect. While established groups refined their tactics to maximize impact, newcomers emerged with disruptive approaches that challenged traditional defense mechanisms, as exemplified by RansomHub's rapid rise alongside established threats like Play, Akira, and BlackBasta.
This investigation reveals their advanced tactics, including double extortion schemes, state-of-the-art encryption methods, and strategic targeting of vulnerable sectors such as healthcare and government services.
Top Ransomware Groups of 2024
2024 has been a watershed year for ransomware, marked by rapid evolution in attack methods and unprecedented levels of sophistication, as outlined in the Power Rankings: Ransomware Malicious Quartile report.
Major ransomware groups have elevated their operations through innovative tactics and strategic targeting, presenting new challenges for global cybersecurity. Understanding these significant developments is crucial for organizations to strengthen their defenses against an increasingly complex threat landscape.
RansomHub
Since its launch, RansomHub has rapidly emerged as one of the most active ransomware groups, becoming the most prolific among tracked RaaS groups in Q4 2024. The group has issued substantial ransom demands, with organizations facing demands up to $22 million. Their initial focus on the healthcare sector demonstrates strategic targeting, exploiting the high value and sensitive nature of medical data.
RansomHub, a RaaS platform that emerged in early 2024, has swiftly garnered attention for its high-impact attacks and advanced ransomware deployment techniques. Initially suspected of having connections to LockBit due to similarities in operational style, closer examination reveals that its code bears a strong resemblance to that of the now-defunct Knight group.
The platform has distinguished itself by offering affiliates up to 90% of ransom payments, making it highly attractive to potential partners. RansomHub enforces stringent policies within its affiliate network, mandating that affiliates adhere to agreements made with victims during negotiations.
Failure to comply with these agreements can result in permanent bans from the platform. This strict policy underscores RansomHub’s commitment to maintaining a structured and reliable operational model, even as it continues to develop its reputation in the ransomware landscape.
RansomHub's tactical playbook reveals their technical sophistication. They leverage Fortinet FortiOS and FortiProxy SSL-VPN vulnerabilities (CVE-2023-27997) while conducting brute-force campaigns against RDP and VPN services.
Post-compromise, they deploy EDRKillShifter to neutralize security solutions, wielding PowerShell and WMI for command execution and persistence. Their methodical approach includes network reconnaissance via Nmap and AngryIPScanner, lateral movement through PsExec and RDP, and credential harvesting with Mimikatz.
RansomHub's encryption arsenal combines Curve25519, ChaCha20, and AES algorithms. They methodically eliminate volume shadow copies and backups, leaving victims with few options beyond considering their demands.
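The shadow-copy and backup deletion described above is one of the most reliable pre-encryption signals a defender can watch for, because it almost always runs as a visible command line shortly before payload execution. The following is an added example (not Halcyon's code and not RansomHub tooling): a small detector that scans process-creation events for the well-known recovery-inhibition commands (MITRE ATT&CK T1490) and raises confidence when several distinct techniques fire on the same host. The events, host names, and regex patterns are constructed assumptions for the demonstration and should be tuned to real telemetry.

```python
import re
from dataclasses import dataclass

# Process-creation events, constructed for this example (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-014", "user": "jdoe", "parent": "explorer.exe",
     "cmd": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"host": "ws-014", "user": "jdoe", "parent": "cmd.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-db01", "user": "SYSTEM", "parent": "powershell.exe",
     "cmd": "wmic shadowcopy delete"},
    {"host": "srv-db01", "user": "SYSTEM", "parent": "cmd.exe",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"host": "srv-fs02", "user": "backupsvc", "parent": "services.exe",
     "cmd": "wbadmin start backup -backupTarget:E: -include:C:"},
    {"host": "srv-fs02", "user": "admin", "parent": "cmd.exe",
     "cmd": "wbadmin delete catalog -quiet"},
    {"host": "ws-022", "user": "asmith", "parent": "cmd.exe",
     "cmd": "vssadmin list shadows"},
]

# Recovery-inhibition patterns (assumed for this example; tune per environment).
# Each pattern is deliberately narrow: listing shadows or starting a backup is benign.
INHIBIT_RECOVERY_PATTERNS = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    cmd: str


def match_rules(cmd: str) -> list:
    """Names of every recovery-inhibition rule that matches one command line."""
    return [name for name, pat in INHIBIT_RECOVERY_PATTERNS if pat.search(cmd)]


def scan_events(events: list) -> list:
    """Run every event through the rule set and collect one Alert per rule hit."""
    alerts = []
    for ev in events:
        for rule in match_rules(ev["cmd"]):
            alerts.append(Alert(ev["host"], ev["user"], rule, ev["cmd"]))
    return alerts


def hosts_with_multiple_techniques(alerts: list, threshold: int = 2) -> list:
    """Hosts where at least `threshold` distinct techniques fired.

    A single command can be legitimate admin activity; two or more different
    recovery-inhibition techniques on one host is a much stronger ransomware signal.
    """
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] host={a.host} user={a.user} cmd={a.cmd!r}")
    print("high-confidence hosts:", hosts_with_multiple_techniques(found))
```

Run against the constructed events, the detector flags four commands and escalates only srv-db01, where two different techniques were used; the backup job and the read-only `vssadin list shadows` produce no alert, which is the point of keeping the patterns narrow.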
Play
Play Ransomware emerged in June 2022 and quickly established itself as one of the most technically sophisticated ransomware groups. Through innovative tactics and targeted campaigns, Play stands apart from affiliate-based Ransomware-as-a-Service (RaaS) groups by maintaining a closed operational structure. This approach maximizes operational secrecy and precision while reducing attribution risks.
The group's most notable innovation is their intermittent encryption technique, which encrypts only portions of files. This approach reduces encryption time and makes detection by endpoint defenses significantly more challenging. Through hundreds of confirmed attacks, Play has targeted high-value sectors, causing widespread disruption and substantial financial losses.
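Intermittent encryption defeats detectors that judge a file by its overall entropy, because most of the bytes stay plaintext. The example below is added here to show that gap and a simple countermeasure; it is not Play's code and implements no cipher. Random bytes from `os.urandom` stand in for ciphertext, the sample log file and the block/interval sizes are constructed assumptions, and the check compares a whole-file entropy threshold with a per-chunk scan of the same data.

```python
import math
import os
from collections import Counter

CHUNK = 4096        # assumed scan granularity
THRESHOLD = 7.5     # assumed bits-per-byte cutoff; random data measures close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 8.0 for uniform random data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_sample_file(size: int = 64 * 1024) -> bytes:
    """Constructed plaintext resembling a log file (repetitive ASCII)."""
    line = b"2024-11-03 10:22:14 INFO user=jdoe action=login result=ok\n"
    return (line * (size // len(line) + 1))[:size]


def simulate_full_encryption(data: bytes) -> bytes:
    """Random bytes stand in for a fully encrypted file; no cipher is involved."""
    return os.urandom(len(data))


def simulate_intermittent_encryption(data: bytes, block: int = CHUNK, every: int = 3) -> bytes:
    """Replace one block in every `every` with random bytes, leaving the rest as plaintext.

    This mirrors the partial-file pattern described for Play: only a fraction of
    the bytes change, so the file's aggregate statistics stay close to plaintext.
    """
    out = bytearray(data)
    for start in range(0, len(data), block * every):
        end = min(start + block, len(data))
        out[start:end] = os.urandom(end - start)
    return bytes(out)


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size chunk of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, threshold: float = THRESHOLD) -> tuple:
    """Return (flagged_by_whole_file_entropy, flagged_by_chunk_scan).

    The whole-file check averages ciphertext and plaintext together and misses
    partial encryption; the chunk scan fires if any single chunk looks random.
    """
    whole = shannon_entropy(data) >= threshold
    chunked = any(e >= threshold for e in chunk_entropies(data, chunk))
    return whole, chunked


if __name__ == "__main__":
    plain = make_sample_file()
    for label, blob in [("plaintext", plain),
                        ("fully encrypted", simulate_full_encryption(plain)),
                        ("intermittently encrypted", simulate_intermittent_encryption(plain))]:
        whole, chunked = classify(blob)
        print(f"{label:26s} entropy={shannon_entropy(blob):.2f} "
              f"whole-file flag={whole} chunk-scan flag={chunked}")
```

The whole-file entropy of the intermittently encrypted sample lands well under the cutoff (roughly two-thirds plaintext pulls the average down), so only the chunk scan flags it; the fully encrypted sample trips both checks and the plaintext trips neither. Chunk size should be no larger than the smallest encrypted span you expect, otherwise plaintext inside a chunk dilutes the signal the same way.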
As Play's capabilities expanded, they became one of the most active and innovative groups in the RaaS space by Q2 2024. Following the tactical playbook of defunct groups like Hive and Nokoyawa, they primarily exploit unpatched Fortinet SSL VPN vulnerabilities to gain initial network access.
Play enhanced its capabilities by exploiting critical vulnerabilities in Microsoft Exchange (ProxyNotShell, OWASSRF) and other systems. Their swift adaptation to new attack vectors established them as a formidable threat. A joint FBI-CISA advisory in early 2024 revealed that Play had executed over 300 successful compromises since June 2022, demonstrating their expertise in vulnerability exploitation.
In response to evolving security landscapes, Play shifted their focus toward enterprise infrastructure, specifically targeting VMware ESXi virtual machines with their Linux-based variant, as detailed in our Linux in Ransomware '24 section. While their activity has decreased compared to 2023 peaks, this strategic evolution demonstrates Play's resilience and adaptability.
Most significantly, Play's capabilities expanded further in 2024 through a partnership with APT 45, a North Korean state-sponsored hacking group. By incorporating APT 45's advanced techniques in credential harvesting, lateral movement, and privilege escalation, Play strengthened their ransomware operations. This alliance represents a significant convergence between ransomware groups and nation-state actors.
Akira
Akira made its mark in the Ransomware-as-a-Service (RaaS) landscape in 2023. Through a double extortion model, Akira encrypts and threatens to expose sensitive data, demanding payments from $200,000 to $4 million.
Affiliates use Akira’s tools, while Akira manages negotiations and payments, making it accessible for seasoned operators. The group targets sectors with high-stakes data, including healthcare, finance, education, and manufacturing across North America, Europe, and Australia.
Its recent addition of a Rust-based Linux variant for VMware ESXi environments marks Akira’s commitment to cross-platform targeting. Although likely inspired by Conti’s infrastructure and methodologies, Akira operates independently, marked by advanced technical abilities and a strategic approach tailored toward sectors with significant operational dependencies and highly sensitive data.
Since its inception, Akira has scaled quickly, establishing itself as one of the most active ransomware organizations on the global stage. By early 2024, Akira had allegedly targeted over 300 organizations and amassed more than $50 million in ransom payments, categorizing it among the highest-earning ransomware groups currently active.
During our Q4 Ransomware Malicious Quartile analysis, we identified Ransomware.akira/dacic as a notable threat. This potent ransomware strain from the Akira group uses aggressive tactics and evolving techniques. It scans networks for critical assets, disables security tools and encrypts files with strong algorithms while adding a distinct file extension.
The malware performs data exfiltration before encryption, leaving victims vulnerable to data breaches even with backups in place. Through process obfuscation and antivirus evasion, its stealth features allow it to bypass traditional security measures.
BlackBasta
BlackBasta, a prominent ransomware-as-a-service (RaaS) group that emerged in early 2022, is known for its aggressive tactics, technical proficiency, and double extortion model. Throughout 2024, BlackBasta has remained one of the most prolific attack groups, leveraging unique tactics for gaining access, moving laterally, exfiltrating data, and deploying ransomware payloads.
The group has been observed exploiting vulnerabilities like ConnectWise (CVE-2024-1709) and VMware ESXi, while also using social engineering methods such as email bombing and impersonation. Their ransomware, developed in C++, targets both Windows and Linux systems and employs advanced encryption techniques. BlackBasta utilizes various tools like SystemBC and Cobalt Strike to facilitate their attacks.
BlackBasta typically targets industries like manufacturing, transportation, construction, telecommunications, automotive, and healthcare.
In December, BlackBasta shifted its tactics from email-based phishing to social engineering attacks through Microsoft Teams. The group impersonates IT help desk staff on Teams, convincing victims to install remote access tools like Quick Assist or AnyDesk. This allows them to deploy malware and infiltrate networks, effectively bypassing traditional email security defenses.
Emerging Ransomware Groups
The cybersecurity threat landscape has evolved significantly, with three distinct types of malicious actors emerging. Traditional ransomware operators deploy malicious software that encrypts victims' systems and data, demanding payment for restoration. This model has given rise to a more sophisticated approach called Ransomware as a Service (RaaS), where developers provide their malicious tools to affiliates who execute attacks and share the resulting profits.
Adding to these concerns are data brokers, who focus exclusively on stealing sensitive information to sell on dark web marketplaces, presenting a different but equally serious threat to organizations' digital assets. Understanding these various threat actors and their methods is crucial for developing effective defense strategies.
Crypto-Ransomware, Data Broker, Ransomware-as-a-Service (RaaS)
These groups encrypt files, steal data, and operate under an affiliate-based RaaS model:
- RansomHub: RansomHub, a ransomware-as-a-service group that emerged in February 2024, quickly rose to prominence by employing sophisticated tactics, including a double-extortion model and a unique affiliate payment structure, to become one of the most notorious cybercriminal threats targeting critical sectors worldwide
- ArcusMedia: Emerging in May 2024, ArcusMedia is a sophisticated ransomware group that employs advanced privilege escalation techniques, targeted process termination, and selective encryption methods to maximize disruption and extortion potential in their attacks
- Flocker: Emerged in April 2024 and is a Ransomware-as-a-Service (RaaS) operation that employs double extortion tactics and maintains communication through a Telegram group and an Onion site. Tied to FSociety ransomware.
- Lynx: Emerged in July 2024 as a rebranded variant of INC ransomware, employing double extortion tactics, advanced encryption, and selective targeting of industries like finance, manufacturing, and architecture, while avoiding socially critical sectors.
- Cicada3301: A sophisticated ransomware-as-a-service (RaaS) operation that emerged in June 2024. It targets critical sectors across the US and UK, utilizing multi-platform capabilities, advanced encryption techniques, and a sophisticated affiliate program.
Crypto-Ransomware, Data Broker
These groups combine data encryption with extortion through stolen data leaks:
- BrainCipher: Emerged in April 2024 using a variant of LockBit 3.0 ransomware for data encryption and exfiltration. The group gained notoriety after disrupting Indonesian government services in June 2024.
- Sarcoma: Emerging in October 2024, Sarcoma ransomware quickly became a major threat actor, claiming over 40 victims in its first month through aggressive tactics and sophisticated attack methods.
- Interlock: First spotted in September 2024, Interlock ransomware is a sophisticated cross-platform threat targeting critical infrastructure and large organizations worldwide. It distinguishes itself through double-extortion tactics and the ability to encrypt FreeBSD servers.
- Hellcat: A sophisticated group that emerged in mid-2024, known for aggressive double-extortion tactics. They use advanced techniques including multi-stage PowerShell infection chains, reflective code loading, and AMSI bypasses to evade detection and maintain persistence.
- SafePay: Emerging in October 2024, this LockBit-based malware adds the ".safepay" extension to encrypted files. The group steals sensitive data and demands cryptocurrency payment, threatening to publish stolen information if demands aren't met.
- Morpheus: Emerged in September 2024 as a semi-private Ransomware-as-a-Service (RaaS) operation targeting pharmaceutical and manufacturing industries. The group specializes in attacking virtual ESXi environments, demanding ransoms up to 32 BTC ($3 million USD).
Data Brokers
These groups exclusively focus on stealing and selling data without deploying ransomware for file encryption:
- APT73: also known as Bashe, is a ransomware group that emerged in mid-April 2024, employing LockBit-inspired tactics and a TOR-based data leak site to target various industries across developed nations, while self-proclaiming as an Advanced Persistent Threat.
- SpaceBears: A data broker ransomware group that emerged in April 2024, distinguished by its unique "corporate" facade on its data leak site. The group leverages Phobos Ransomware-as-a-Service infrastructure to conduct double extortion attacks against diverse victims.
- Termite: A data broker and extortion group that emerged in late 2024. They use a modified version of Babuk ransomware to target diverse industries globally. Their most significant operation was a November 2024 attack that disrupted major supply chains.
- Volcano Demon: A new ransomware group first identified by the Halcyon RISE team that had been found active in July 2024. They use LukaLocker, a ransomware that encrypts files with the .nba extension, and have been successful in locking both Windows workstations and servers. They use double extortion techniques, exfiltrating data before encrypting it and then threatening to leak it if a ransom is not paid. They also use phone calls to leadership and IT executives to extort and negotiate payment.
Takeaway
The 2024 ransomware landscape has evolved into an intricate network of sophisticated criminal enterprises. Established groups such as RansomHub, BlackBasta, Play, and Akira have refined their operations by leveraging ransomware-as-a-service platforms with ruthless efficiency. Their collaborative approach has transformed isolated cybercrime into a streamlined, profit-driven industry.
Most concerning is their calculated assault on critical sectors. Healthcare providers, financial institutions, and government agencies have become prime targets. These organizations' reliance on continuous operations and sensitive data creates an acute vulnerability. Threat actors exploit this leverage point methodically because they know service disruptions and data breaches often compel organizations to yield to their demands.
The threat landscape has grown more complex as newcomers like Volcano Demon emerge with remarkable sophistication. While embracing proven tactics like double extortion, they also pioneer innovative approaches. Through meticulously crafted social engineering campaigns and rapid exploitation of vulnerabilities, these emerging groups demonstrate their capability to execute equally devastating attacks.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.