In 2024, global ransomware attacks hit 5,414, an 11% increase from 2023.
After a slow start, attacks spiked in Q2 and surged in Q4, with 1,827 incidents (33% of the year's total). Law enforcement actions against major groups like LockBit caused fragmentation, leading to more competition and a rise in smaller gangs. The number of active ransomware groups jumped 40%, from 68 in 2023 to 95 in 2024.
New Ransomware Groups to Watch
In 2023 there were just 27 new groups. 2024 saw a dramatic rise, with 46 new groups detected. As the year went on the number of groups accelerated, with 48 groups active in Q4 2024.
Of the 46 new ransomware groups in 2024, RansomHub became dominant, exceeding LockBit's activity. At Cyberint, now a Check Point Company, the research team is constantly researching the latest ransomware groups and analyzing them for potential impact. This blog will look at 3 new players, the aforementioned RansomHub, Fog and Lynx, examine their impact in 2024, and delve into their origins and TTPs.
To learn about other new players, download the 2024 Ransomware Report here.
RansomHub
RansomHub has emerged as the leading ransomware group in 2024, claiming 531 attacks on its Data Leak Site since commencing operations in Feb 2024. Following the FBI's disruption of ALPHV, RansomHub is perceived as its 'spiritual successor,' potentially involving former affiliates.
Operating as a Ransomware-as-a-Service (RaaS), RansomHub enforces strict adherence to affiliate agreements, with non-compliance resulting in bans and termination of partnerships. It offers a 90/10 ransom split, Affiliates/Core Group.
While claiming to be a global hacker group, RansomHub avoids targeting CIS countries, Cuba, North Korea, China, and non-profits, exhibiting traits of a traditional Russian ransomware setup. Their avoidance of Russian-affiliated nations and overlap with other Russian ransomware groups in targeted companies further highlight their likely connections to Russia's cybercrime ecosystem.
Cyberint's August 2024 findings indicate a low payment rate: only 11.2% of victims paid (20 of 190), with negotiations often reducing demands. RansomHub prioritizes attack volume over payment rates, leveraging affiliate expansion to ensure profitability, with the goal of generating substantial revenue over time despite low individual payment success.
Malware, Toolset & TTPs
RansomHub's ransomware, developed in Golang and C++, targets Windows, Linux, and ESXi, and is distinguished by its fast encryption. Similarities to GhostSec's ransomware suggest a trend.
RansomHub guarantees free decryption if affiliates fail to provide it post-payment or target prohibited organizations. Their ransomware encrypts data before exfiltration. Potential ties to ALPHV are suggested by attack patterns, indicating similar tools and TTPs could be in use.
Sophos research highlights parallels with Knight Ransomware, including Go-language payloads obfuscated with GoObfuscate and identical command-line menus.
Fog Ransomware
Fog ransomware appeared in early April 2024, targeting U.S. educational networks by exploiting stolen VPN credentials. They use a double-extortion strategy, publishing data on a TOR-based leak site if victims do not pay.
In 2024, they attacked 87 organizations globally. An Arctic Wolf report from November 2024 confirmed Fog initiated at least 30 intrusions, all through compromised SonicWall VPN accounts. Notably, 75% of these intrusions were linked to Akira, with the rest attributed to Fog, suggesting shared infrastructure and collaboration.
Fog primarily targets education, business services, travel, and manufacturing, with a focus on the U.S. Interestingly, Fog is one of the few ransomware groups that prioritize the education sector as their primary target.
Fog ransomware has demonstrated alarming speed, with the shortest observed time from initial access to encryption being just two hours. Its attacks follow a typical ransomware kill chain, encompassing network enumeration, lateral movement, encryption, and data exfiltration. Variants of the ransomware exist for both Windows and Linux platforms.
IOCs
Lynx
Lynx is a double-extortion ransomware group that has been very active recently, displaying many victimized companies on their website. They state that they avoid targeting government organizations, hospitals, non-profit groups, and other essential social sectors.
Once they gain access to a system, Lynx encrypts files, appending the ".LYNX" extension. They then place a ransom note named "README.txt" in multiple directories. In 2024 alone, Lynx claimed more than 70 victims, demonstrating their continued activity and significant presence in the ransomware landscape.
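The two on-host artifacts described above, the ".LYNX" extension and a "README.txt" ransom note appearing across many directories, are enough to build a simple defender-side detector. The following is an added example, not Cyberint's or Check Point's code; the file-event format, the thresholds and the sample telemetry are all constructed assumptions for this illustration.

```python
"""Detect Lynx-style encryption activity from host file-event records.

Heuristic from the page's two artifacts: files renamed to ".LYNX" and a
"README.txt" ransom note dropped across many directories. Event format,
thresholds and sample data are assumptions constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry: (ISO timestamp, host, action, path). Not real data.
SAMPLE_EVENTS = [
    ("2025-01-10T02:00:01", "WS-07", "RENAME", r"C:\Users\a\Documents\q1.xlsx.LYNX"),
    ("2025-01-10T02:00:02", "WS-07", "CREATE", r"C:\Users\a\Documents\README.txt"),
    ("2025-01-10T02:00:03", "WS-07", "RENAME", r"C:\Users\a\Pictures\img1.jpg.LYNX"),
    ("2025-01-10T02:00:03", "WS-07", "CREATE", r"C:\Users\a\Pictures\README.txt"),
    ("2025-01-10T02:00:04", "WS-07", "RENAME", r"C:\Shares\HR\pay.pdf.LYNX"),
    ("2025-01-10T02:00:05", "WS-07", "CREATE", r"C:\Shares\HR\README.txt"),
    ("2025-01-10T09:15:00", "WS-12", "CREATE", r"C:\dev\proj\README.txt"),  # benign
]

def detect_lynx_activity(events, window=timedelta(minutes=10),
                         min_note_dirs=3, min_encrypted=3):
    """Return {host: {"note_dirs": n, "encrypted": m}} for hosts that, within
    one sliding window, drop README.txt in >= min_note_dirs directories or
    rename >= min_encrypted files to the .LYNX extension."""
    by_host = defaultdict(list)
    for ts, host, action, path in events:
        by_host[host].append((datetime.fromisoformat(ts), action, PureWindowsPath(path)))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])  # events may arrive out of order
        for i, (start, _, _) in enumerate(evs):
            note_dirs, encrypted = set(), 0
            for ts, action, p in evs[i:]:
                if ts - start > window:
                    break
                if action == "CREATE" and p.name.lower() == "readme.txt":
                    note_dirs.add(str(p.parent).lower())
                elif action == "RENAME" and p.suffix.upper() == ".LYNX":
                    encrypted += 1
            if len(note_dirs) >= min_note_dirs or encrypted >= min_encrypted:
                alerts[host] = {"note_dirs": len(note_dirs), "encrypted": encrypted}
                break  # one alert per host is enough
    return alerts

if __name__ == "__main__":
    print(detect_lynx_activity(SAMPLE_EVENTS))
```

The single README.txt on WS-12 stays below the threshold, so a developer's ordinary readme does not fire the rule; only the burst on WS-07 does.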
IOCs
What's to Come in 2025?
Due to the crackdown on ransomware groups, the most new groups on record have appeared, seeking to make a name for themselves. In 2025, Cyberint anticipates several of these newer groups to enhance their capabilities and emerge as dominant players, not just RansomHub.
Read Cyberint, now a Check Point Company's 2024 Ransomware Report for the top targeted industries and countries, a breakdown of the top 3 ransomware groups, ransomware families worth noting, newcomers to the industry, arrests and news, and 2025 forecasts.
Read the 2024 Ransomware Report to Gain Detailed Insights and More.