In 2024, global ransomware attacks hit 5,414, an 11% increase from 2023.
After a slow start, attacks spiked in Q2 and surged in Q4, with 1,827 incidents (33% of the year's total). Law enforcement actions against major groups like LockBit caused fragmentation, resulting in more competition and a rise in smaller gangs. The number of active ransomware groups jumped 40%, from 68 in 2023 to 95 in 2024.
New Ransomware Groups to Watch
In 2023 there were just 27 new groups. 2024 saw a dramatic rise, with 46 new groups detected. As the year went on, the number of groups accelerated, with 48 groups active in Q4 2024.
Of the 46 new ransomware groups in 2024, RansomHub became dominant, exceeding LockBit's activity. At Cyberint, now a Check Point Company, the research team is continuously researching the latest ransomware groups and analyzing them for potential impact. This blog will take a look at 3 new players, the aforementioned RansomHub, Fog and Lynx, examine their impact in 2024, and delve into their origins and TTPs.
To learn about other new players download the 2024 Ransomware Report here.
RansomHub
RansomHub has emerged as the leading ransomware group of 2024, claiming 531 attacks on its Data Leak Site since commencing operations in February 2024. Following the FBI's disruption of ALPHV, RansomHub is perceived as its 'spiritual successor,' possibly involving former affiliates.
Operating as a Ransomware-as-a-Service (RaaS), RansomHub enforces strict adherence to affiliate agreements, with non-compliance resulting in bans and termination of partnerships. It offers a 90/10 ransom split between affiliates and the core group.
While claiming to be a global hacker group, RansomHub avoids targeting CIS countries, Cuba, North Korea, China, and non-profits, exhibiting traits of a traditional Russian ransomware setup. Their avoidance of Russian-affiliated countries and their overlap with other Russian ransomware groups in targeted companies further highlight their likely connections to Russia's cybercrime ecosystem.
Cyberint's August 2024 findings indicate a low payment rate: only 11.2% of victims paid (20 of 190), with negotiations often reducing demands. RansomHub prioritizes attack volume over payment rates, leveraging affiliate growth to ensure profitability, with the goal of generating substantial revenue over time despite low individual payment success.
Malware, Toolset & TTPs
RansomHub's ransomware, developed in Golang and C++, targets Windows, Linux, and ESXi, and is distinguished by its fast encryption. Similarities to GhostSec's ransomware suggest a trend.
RansomHub guarantees free decryption if affiliates fail to provide it after payment or target prohibited organizations. Their ransomware encrypts data before exfiltration. Potential ties to ALPHV are suggested by attack patterns, indicating that similar tools and TTPs could be in use.
Sophos research highlights parallels with Knight ransomware, including Go-language payloads obfuscated with GoObfuscate and identical command-line menus.
Fog Ransomware
Fog ransomware appeared in early April 2024, targeting U.S. educational networks by exploiting stolen VPN credentials. They use a double-extortion strategy, publishing data on a TOR-based leak site if victims do not pay.
In 2024, they attacked 87 organizations globally. An Arctic Wolf report from November 2024 confirmed that Fog initiated at least 30 intrusions, all via compromised SonicWall VPN accounts. Notably, 75% of these intrusions were linked to Akira, with the remainder attributed to Fog, suggesting shared infrastructure and collaboration.
Fog primarily targets education, business services, travel, and manufacturing, with a focus on the U.S. Interestingly, Fog is one of the few ransomware groups that prioritize the education sector as their primary target.
Fog ransomware has demonstrated alarming speed, with the shortest observed time from initial access to encryption being just two hours. Its attacks follow a typical ransomware kill chain, encompassing network enumeration, lateral movement, encryption, and data exfiltration. Variants of the ransomware exist for both Windows and Linux platforms.
Lynx
Lynx is a double-extortion ransomware group that has been very active recently, displaying many victimized companies on their site. They state that they avoid targeting government organizations, hospitals, non-profit groups, and other essential social sectors.
Once they gain access to a system, Lynx encrypts files, appending the ".LYNX" extension. They then place a ransom note named "README.txt" in multiple directories. In 2024 alone, Lynx claimed more than 70 victims, demonstrating their continued activity and significant presence in the ransomware landscape.
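The two on-disk artifacts described above (files renamed with ".LYNX" and a "README.txt" note dropped across directories) can be turned into a simple filesystem triage check. This is an added example, not Cyberint's or Lynx's code; the sample directory tree it scans is constructed inline, and the two-directory threshold is an assumed tuning value.

```python
import os
import tempfile
from pathlib import Path

LYNX_EXT = ".LYNX"          # extension appended to encrypted files (from the report)
NOTE_NAME = "README.txt"    # ransom-note filename dropped in multiple directories


def scan_for_lynx_artifacts(root):
    """Walk `root` and collect per-directory evidence of Lynx encryption.

    Returns counts of renamed files, directories holding a README.txt, and
    directories where both artifacts co-occur. The co-occurrence is the
    strongest signal: README.txt alone is common in legitimate source trees.
    """
    encrypted = []
    note_dirs = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(LYNX_EXT):
                encrypted.append(os.path.join(dirpath, name))
            elif name == NOTE_NAME:
                note_dirs.add(dirpath)
    encrypted_dirs = {os.path.dirname(p) for p in encrypted}
    return {
        "encrypted_files": len(encrypted),
        "note_dirs": len(note_dirs),
        "dirs_with_both": len(encrypted_dirs & note_dirs),
    }


def verdict(result, min_dirs=2):
    """Alert when note and renamed files co-occur in several directories
    (min_dirs is an assumed threshold, matching the 'multiple directories'
    behaviour described in the post)."""
    return result["encrypted_files"] > 0 and result["dirs_with_both"] >= min_dirs


def build_sample_tree():
    """Constructed sample tree for the demo (not a real victim image):
    two hit directories plus a clean project with a legitimate README.txt."""
    root = tempfile.mkdtemp(prefix="lynx_demo_")
    layout = {
        "finance": ["q3.xlsx.LYNX", "budget.docx.LYNX", NOTE_NAME],
        "hr/records": ["staff.csv.LYNX", NOTE_NAME],
        "src/tool": ["main.py", NOTE_NAME],   # benign README.txt, no .LYNX
    }
    for sub, names in layout.items():
        d = Path(root, sub)
        d.mkdir(parents=True)
        for n in names:
            (d / n).write_text("sample")
    return root


if __name__ == "__main__":
    r = scan_for_lynx_artifacts(build_sample_tree())
    print(r, "ALERT" if verdict(r) else "clean")
```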
What's to Come in 2025?
Due to the crackdown on ransomware groups, the most new groups on record have appeared, seeking to make a name for themselves. In 2025, Cyberint anticipates that several of these newer groups will enhance their capabilities and emerge as dominant players, not just RansomHub.
Read Cyberint, now a Check Point Company's 2024 Ransomware Report for the top targeted industries and countries, a breakdown of the top 3 ransomware groups, ransomware families worth noting, newcomers to the industry, arrests and news, and 2025 forecasts.