Threat Intelligence 101

Most Popular Ransomware Groups

Posted: 22nd July 2024
By: Esteban Borges

Ransomware groups are criminal operations that extort money from organizations by encrypting data, stealing it, and threatening to leak it. As these gangs grow more aggressive, their impact on organizations worldwide keeps growing. This article covers the top ransomware groups to watch in 2024, their methods, and their biggest attacks. Knowing how these groups operate helps you defend against them.

Quick Facts

  • LockBit, RansomHub, PLAY, Hunters International, and Akira are the most active and impactful ransomware families in 2024.
  • Ransomware groups use advanced tactics, like double and triple extortion, and often exploit software vulnerabilities to get in and demand ransoms.
  • New ransomware groups such as Meow, KillSec, DragonForce, and Cicada3301 are bringing new techniques and added complexity, so defenders need to stay vigilant and keep adapting their security practices.

Most Notorious Ransomware Groups

Ransomware continues to draw attention as it causes financial and reputational damage to organizations worldwide. Attacks involving ransomware surged by over 70% from 2022 to 2023. Many ransomware gangs now operate under a ransomware-as-a-service model, target specific industries, and keep refining their encryption and extortion techniques, with significant impact on businesses and organizations globally.

In 2023 ransomware reached an all-time high, with a sharp increase in both attacks and ransom payments, and the average ransom demand per attack in the first half of 2024 exceeded $5.2 million.

Among the most active ransomware families, LockBit, RansomHub, PLAY, Hunters International, and Akira were the most frequent and impactful. Other dangerous groups, including BianLian, BlackSuit, Meow, and 8Base, also contributed to the growing ransomware threat.

As ransomware groups evolve, new players are emerging:

  • Medusa
  • BianLian
  • 8Base
  • INC Ransom
  • Qilin
  • Rhysida
  • Cactus

These new threat actors bring new methods and motives to the table. Knowing their operations and tactics is key to defending against their payloads and extortion attacks.

LockBit Ransomware Group

Despite significant law enforcement action in early 2024 (Operation Cronos, which seized LockBit infrastructure in February), LockBit still leads ransomware attacks globally and remains the most dominant group. Much of this volume stems from the leaked LockBit 3.0 builder, which has put the ransomware in the hands of unrelated actors, but LockBit itself still claims responsibility for more attacks than any other group. It shows no sign of slowing down and fields multiple ransomware variants alongside a range of intrusion techniques.

One of the most notable LockBit attacks hit Royal Mail in early 2023. It disrupted international shipping for about six weeks; the initial ransom demand of £65.7 million was later reduced to £33 million. Another major incident was the June 2023 attack on TSMC, where LockBit demanded a $70 million ransom.

LockBit 3.0 (also called LockBit Black) is the latest major version. Its affiliates gain initial access through phishing and social engineering as well as by exploiting vulnerabilities in internet-facing systems. Victims span North America, Europe, and the Asia-Pacific region, making it a global threat. With roughly 1,700 attacks in the US since 2020 and around $91 million in ransom payments collected, according to figures CISA published in 2023, LockBit remains a force to be reckoned with.

RansomHub Ransomware Group

RansomHub is an emerging ransomware group that quickly gained notoriety for attacks on critical infrastructure around the world. First observed in early 2024, it runs a double-extortion model, encrypting victim data and threatening to leak it if the ransom is not paid. RansomHub has targeted organizations across North America, Europe, and Asia, concentrating on critical sectors such as healthcare, manufacturing, and education. One distinguishing feature is its custom ransomware, updated frequently to evade security tooling. For initial access the group has exploited exposed Remote Desktop Protocol (RDP) services and vulnerable VPN appliances.

One of the most notable RansomHub attacks was the August 2024 attack on oil and gas services giant Halliburton. As the group grows in prominence, its global reach and evolving tactics make it a significant threat to organizations with outdated or weak security controls, and researchers are watching its activity closely.

PLAY Ransomware Group

The PLAY ransomware group emerged in mid-2022 and quickly established itself as a serious threat. Known for aggressive, well-coordinated attacks, PLAY primarily targets critical sectors such as government agencies, financial institutions, and healthcare organizations. The group runs a double-extortion model, encrypting data while threatening to publish sensitive information if the ransom isn't paid. PLAY typically gains initial access by exploiting vulnerabilities in remote access systems and unpatched software, then uses tools such as Cobalt Strike for lateral movement within the network.

One of the group's most significant attacks came in late 2022, when it hit a major South American city's municipal services and disrupted government functions for several weeks. Its custom tooling and persistence techniques make PLAY intrusions difficult to detect and contain. Its international reach, with victims across North America, Europe, and Latin America, has drawn the attention of cybersecurity researchers and law enforcement. PLAY continues to evolve, frequently adapting its tactics to bypass defenses, and is a growing concern for organizations with weak or outdated security controls.

Hunters International Ransomware Group

Hunters International is a relatively new ransomware group that emerged in 2023 and quickly drew attention with targeted, high-stakes attacks on global corporations and critical infrastructure. The group follows the double-extortion model, encrypting victim data while threatening to leak it if the ransom is not paid. Many researchers believe Hunters International is a direct successor to the now-defunct Hive ransomware group, based on code overlap with Hive's encryptor. The group is known for a methodical approach, often spending weeks or months inside a network to identify and exfiltrate the most sensitive data before launching its encryption payload. It exploits vulnerabilities in remote access tools and unpatched software, which makes it particularly dangerous to organizations with weak cybersecurity practices.

Hunters International is highly selective in its targets, typically going after large enterprises with the capacity to pay substantial ransoms. Their increasing sophistication and use of custom-built ransomware variants have made them a growing concern for cybersecurity professionals, as they continue to adapt and refine their tactics to evade detection and maximize impact.

Akira Ransomware Group

The Akira ransomware group, first identified in early 2023, has rapidly gained attention for effective double-extortion attacks on organizations across a wide range of industries, including healthcare, education, and technology. Akira encrypts critical data, exfiltrates sensitive information, and threatens to publish it if the ransom is not paid. The group typically gains initial access through exposed Remote Desktop Protocol (RDP) services and VPN appliances, often using stolen credentials, VPN accounts that lack MFA, or unpatched systems.

As of early 2024, Akira was estimated to have collected over $42 million in ransom payments from more than 250 victims around the world. The group is characterized by aggressive negotiation tactics and rapid adaptation of its ransomware variants to bypass security defenses. Akira's activity spans North America, Europe, and parts of Asia, with a focus on organizations with weaker security postures or outdated systems. As it continues to evolve, Akira remains a significant threat, particularly for organizations unprepared for persistent, well-resourced ransomware operations.

Emerging Ransomware Groups

The ransomware landscape is in constant flux: groups emerge, rebrand, split, and collaborate, and many appear and disappear quickly, which makes continuous monitoring difficult for defenders.

Emerging gangs are developing new encryption and extortion techniques and already have a significant financial impact on businesses. Because they bring new intrusion methods, organizations need to track them and adjust their defenses accordingly; understanding each group's modus operandi and preferred targets is key to mitigating the impact.

How Ransomware Groups Work

Ransomware groups rely on a few recurring business models and techniques to break in and deploy their malware: ransomware-as-a-service (RaaS), double and triple extortion, and exploitation of software vulnerabilities. Understanding these is key to building defenses against ransomware.

Ransomware-as-a-Service (RaaS)

Ransomware-as-a-service (RaaS) lets criminals use the skills and infrastructure of others to carry out attacks beyond their own capabilities. Developers build and maintain the ransomware, the leak site, and the payment infrastructure, then lease them to affiliates, who carry out the intrusions and typically hand a percentage of each ransom back to the operators. This has made ransomware accessible to far less technical criminals and amplified both the frequency and the impact of attacks.

Double and Triple Extortion

Double extortion combines encryption with data theft: the attackers exfiltrate sensitive data before encrypting it, then threaten to publish it unless the ransom is paid. Maze ransomware popularized this tactic in 2019 by releasing stolen data on a leak site when victims refused to pay. The threat of exposure adds pressure on the victim and makes payment more likely, and it means that restoring from backups alone no longer neutralizes the extortion.

Triple extortion, which is becoming more common, adds another layer of pressure: threatening distributed denial-of-service (DDoS) attacks against the victim, or extorting third parties (customers, patients, business partners) whose data was stolen. Separately from the extortion itself, most families also sabotage local recovery before encrypting. REvil, for example, deleted volume shadow copies and disabled Windows recovery mode so the victim could not restore from local snapshots, making recovery without proper backups much harder.
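The anti-recovery step is one of the most reliable detection points in the whole kill chain, because the commands are few, well known, and rarely legitimate on a workstation. As an added example (not code from the original article or from any vendor product), here is a small detector in Python that runs those patterns over constructed process-creation log lines and raises confidence when several distinct techniques fire on one host within a minute; the log layout, host names and user names are assumptions.

```python
"""Flag recovery-sabotage commands in process-creation telemetry.

Added example for this article, not code from the original page or from any
vendor. The log lines are constructed to resemble Sysmon Event ID 1 / Windows
4688 command lines; the pipe-delimited layout
(timestamp|host|user|parent_image|command_line) is an assumption.
"""
import re
from datetime import datetime

# Commands ransomware families (REvil, LockBit, and many others) run before
# encryption to destroy local restore points. Matched case-insensitively.
SABOTAGE_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_resize_storage": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "bcdedit_recovery_disabled": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "powershell_shadowcopy": re.compile(r"\bWin32_ShadowCopy\b.*\b(?:Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I),
}

# Constructed sample: one workstation shows a classic pre-encryption sequence,
# one backup server runs legitimate VSS/wbadmin commands that must not alert.
SAMPLE_LOG = """\
2024-07-22T10:14:02Z|WS-0412|CORP\\jdoe|explorer.exe|"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n
2024-07-22T10:15:37Z|WS-0412|CORP\\jdoe|cmd.exe|vssadmin.exe Delete Shadows /All /Quiet
2024-07-22T10:15:38Z|WS-0412|CORP\\jdoe|cmd.exe|wmic shadowcopy delete
2024-07-22T10:15:39Z|WS-0412|CORP\\jdoe|cmd.exe|bcdedit /set {default} recoveryenabled No
2024-07-22T10:15:39Z|WS-0412|CORP\\jdoe|cmd.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2024-07-22T10:20:11Z|SRV-BK01|CORP\\svc_backup|services.exe|vssadmin.exe List Shadows
2024-07-22T10:21:00Z|SRV-BK01|CORP\\svc_backup|services.exe|wbadmin start backup -backupTarget:E: -include:C:
"""


def parse_event(line: str) -> dict:
    """Split one pipe-delimited record; the command line itself may contain '|'."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def classify(cmd: str) -> list:
    """Return the names of every sabotage pattern that matches the command line."""
    return [name for name, pat in SABOTAGE_PATTERNS.items() if pat.search(cmd)]


def find_sabotage(log_text: str) -> list:
    """Return every event whose command line matches at least one pattern."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_event(raw)
        tags = classify(event["cmd"])
        if tags:
            hits.append({**event, "tags": tags})
    return hits


def burst_hosts(hits: list, window_s: int = 60, min_distinct: int = 2) -> set:
    """Hosts where >= min_distinct different techniques fire within window_s seconds.

    A lone command is a lead; several distinct anti-recovery commands in quick
    succession is the pre-encryption signature worth paging on.
    """
    per_host = {}
    for h in hits:
        t = datetime.fromisoformat(h["ts"].replace("Z", "+00:00"))
        for tag in h["tags"]:
            per_host.setdefault(h["host"], []).append((t, tag))
    flagged = set()
    for host, events in per_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            distinct = {tag for t, tag in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(distinct) >= min_distinct:
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    hits = find_sabotage(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["host"]} {h["user"]}: {", ".join(h["tags"])} <- {h["cmd"]}')
    print("hosts with a pre-encryption burst:", sorted(burst_hosts(hits)))
```

The burst rule is the part that matters for triage: on a backup server, a lone `vssadmin list shadows` or a scheduled `wbadmin` job is routine, while `vssadmin delete shadows` followed within seconds by `bcdedit ... recoveryenabled No` on a workstation is as close to a certain pre-encryption signal as endpoint telemetry gets, and should page rather than queue.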

Exploiting Software Vulnerabilities

Exploiting software vulnerabilities, especially in internet-facing systems, is a common way for these groups to gain initial access and deploy their malware. Initial access brokers play a big role here: they compromise organizations through vulnerable or exposed services and sell that access on to ransomware affiliates. REvil, for example, was first delivered in 2019 through the Oracle WebLogic deserialization vulnerability CVE-2019-2725, and later expanded to RDP attacks and spam campaigns.

Once inside, the attackers exploit further vulnerabilities and misconfigurations to escalate privileges and move laterally across the network. That lets them reach critical systems and data, maximize the damage, and increase the odds of getting paid.
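One practical way to turn this into a patching priority is to join scanner findings for your assets against the CISA Known Exploited Vulnerabilities (KEV) catalog, which flags entries tied to known ransomware campaigns. The following is an added example, not the article's or CISA's code: the KEV records are constructed in the field layout of the public feed (their dates and descriptions are placeholders, not copied from the live catalog), and the inventory format stands in for whatever your scanner exports.

```python
"""Prioritize vulnerable assets using the CISA Known Exploited Vulnerabilities
(KEV) catalog's ransomware flag.

Added example for this article, not the page's or any vendor's code. The KEV
records below are constructed in the field layout of the public feed
(cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse); dates and
descriptions are placeholders. The inventory format (asset, internet_facing,
findings) is an assumption standing in for vulnerability-scanner output.
"""
import json
from datetime import date

# Live feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2019-2725", "vendorProject": "Oracle", "product": "WebLogic Server",
         "shortDescription": "Deserialization RCE used to deliver REvil (constructed record)",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "Windows SMBv1",
         "shortDescription": "EternalBlue, used by WannaCry (constructed record)",
         "dateAdded": "2022-02-10", "dueDate": "2022-08-10",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2014-0160", "vendorProject": "OpenSSL", "product": "OpenSSL",
         "shortDescription": "Heartbleed memory disclosure (constructed record)",
         "dateAdded": "2022-05-04", "dueDate": "2022-05-25",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed inventory: asset names and findings are illustrative only.
INVENTORY = [
    {"asset": "weblogic-01.corp.example", "internet_facing": True, "findings": ["CVE-2019-2725"]},
    {"asset": "fs-legacy-02.corp.example", "internet_facing": False, "findings": ["CVE-2017-0144"]},
    {"asset": "lb-01.corp.example", "internet_facing": True, "findings": ["CVE-2014-0160"]},
    {"asset": "vpn-gw-01.corp.example", "internet_facing": True, "findings": []},
]


def load_kev(kev_json: str) -> dict:
    """Index KEV records by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def score_asset(asset: dict, kev: dict, today: date) -> dict:
    """Score one asset; higher means patch sooner. Weights are arbitrary but ordered:
    ransomware-linked KEV > exposure > overdue > merely listed in KEV."""
    score, reasons, kev_cves = 0, [], []
    for cve in asset["findings"]:
        rec = kev.get(cve)
        if rec is None:
            continue  # not known-exploited: handle on the normal patch cycle
        kev_cves.append(cve)
        score += 20
        reasons.append(f"{cve} in KEV")
        if rec.get("knownRansomwareCampaignUse") == "Known":
            score += 50
            reasons.append(f"{cve} used in ransomware campaigns")
        if date.fromisoformat(rec["dueDate"]) < today:
            score += 20
            reasons.append(f"{cve} past KEV due date {rec['dueDate']}")
    if kev_cves and asset["internet_facing"]:
        score += 30
        reasons.append("internet-facing")
    return {"asset": asset["asset"], "score": score, "cves": kev_cves, "reasons": reasons}


def prioritize(inventory: list, kev_json: str, today: date) -> list:
    """Return assets with at least one KEV finding, highest score first."""
    kev = load_kev(kev_json)
    scored = [score_asset(a, kev, today) for a in inventory]
    return sorted((s for s in scored if s["cves"]), key=lambda s: (-s["score"], s["asset"]))


if __name__ == "__main__":
    for row in prioritize(INVENTORY, KEV_SAMPLE, date(2024, 7, 22)):
        print(f'{row["score"]:4d}  {row["asset"]:28s} {"; ".join(row["reasons"])}')
```

The weights are arbitrary; what matters is the ordering rule, which puts an internet-facing host with a ransomware-linked, past-due KEV entry ahead of everything else. In production, pull the live feed from the URL in the comment on each run rather than embedding records, and treat anything both internet-facing and ransomware-flagged as an emergency change, not a ticket for the next cycle.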

Big Ransomware Attacks

Big ransomware attacks have shown the global reach of these threats. WannaCry in May 2017 exploited a Microsoft Windows SMBv1 vulnerability (MS17-010, the EternalBlue exploit) and spread as a worm, hitting organizations worldwide, including hospitals in the UK's National Health Service. It became one of the largest attacks of 2017, with estimated losses of $4 billion.

In 2018 the city of Atlanta was crippled by SamSam ransomware: public services went down and thousands of employees could not access their computers. In May 2021 the Colonial Pipeline attack by the DarkSide ransomware group caused a major fuel supply disruption in the US, showing how vulnerable critical infrastructure is to this type of attack.

These incidents show why strong security controls and incident readiness matter. Understanding the tactics and impact of these ransomware operations helps organizations improve both their defenses and their response, and reduces the risk ransomware poses.

How to Protect Against Ransomware

Protecting against ransomware takes a multi-layered approach: multi-factor authentication (MFA), regular data backups, and comprehensive cybersecurity training and awareness programs, on top of keeping internet-facing systems patched. With 76% of organizations reporting exploitation of unknown or poorly managed internet-facing assets, you also need an accurate inventory of what is exposed, since you cannot patch or protect what you do not know about. Together these reduce the risk of infection and leave the organization better prepared to respond.

Implementing Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) requires users to present two or more independent verification factors to access a resource: something they know (a password), something they possess (an authenticator app or hardware security key), or something they are (a biometric). This greatly reduces the risk of unauthorized access even when a password has been phished or leaked.

For ransomware specifically, MFA matters most on the remote access paths the groups above abuse: VPNs, RDP gateways, email, and administrative consoles. Not all factors are equal: SMS codes and push notifications can be defeated by SIM swapping, push fatigue, and real-time phishing proxies, whereas phishing-resistant methods such as FIDO2/WebAuthn security keys are not. Enforced everywhere remote access is possible, with no exempted service accounts, MFA is a must-have in any security strategy, and businesses that enforce it also build trust in their digital services by demonstrating that they take security seriously.

Regular Data Backups

Regular data backups are key to minimizing the impact of ransomware. When addressing data backup, Allan Liska says:

“What I think started to happen is it started to sink in, and that more people were doing this, which meant fewer people were paying the ransom”

a good sign that organizations are taking data protection seriously.

The 3-2-1 backup rule is a common practice: keep three copies of the data, on two different types of media, with one copy offsite. This way data can be restored without paying a ransom, reducing downtime and data loss.

With 93% of ransomware attacks targeting backups, securing the backups themselves is also crucial. Cloud storage alone is not protection: a backup the attacker can reach with stolen administrator credentials will be deleted or encrypted along with everything else. Backups must be offline, or stored immutably (write-once or object-locked) under credentials separate from the production domain. Some best practices for backup storage and maintenance:

  • Store backups offline or in immutable cloud storage, under separate credentials, so neither the ransomware nor an attacker holding domain admin can reach them.
  • Encrypt offsite backups so that lost or stolen backup media does not become a data leak.
  • Use automated backup solutions to reduce human error in data protection.
  • Regularly test restores, not just backup jobs, so you know recovery works and how long it takes; verify backup integrity so a copy that was silently encrypted is caught before you need it.
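Testing backups means more than confirming the job ran. A backup the attacker could reach may have been encrypted or deleted in place, and an attacker who can rewrite the data can usually rewrite any checksum file stored beside it. The following added example (not the article's or any backup vendor's code) builds a SHA-256 manifest of a small constructed backup tree, signs it with an HMAC key that is meant to live on the offline or immutable side, and then shows the checks catching an encrypted file, a missing file, a dropped ransom note, and a forged manifest. The file names, the key, and the temporary directory are all constructed for the demonstration.

```python
"""Backup integrity manifest: detect backup copies that ransomware has
encrypted, deleted, or tampered with, plus a signed manifest so the attacker
cannot silently rewrite the manifest too.

Added example for this article, not the page's or any vendor's code. The
backup tree, the manifest and the HMAC key are constructed for the demo; in
production the key and a copy of the manifest live on the offline/immutable
side, never next to the backup data.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form, so a rewritten manifest is detectable."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the on-disk tree with the manifest; ok only if nothing changed."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    extra = sorted(p for p in current if p not in manifest)
    return {"ok": not (modified or missing or extra),
            "modified": modified, "missing": missing, "extra": extra}


def run_demo() -> dict:
    """Build a small backup, verify it, then simulate ransomware touching it."""
    key = os.urandom(32)  # constructed; keep the real key off the backup host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")

        manifest = build_manifest(root)
        signature = sign_manifest(manifest, key)
        before = verify_backup(root, manifest)

        # Ransomware-style damage: encrypt one file in place (random bytes stand
        # in for ciphertext), drop a ransom note, delete another file.
        (root / "db" / "customers.sql").write_bytes(os.urandom(64))
        (root / "README_RESTORE.txt").write_bytes(b"your files are encrypted\n")
        (root / "config.yaml").unlink()
        after = verify_backup(root, manifest)

        # The attacker also regenerates the manifest to match the damaged tree;
        # the signature, keyed from outside the backup host, still catches it.
        forged = build_manifest(root)
        forged_authentic = manifest_is_authentic(forged, signature, key)

    return {"before": before, "after": after,
            "original_authentic": manifest_is_authentic(manifest, signature, key),
            "forged_authentic": forged_authentic}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run this as a scheduled job against the restore target, not the source, and alert on any non-empty `modified` or `missing` list; the `extra` list is how a ransom note dropped into a backup share shows up. A manifest that fails the signature check means the backup host itself is compromised and nothing on it can be trusted.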

Cybersecurity Training

Comprehensive cybersecurity training and awareness are key to preventing ransomware infections. Since human error is the leading cause of data breaches, employees must be trained to identify and react to security threats.

To improve their ability to identify and respond to threats, employees should:

  • Receive regular training on cybersecurity best practices, updated as ransomware tactics change
  • Learn to recognize phishing attempts, a common delivery vector for ransomware and the loaders that precede it
  • Participate in simulated attacks, including simulated phishing tests, to practice their response
  • Stay updated on the latest security threats and trends

Doing this reduces the risk of ransomware infection; creating a culture of security awareness across the organization is what keeps that risk low over time.

What to Do If You’re a Victim of Ransomware

If you get hit by ransomware, act fast. Isolate the compromised devices from the internet and the local network to stop the ransomware from spreading: unplug the network cable, disable Wi-Fi, and, where the blast radius is unclear, isolate the affected network segment rather than individual machines.

To respond to a ransomware attack:

  1. Don't reboot, power off, or perform maintenance on affected machines: encryption keys, running processes, and other evidence may exist only in memory, and a reboot can destroy them. Capture memory if you can, and preserve the ransom note, a few encrypted samples, and logs before touching anything else.
  2. Report the attack to law enforcement (in the US, your local FBI field office or IC3) and engage your incident response provider; loop in legal counsel and your cyber insurer early, since both affect what you can do next.
  3. Identify the ransomware family from the ransom note and file extension and check whether a free decryptor exists, for example through the No More Ransom project, before considering payment. A decryptor does not contain the attack, so finding and closing the initial access path comes first; otherwise restored systems just get encrypted again.

FAQs

Who are the most active ransomware groups in 2024?

The most active ransomware groups in 2024 are LockBit, RansomHub, PLAY, Hunters International, and Akira. Emerging groups to watch include Medusa, BianLian, 8Base, INC Ransom, Qilin, Rhysida, and Cactus.

How do ransomware groups get into networks?

Ransomware groups get into networks through phishing emails, exploitation of software vulnerabilities in internet-facing systems, compromised credentials (often on VPN or RDP services without MFA), social engineering, and by buying access from initial access brokers. Closing these paths means enforcing MFA on all remote access, patching exposed systems promptly, and monitoring for credential misuse.

Wrapping up

Ransomware is one of the biggest threats in 2024. Knowing how LockBit, PLAY, Hunters International, RansomHub, and Akira operate, and keeping an eye on the emerging groups, is key to developing a defense strategy. These groups rely on the RaaS model, double and triple extortion, and exploitation of software vulnerabilities to maximize impact.

Preventing ransomware attacks requires a multi-layered approach, MFA, regular backups, and comprehensive cybersecurity training. Stay informed about the latest ransomware threats and implement robust security measures to minimize the risk and be prepared to respond to an attack.

Book a demo today to see how Recorded Future's ransomware mitigation solutions can enhance your cybersecurity posture.
