The Cyber Security News

The New Ransomware Groups Shaking Up 2025

March 3, 2025

In 2024, global ransomware attacks hit 5,414, an 11% increase from 2023.

After a slow start, attacks spiked in Q2 and surged in Q4, with 1,827 incidents (33% of the year’s total). Law enforcement actions against major groups like LockBit caused fragmentation, leading to more competition and a rise in smaller gangs. The number of active ransomware groups jumped 40%, from 68 in 2023 to 95 in 2024.

New Ransomware Groups to Watch

In 2023 there were just 27 new groups; 2024 saw a dramatic rise, with 46 new groups detected. The pace accelerated as the year went on, with 48 groups active in Q4 2024.

Of the 46 new ransomware groups in 2024, RansomHub became dominant, exceeding LockBit’s activity. At Cyberint, now a Check Point company, the research team constantly tracks the latest ransomware groups and analyzes them for potential impact. This blog looks at three new players, the aforementioned RansomHub, Fog and Lynx, examines their impact in 2024, and delves into their origins and TTPs.

To learn about other new players, download the 2024 Ransomware Report here.

RansomHub

RansomHub has emerged as the leading ransomware group in 2024, claiming 531 attacks on its Data Leak Site since commencing operations in Feb 2024. Following the FBI’s disruption of ALPHV, RansomHub is perceived as its ‘spiritual successor,’ potentially involving former affiliates.

Operating as a Ransomware-as-a-Service (RaaS), RansomHub enforces strict adherence to its affiliate agreements, with non-compliance resulting in bans and termination of partnerships. It offers a 90/10 ransom split between affiliates and the core group.

While claiming a global hacker community, RansomHub avoids targeting CIS nations, Cuba, North Korea, China, and non-profits, exhibiting characteristics of a traditional Russian ransomware setup. Its avoidance of Russian-affiliated nations and its overlap with other Russian ransomware groups in targeted companies further highlight its likely connections to Russia’s cybercrime ecosystem.

Cyberint’s August 2024 findings indicate a low payment rate: only 11.2% of victims paid (20 of 190), with negotiations often reducing demands. RansomHub prioritizes attack volume over payment rates, leveraging affiliate expansion to ensure profitability, with the goal of generating substantial revenue over time despite low individual payment success.

Malware, Toolset & TTPs

RansomHub’s ransomware, developed in Golang and C++, targets Windows, Linux, and ESXi, distinguished by its fast encryption. Similarities to GhostSec’s ransomware suggest a trend.

RansomHub guarantees free decryption if affiliates fail to provide it post-payment or target prohibited organizations. Their ransomware encrypts data before exfiltration. Potential ties to ALPHV are suggested by attack patterns, indicating similar tools and TTPs could be used.

Sophos research highlights parallels with Knight Ransomware, including Go-language payloads obfuscated with GoObfuscate and identical command-line menus.

Fog Ransomware

Fog ransomware appeared in early April 2024, targeting U.S. educational networks by exploiting stolen VPN credentials. The group uses a double-extortion strategy, publishing data on a Tor-based leak site if victims don’t pay.

In 2024, they attacked 87 organizations globally. An Arctic Wolf report from November 2024 showed Fog initiated at least 30 intrusions, all via compromised SonicWall VPN accounts. Notably, 75% of these intrusions were linked to Akira, with the rest attributed to Fog, suggesting shared infrastructure and collaboration.

Fog primarily targets education, business services, travel, and manufacturing, with a focus on the U.S. Interestingly, Fog is one of the few ransomware groups that prioritize the education sector as their primary target.

Fog ransomware has demonstrated alarming speed, with the shortest observed time from initial access to encryption being just two hours. Its attacks follow a typical ransomware kill chain, encompassing network enumeration, lateral movement, encryption, and data exfiltration. Versions of the ransomware exist for both Windows and Linux platforms.

IOCs

Type         Value                                                             Last Observation Date
IPv4-Addr    107.161.50.26                                                     Nov 28, 2024
SHA-1        507b26054319ff31f275ba44ddc9d2b5037bd295                          Nov 28, 2024
SHA-1        e1fb7d15408988df39a80b8939972f7843f0e785                          Nov 28, 2024
SHA-1        83f00af43df650fda2c5b4a04a7b31790a8ad4cf                          Nov 28, 2024
SHA-1        44a76b9546427627a8d88a650c1bed3f1cc0278c                          Nov 28, 2024
SHA-1        eeafa71946e81d8fe5ebf6be53e83a84dcca50ba                          Nov 28, 2024
SHA-1        763499b37aacd317e7d2f512872f9ed719aacae1                          Nov 28, 2024
SHA-1        3477a173e2c1005a81d042802ab0f22cc12a4d55                          Feb 02, 2025
SHA-1        90be89524b72f330e49017a11e7b8a257f975e9a                          Nov 28, 2024
Domain-Name  gfs302n515.userstorage.mega.co.nz                                 Nov 28, 2024
SHA-256      e67260804526323484f564eebeb6c99ed021b960b899ff788aed85bb7a9d75c3  Aug 20, 2024

Lynx

Lynx is a double-extortion ransomware group that has been very active lately, displaying many victimized companies on their website. They state that they avoid targeting government organizations, hospitals, non-profit groups, and other essential social sectors.

Once they gain access to a system, Lynx encrypts files, appending the “.LYNX” extension. They then place a ransom note named “README.txt” in multiple directories. In 2024 alone, Lynx claimed more than 70 victims, demonstrating their continued activity and significant presence in the ransomware landscape.
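The two file-system artefacts just described, the “.LYNX” extension and a README.txt note dropped in many directories, can be turned into a quick triage check. The Python below is an added example, not code from Cyberint, Check Point or this article: it walks a directory tree, collects files ending in .LYNX and every directory holding a README.txt, and flags the tree only when both indicators appear together. The function names, the ScanResult structure and the temporary sample tree are assumptions made for the demo; the sample tree is constructed and holds placeholder text, not real ciphertext or a real ransom note.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Lynx post-encryption indicators described above: encrypted files carry the
# ".LYNX" extension and a ransom note named "README.txt" is dropped in many
# directories. The function names and the sample tree below are assumptions
# made for this example, not part of the original article.
ENCRYPTED_EXT = ".lynx"
NOTE_NAME = "README.txt"


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    note_dirs: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require both indicators: renamed files plus notes in more than one
        # directory. A single README.txt is normal in a source tree, so a
        # note on its own is not treated as evidence.
        return bool(self.encrypted_files) and len(self.note_dirs) > 1


def scan_tree(root: str) -> ScanResult:
    """Walk a directory tree and collect the two Lynx indicators."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(os.path.join(dirpath, name))
            elif name == NOTE_NAME:
                result.note_dirs.append(dirpath)
    return result


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_tree(infected: bool) -> str:
    """Constructed sample data for the demo: a temporary tree that either
    mimics the post-encryption state or is a clean tree with one README."""
    root = tempfile.mkdtemp(prefix="lynx-scan-demo-")
    docs = ["finance/ledger.xlsx", "hr/payroll.docx", "hr/2024/review.pdf"]
    if infected:
        for rel in docs:
            _write(os.path.join(root, rel + ".LYNX"), "opaque ciphertext placeholder\n")
        for sub in ("", "finance", "hr", "hr/2024"):
            _write(os.path.join(root, sub, NOTE_NAME), "placeholder ransom note text\n")
    else:
        for rel in docs:
            _write(os.path.join(root, rel), "ordinary document content\n")
        _write(os.path.join(root, NOTE_NAME), "project readme\n")
    return root


if __name__ == "__main__":
    for label, flag in (("infected", True), ("clean", False)):
        res = scan_tree(build_sample_tree(flag))
        print(f"{label}: suspicious={res.suspicious} "
              f"encrypted={len(res.encrypted_files)} note_dirs={len(res.note_dirs)}")
```

Requiring notes in more than one directory, rather than a single README.txt, keeps ordinary source checkouts from tripping the check. Given the two-hour access-to-encryption times reported for groups like Fog, a production control would watch for the rename burst in real time rather than scanning after the fact; this scan is a post-incident scoping aid.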

IOCs

Type         Value                                                           Last Observation Date
MD5          e488d51793fec752a64b0834defb9d1d                                Sep 08, 2024
Domain-Name  lynxback.pro                                                    Sep 08, 2024
Domain-Name  lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion  Sep 08, 2024
Domain-Name  lynxblog.net                                                    Sep 08, 2024
IPv4-Addr    185.68.93.122                                                   Sep 08, 2024
IPv4-Addr    185.68.93.233                                                   Sep 08, 2024
MD5          7e851829ee37bc0cf65a268d1d1baa7a                                Feb 17, 2025
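The Fog and Lynx IOC tables above are only useful once they are swept against telemetry. The following Python is added here as an example and is not tooling from Cyberint, Check Point or the report: it loads the indicators from both tables, extracts hash-, IP- and hostname-shaped tokens from free-text log lines, and also hashes file bytes with MD5, SHA-1 and SHA-256 so a digest can be compared against the same list. The log lines and the file bytes are constructed for the demo (ws-07, ws-12, srv-02, 192.0.2.10 and unknown.exe are placeholders), and the function names are assumptions.

```python
import hashlib
import re

# Indicators transcribed from the Fog and Lynx IOC tables above: (type, value, group).
IOCS = [
    ("IPv4-Addr", "107.161.50.26", "Fog"),
    ("SHA-1", "507b26054319ff31f275ba44ddc9d2b5037bd295", "Fog"),
    ("SHA-1", "e1fb7d15408988df39a80b8939972f7843f0e785", "Fog"),
    ("SHA-1", "83f00af43df650fda2c5b4a04a7b31790a8ad4cf", "Fog"),
    ("SHA-1", "44a76b9546427627a8d88a650c1bed3f1cc0278c", "Fog"),
    ("SHA-1", "eeafa71946e81d8fe5ebf6be53e83a84dcca50ba", "Fog"),
    ("SHA-1", "763499b37aacd317e7d2f512872f9ed719aacae1", "Fog"),
    ("SHA-1", "3477a173e2c1005a81d042802ab0f22cc12a4d55", "Fog"),
    ("SHA-1", "90be89524b72f330e49017a11e7b8a257f975e9a", "Fog"),
    ("Domain-Name", "gfs302n515.userstorage.mega.co.nz", "Fog"),
    ("SHA-256", "e67260804526323484f564eebeb6c99ed021b960b899ff788aed85bb7a9d75c3", "Fog"),
    ("MD5", "e488d51793fec752a64b0834defb9d1d", "Lynx"),
    ("Domain-Name", "lynxback.pro", "Lynx"),
    ("Domain-Name", "lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion", "Lynx"),
    ("Domain-Name", "lynxblog.net", "Lynx"),
    ("IPv4-Addr", "185.68.93.122", "Lynx"),
    ("IPv4-Addr", "185.68.93.233", "Lynx"),
    ("MD5", "7e851829ee37bc0cf65a268d1d1baa7a", "Lynx"),
]

# Lookup keyed on the lowercased value; hashes and hostnames are case-insensitive.
IOC_INDEX = {value.lower(): (kind, group) for kind, value, group in IOCS}

# Token extractors for free-text logs: SHA-256/SHA-1/MD5 hex runs, dotted IPv4, hostnames.
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def extract_candidates(text: str) -> set:
    """Pull every hash-, IP- or hostname-shaped token out of one log line."""
    found = set()
    for rx in (HEX_RE, IPV4_RE, HOST_RE):
        found.update(m.group(0).lower() for m in rx.finditer(text))
    return found


def lookup(value: str):
    """Return (type, group) if a single value is a known IOC, else None."""
    return IOC_INDEX.get(value.strip().lower())


def sweep_log(lines) -> dict:
    """Map 1-based line numbers to the (value, type, group) hits on that line."""
    hits = {}
    for number, line in enumerate(lines, 1):
        matches = [(cand, *IOC_INDEX[cand])
                   for cand in sorted(extract_candidates(line)) if cand in IOC_INDEX]
        if matches:
            hits[number] = matches
    return hits


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a file's bytes, keyed by the table's type names."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA-1": hashlib.sha1(data).hexdigest(),
        "SHA-256": hashlib.sha256(data).hexdigest(),
    }


def check_file_bytes(data: bytes) -> list:
    """Hash a file and report any digest that appears in the IOC tables."""
    return [(kind, digest, *IOC_INDEX[digest])
            for kind, digest in file_hashes(data).items() if digest in IOC_INDEX]


# Constructed sample telemetry (not real logs): proxy, DNS and EDR-style lines.
SAMPLE_LOG = [
    "2024-11-27T09:14:03Z proxy host=ws-07 dst=107.161.50.26:443 action=allow",
    "2024-11-27T09:14:05Z dns host=ws-07 query=gfs302n515.userstorage.mega.co.nz type=A",
    "2024-11-27T09:20:41Z edr host=ws-07 event=process_create "
    "sha1=507B26054319FF31F275BA44DDC9D2B5037BD295 image=C:\\Users\\Public\\unknown.exe",
    "2024-11-27T09:21:00Z proxy host=ws-12 dst=192.0.2.10:443 action=allow",
    "2024-09-08T22:01:17Z dns host=srv-02 query=lynxblog.net type=A",
]
SAMPLE_FILE = b"constructed sample bytes, not a real payload"

if __name__ == "__main__":
    for number, matches in sweep_log(SAMPLE_LOG).items():
        for value, kind, group in matches:
            print(f"line {number}: {kind} {value} -> {group}")
    print("file hash hits:", check_file_bytes(SAMPLE_FILE))
```

Matching on lowercased values matters because EDR products commonly emit uppercase hex while the tables list lowercase. The “Last Observation Date” column is deliberately not carried into the index, so an analyst should still consult the table for staleness before escalating a hit on a months-old indicator, and a hit on the mega.co.nz storage hostname should be read as a data-exfiltration lead rather than proof of a Fog intrusion on its own.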

What’s to Come in 2025?

Due to the crackdown on ransomware groups, the largest number of new groups on record has appeared, each seeking to make a name for itself. In 2025, Cyberint anticipates that several of these newer groups, not just RansomHub, will enhance their capabilities and emerge as dominant players.

Read the 2024 Ransomware Report from Cyberint, now a Check Point company, for the top targeted industries and countries, a breakdown of the top three ransomware groups, ransomware families worth noting, newcomers to the industry, arrests and news, and 2025 forecasts.

Read the 2024 Ransomware Report to Gain Detailed Insights and More.



Some parts of this article are sourced from:
thehackernews.com
