From LockBit 3.0 to DragonForce, these are the most active or sophisticated ransomware groups that CISOs want to watch out for.

The ransomware landscape has seen a lot of fragmentation over the past couple of years, with major groups shutting down after they became the target of law enforcement actions or after they attracted too much attention and had rewards offered for information on their leaders' identities. Ransomware-as-a-service (RaaS) operations rely heavily on third-party hackers, known as affiliates, to break into victim networks, steal data and deploy their file encryption programs. These affiliates earn a large percentage of the ransoms paid by victims, so there is constant competition between ransomware operations to entice affiliates with better commission deals or the promise of better operational security. It is also not uncommon for large groups to splinter into smaller ones because of internal fights between administrators, or for groups to shut down and rebrand when they attract too much heat. As a result, the ransomware ecosystem is in a constant state of change, with new groups emerging, rising to the top and then shutting down for various reasons. Here are 10 of the most active or sophisticated ransomware groups operating in 2024 that organizations should watch out for.

LockBit 3.0

LockBit first appeared on the scene in 2019 and was briefly called ABCD by security researchers (because the early variants left encrypted files with the .abcd extension), but it started really taking off during the second half of 2021 with the release of LockBit 2.0. This was followed in 2022 by LockBit 3.0, a big revamp of its affiliate program and aggressive tactics that quickly propelled it to the top of the rankings, where it dominated for much of 2022 and 2023.
LockBit's rise was also fueled along the way by the downfall of other major groups, including Ryuk, REvil, Maze and Conti, whose affiliates it managed to attract with competitive deals. In February 2024, law enforcement agencies from 10 countries, including Australia, the UK and the US, disrupted the LockBit operation by seizing its websites and servers. The information obtained from that effort, dubbed Operation Cronos, led to the identification of several LockBit affiliates, as well as of the user named LockBitSupp, who is believed to be the creator and administrator of the notorious ransomware service. The US State Department put up a $10-million reward for information leading to the arrest of LockBitSupp, whom authorities identified as Dmitry Yuryevich Khoroshev, a 31-year-old Russian national from the city of Voronezh.

The law enforcement action dealt a serious blow to the LockBit operation, not only because of the disruption caused by the seized infrastructure and decryption keys, but because it compromised collaborators' trust in its operational security. After attracting affiliates from other groups over the past several years, it was now LockBit's turn to lose them. By April, the group had already lost its no. 1 position to a ransomware operation called Play, and the number of new victims it posted on its data leak site dropped considerably. That said, according to an analysis by researchers from Palo Alto Networks of data leak postings by ransomware groups, LockBit remained number one for the first six months of 2024, with over twice as many victims as Play. According to ransomware statistics from NCC Group, LockBit is also still very active, taking second place in July after RansomHub, another group to which many LockBit affiliates migrated. Even though the number of monthly LockBit attacks is far lower than it was before the law enforcement takedown, the operation remains active and still has highly experienced and capable members.
Play ransomware

Play, also known as Playcrypt, is a ransomware operation that has been around since 2022 and, like LockBit, has benefited from the demise of larger groups like Conti and BlackCat (ALPHV), the latter of which shut down its operations in March. The group engages in double extortion, like most modern ransomware operations: it encrypts data on systems and also steals it, then extorts companies under the threat of releasing it publicly. Play's file encryptor performs intermittent encryption, meaning it only encrypts chunks of a specific size within files instead of their entire content. This makes the encryption operation much faster and harder to detect, but it has the same result of leaving files unusable. The program attaches the extension .play to the impacted files. It is worth noting that the group also has a Linux file encryption program, which is used to encrypt virtual machines in victims' VMware ESXi environments.

Play's affiliates are known to exploit known vulnerabilities in public-facing systems such as Microsoft Exchange servers or Fortinet FortiOS appliances to break into networks, as well as to use compromised RDP credentials. From there they use a variety of third-party tools to perform reconnaissance and lateral movement and to achieve persistence, including Cobalt Strike, Mimikatz, Grixba, AlphaVSS, IOBit, AdFind, BloodHound, GMER, Plink, Process Hacker and more. According to Palo Alto Networks' analysis, Play had the second-highest number of victims (155) published on its data leak site during the first six months of the year, and in July it ranked no. 5 in NCC's stats with 20 attacks. Security firm Zscaler also ranked it no. 5 in its annual ransomware report covering the period from April 2023 through April 2024, with a total of 345 victims. By comparison, LockBit claimed 988 victims over the same period.
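The intermittent encryption described above is what makes a whole-file entropy check miss partially encrypted files: the untouched chunks pull the average down. The following added example (written for this article, not code from Play or any vendor) scores a file chunk by chunk instead, so windows that look random stand out next to windows that still look like plain data. The 4 KiB chunk size, the entropy thresholds and the sample data are assumptions made for the illustration.

```python
import math
import os
from collections import Counter

CHUNK = 4096  # scoring window; assumed for this example, not Play's chunk size


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive window of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, high: float = 7.0, low: float = 5.0) -> str:
    """Return 'clean', 'encrypted' or 'partially_encrypted'.

    Random-looking windows score near 8.0; text or structured data scores
    well below 5.0. A file that has both kinds of window is the signature
    of intermittent encryption, which a single whole-file score blurs.
    """
    ents = chunk_entropies(data)
    if not ents:
        return "clean"
    high_n = sum(e >= high for e in ents)
    low_n = sum(e <= low for e in ents)
    if high_n == len(ents):
        return "encrypted"
    if high_n and low_n:
        return "partially_encrypted"
    return "clean"


def make_sample(kind: str, chunks: int = 16) -> bytes:
    """Constructed test data: 'clean', 'encrypted' or 'partial'.

    Only the on-disk layout is simulated (random bytes in place of
    selected windows); no cipher is involved.
    """
    text = (b"Quarterly report: revenue up 4%, costs flat. " * 100)[:CHUNK]
    out = bytearray()
    for i in range(chunks):
        if kind == "encrypted" or (kind == "partial" and i % 2 == 0):
            out += os.urandom(CHUNK)
        else:
            out += text
    return bytes(out)
```

Comparing `shannon_entropy(make_sample("partial"))` with `classify(make_sample("partial"))` shows the difference: the whole-file score lands in the ambiguous middle of the scale while the per-chunk verdict is unambiguous.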
8Base

The third spot in ransomware rankings during the first half of this year has been occupied by 8Base, a double-extortion ransomware group that also started operations in 2022 but saw a big spike in activity in 2023. 8Base is something of an odd case because it displayed similarities to other data extortion gangs such as RansomHouse, prompting speculation that they might be related. The group does not have its own dedicated ransomware program either, and instead deploys a customized variant of Phobos, another RaaS file encryptor. 8Base primarily uses phishing scams with malicious links for initial access and, like most ransomware groups, relies on a variety of system utilities, third-party hacking tools and malicious programs: Mimikatz, LaZagne, PasswordFox, KILLAV, SmokeLoader, SystemBC, PCHunter, GMER, Process Hacker and more. The custom Phobos file encryptor used by the group appends the .8base extension to encrypted files. 8Base has compromised organizations from many industries, including manufacturing, finance, legal services, construction and healthcare, but a large number of its victims are small businesses with fewer than 200 employees.

Akira

Akira is a group that first appeared in April 2023 and was thought to be an offshoot of the defunct Conti group because its file encryptor shared many code similarities with Conti's ransomware program. However, the source code of Conti's file encryptor was leaked, so this is not necessarily a strong link; a blockchain analysis did, however, also uncover potential links to the Conti operation. The new Akira group should not be confused with an older ransomware group of the same name that was active in 2017 and is likely unrelated, even though both groups used the .akira file extension for encrypted files. In the second half of 2023, Akira moved away from its C++ file encryptor to a Rust-based one it dubbed Megazord, which uses the .powerranges extension for encrypted files. The group also uses a Linux file encryptor for ESXi hosts.
Akira gains initial access by using stolen VPN and RDP credentials, by exploiting vulnerabilities in Cisco security appliances and through phishing. Once inside a network, its affiliates use various techniques and tools for credential scraping, lateral movement and persistence. Some of these include Kerberoasting, Mimikatz, LaZagne, SoftPerfect, Advanced IP Scanner, FileZilla, WinRAR, WinSCP, RClone, AnyDesk, MobaXterm, RustDesk, Ngrok and Cloudflare Tunnel. Based on Palo Alto Networks' analysis of data leak sites, Akira posted 119 victims on its data leak site during the first half of this year, and NCC's attack telemetry puts it in third place for July, behind RansomHub and LockBit.

Black Basta

Another suspected Conti offshoot, Black Basta is a ransomware group that first appeared in April 2022 and is believed to have targeted over 500 organizations to date, with 114 victims listed on its site this year. This is even more impressive considering that, unlike other groups, Black Basta is very selective about its targets and does not adopt spray-and-pray tactics. The group uses spear-phishing, buys access into networks from access brokers and even recruits company insiders for information. One technique used by the group was to flood targets with spam emails and then call them posing as IT support engineers, with the goal of convincing them to install remote access tools like AnyDesk or Windows Quick Assist. The group has relied on the QakBot and Pikabot botnets for initial access, but both have been the target of law enforcement operations. Other techniques have involved exploiting vulnerabilities such as CVE-2024-26169 in the Microsoft Windows Reporting Service, CVE-2024-1709 in ConnectWise, ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287) and PrintNightmare (CVE-2021-34527).
Black Basta is believed to have former Conti and REvil members among its operators and affiliates, cybercriminals with a lot of experience and sophisticated skill sets.

BlackByte

Similar to Black Basta, BlackByte is another sophisticated Conti offshoot. While this group does not stand out through a high number of publicly known victims, recent research by Cisco Talos suggests that the group is much more active than previously believed and that only 20% to 30% of its successful compromises are listed on its data leak site.

RansomHub

RansomHub is a new RaaS operation that emerged in February 2024 but quickly rose through the ranks. NCC lists it as the top ransomware group by the number of attacks observed in July. According to a CISA and FBI advisory from 29 August, the group has claimed over 210 victims so far. Using a customized variant of the older Knight (Cyclops) ransomware, RansomHub has quickly attracted new affiliates to its program by offering a very attractive 90% commission on ransom payments and the option for affiliates to negotiate with victims directly. The group is opportunistic in its attacks and has relied on the SocGholish malware for initial access. This malware program is delivered through search engine optimization (SEO) poisoning. However, some of its affiliates are known to have a lot of experience. For example, a former BlackCat affiliate who was responsible for the compromise of UnitedHealth Group subsidiary Change Healthcare switched over to RansomHub after the BlackCat operators ran away with the $22 million ransom payment and shut down the operation. RansomHub affiliates are also known to exploit known vulnerabilities for initial access, such as the Citrix ADC (NetScaler) remote code execution flaw (CVE-2023-3519), the Fortinet FortiOS buffer overflow (CVE-2023-27997), the Apache ActiveMQ remote code execution flaw (CVE-2023-46604), the Confluence Data Center and Server authentication bypass (CVE-2023-22515) and others.
Tools used by the group include Mimikatz, Remote Desktop Protocol (RDP), PsExec, AnyDesk, ConnectWise, N-Able, Cobalt Strike, Metasploit, Nmap, RClone, AngryIPScanner, WinSCP and PowerShell.

Hunters International

Hunters International is a ransomware group that first appeared in October 2023. Researchers were quick to spot many code similarities between its file encryptor and the one previously used by Hive, one of the top ransomware groups, which operated between 2021 and January 2023, when the FBI dismantled its infrastructure following a seven-month covert operation. Hunters International claimed that the similarity in code is because they acquired the old Hive source code and infrastructure and improved on it, but some security researchers still view the group as a potential rebranding of Hive. According to Zscaler's report, Hunters International had posted 97 victims through April, but the group's activity has only increased since then. NCC's telemetry for July places the group in fourth place by number of observed attacks. Hunters International's file encryptor is written in the Rust programming language, but the group has also been seen deploying a remote access trojan dubbed SharpRhino in recent attacks.

Medusa

Medusa is a RaaS operation that started in late 2022 and gained prominence in 2023. The group is distinct from MedusaLocker, another RaaS operation that has been around since 2021. Medusa affiliates exploit known vulnerabilities in public-facing systems for initial access but also acquire access from access brokers. They use living-off-the-land tactics, relying on system utilities to expand their access and move laterally through networks. Its file encryptor uses RSA encryption and adds the extension .medusa to encrypted files. According to Palo Alto Networks' analysis of data leak sites, Medusa compromised 103 organizations during the first half of 2024.
DragonForce

DragonForce is another newcomer to the ransomware space that made a name for itself in 2024 and is quickly rising through the ranks. The group is known for unusual extortion tactics, such as calling victims and then publishing the recordings online. The group uses a ransomware program based on LockBit, because the builder for LockBit 3.0 (the program used to configure and generate a customized LockBit executable) was leaked on underground forums. However, researchers do not believe there is any connection between the two groups other than the opportunistic use of the leaked builder. DragonForce attackers use phishing, as well as compromised RDP and VPN credentials, for initial access into networks.