
Ransomware Groups Making Waves in 2025


In 2024, global ransomware attacks surged to 5,414, marking an 11% increase from the previous year. The year began slowly but saw a spike in attacks during Q2 and a significant surge in Q4, with 1,827 incidents, accounting for 33% of the total attacks. This uptick in ransomware activity was partially attributed to law enforcement actions against major groups like LockBit, which led to increased competition and the emergence of smaller gangs. The number of active ransomware groups also saw a notable increase, jumping by 40%, from 68 in 2023 to 95 in 2024.

The rise of new ransomware groups was particularly prominent in 2024, with 46 new groups detected compared to just 27 in the previous year. By the end of the year, Q4 alone had 48 active groups. Among these new players, RansomHub emerged as a dominant force, surpassing LockBit in activity. Cyberint, now a Check Point Company, has been actively researching these new ransomware groups and assessing their potential impact. In this article, we will focus on three such groups – RansomHub, Fog, and Lynx – and delve into their activities, origins, and tactics.

RansomHub, a leading ransomware group in 2024, has listed 531 attacks on its data leak site since its inception in February 2024. Following the disruption of ALPHV by the FBI, RansomHub emerged as a potential successor, possibly involving former affiliates of that group. Operating as a Ransomware-as-a-Service (RaaS), RansomHub strictly enforces affiliate agreements and offers a 90/10 ransom split to its affiliates. The group avoids targeting certain nations and non-profit organizations, displaying characteristics of a traditional Russian ransomware setup. Despite a low payment rate of around 11.2%, RansomHub prioritizes attack volume to ensure profitability over time.

Fog ransomware, another notable group, appeared in April 2024, targeting U.S. educational networks through compromised VPN credentials. Employing a double-extortion strategy, Fog published data on a TOR-based leak site if victims refused to pay. In 2024, the group targeted 87 organizations globally, with a significant focus on the education sector. Fog's attacks were fast: the shortest time from initial access to encryption was just two hours. The group's tactics encompassed network enumeration, lateral movement, encryption, and data exfiltration.

Lynx, a double-extortion ransomware group, emerged as an active threat in 2024, listing numerous victimized companies on their website. They refrain from targeting government organizations, hospitals, non-profits, and other essential sectors. Lynx encrypts files with the “.LYNX” extension and places ransom notes in multiple directories. In 2024 alone, Lynx claimed over 70 victims, demonstrating their continued presence in the ransomware landscape.

Looking ahead to 2025, with increased scrutiny on ransomware groups, newer players are seeking to establish themselves in the evolving landscape. Cyberint predicts that several of these emerging groups, including RansomHub, will enhance their capabilities and emerge as significant players in the ransomware arena. The 2024 Ransomware Report from Cyberint, now a Check Point Company, offers detailed insights into the top targeted industries and countries, the top ransomware groups, notable ransomware families, industry newcomers, arrests, news, and forecasts for 2025.

Overall, as ransomware attacks continue to evolve and proliferate, it is crucial for organizations and cybersecurity experts to stay vigilant, adapt to changing threat landscapes, and collaborate to combat the growing menace of ransomware.
