Ransomware Groups in 2024
It’s critical to keep a finger on the pulse of ransomware activity. After all, it remains one of the most successfully deployed cyber attack methods, with an ever-evolving arsenal of tactics that continue challenging companies in disparate industries. So, what’s been going on in 2024? Here’s a run-through of the main ransomware groups and their activities this year.
The Overall Ransomware Threat Landscape
One report found that 59% of organizations were hit by a ransomware attack within the last year. This stat alone serves as ample proof that ransomware remains a threat for security leaders and teams to defend against (even though the overall figure represents a 7% decline from the previous year).
The roster of the most prolific ransomware gangs changes from year to year. The dynamism that characterizes this shifting cast of threat actors and ransomware gangs stems not only from their adaptive strategies but also from external pressures, such as law enforcement crackdowns and rivalries within the cybercriminal landscape. These pressures frequently lead to groups disbanding or rebranding. For example, four members of the previously prolific group REvil were sentenced to four years in prison in October 2024.
Top Ransomware Gangs 2024
The following gangs are the most active in 2024—here’s a look at them and what tactics they’re using:
Lockbit 3.0
Lockbit has persisted with surprising longevity in the ransomware world. Having first emerged in 2019, the operation has evolved to resemble an organized, almost corporate structure that’s designed to keep it operational and adaptable. It’s now a fully fledged ransomware-as-a-service (RaaS) group that enables multiple affiliates to use the group’s infrastructure and ransomware strain.
The popularity of this operation has naturally attracted attention, though. A law enforcement sting in early 2024 brought the group to its knees, but it has since recovered. An interesting development in tactics is the use of custom self-propagating malware that can disable specific system processes and delete event logs to evade discovery. The most high-profile incident from 2024 was when Lockbit claimed to have hacked the U.S. Federal Reserve, but it turned out that the actual victim was Evolve Bank & Trust based in Arkansas.
Akira
Akira first surfaced in early 2023, and it quickly gained notoriety for its streamlined attack methods and targeting of companies in a wide range of industries, including finance, real estate, and manufacturing. The group, which is now a RaaS operation, deploys a highly personalized negotiation strategy, and affiliates claim to offer “affordable” payment options to victims while making negotiations appear less adversarial to maximize the chances of payment.
Akira’s tactics have been somewhat shape-shifting. A switch in early 2024 towards pure extortion without ransomware installation has now been reversed, with a pivot back to double extortion (encryption and data theft). In terms of more specific tactics, a deep dive shows the gang and its affiliates commonly using compromised VPN credentials for initial access. One high-profile attack saw an Akira affiliate hit a Latin American airline—the threat actor exploited vulnerabilities in a Veeam backup server and managed to go from initial access to exfiltration in just 2 hours.
Play
Emerging in June 2022, Play established a name for itself with a distinctive "intermittent encryption" technique that allows it to encrypt files faster than most ransomware strains. The group targets both government institutions and private sectors.
Aside from the interesting encryption method that speeds up ransomware attacks, the group uses tactics like phishing and compromising valid user accounts for initial access. The gang also tries to exploit unpatched vulnerabilities in public-facing assets, such as next-generation firewalls and VPNs. In August 2024, the gang hit American semiconductor manufacturer Microchip Technology.
BlackCat
Also known as ALPHV, this Russian-speaking RaaS operation emerged in late 2021. The strain was the first written in the Rust programming language, which improves efficiency and makes detection more challenging. A surge of high-profile attacks led to several successful takedowns of affiliated operators that disrupted some of BlackCat’s infrastructure.
A severe attack by a BlackCat affiliate on Change Healthcare in early 2024 led to disruptions at pharmacies across the United States. The company forked over a huge $22 million ransom payment, but the drama didn’t end there. The threat actors who run this RaaS operation didn’t pay the affiliate the promised commission. Instead, the BlackCat dark web leak site went offline in what appears to be an exit scam.
Speculation now abounds that the new operation, Cicada3301, is a rebrand of BlackCat because the functionality and compilation of the code are similar. Cicada3301 gains initial access by exploiting Remote Desktop Protocol (RDP) accounts using stolen credentials or easily crackable passwords.
Fortifying Defenses
While the list of top ransomware groups changes each year as new players emerge and older ones are disrupted or rebranded, the fundamentals of defense against ransomware remain largely consistent. You can fortify defenses by:
Backing up data regularly and having an offline backup option.
Having a strict patch management routine that keeps systems updated, especially public-facing assets.
Segmenting your network to restrict the lateral movement of ransomware actors and strains across systems.
Switching on multi-factor authentication for user accounts, ideally in an adaptive way that doesn’t cause too much user friction.
Having a modern EDR solution that uses behavior-based detection, which can monitor and alert on suspicious process actions, such as attempts to disable security software or turn off system processes.
Constraining PowerShell so that it runs only approved scripts. Also, turn on module logging and transcription to capture command-line activity.
Using a cyber range to simulate ransomware attacks and test your team’s response capabilities. These simulations allow incident response teams to experience real-world tactics employed by ransomware groups, adapt defenses, and improve incident response procedures.
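As an added example of the PowerShell hardening item above (not code from the original article), the following snippet, run from an elevated PowerShell session, turns on module logging, script block logging and transcription through the same policy registry keys that Group Policy writes, and restricts execution to signed scripts; the transcript directory path is an assumption.

```powershell
# Added example (not from the original article): enable PowerShell logging and
# restrict script execution to signed (approved) scripts. Run elevated.
$policyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumed path; lock down its ACL so users cannot delete their own transcripts

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    # Create the policy key if Group Policy has never written it, then set the value.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Module logging (Event ID 4103): records pipeline execution for every module ('*').
Set-PolicyValue "$policyRoot\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$policyRoot\ModuleLogging\ModuleNames" '*' '*' 'String'

# 2. Script block logging (Event ID 4104): logs the de-obfuscated code that actually runs.
Set-PolicyValue "$policyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 3. Transcription: full session text, with invocation timestamps, written to one directory
#    that can be forwarded to the SIEM alongside the event log.
Set-PolicyValue "$policyRoot\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$policyRoot\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$policyRoot\Transcription" 'OutputDirectory' $transcriptDir 'String'
if (-not (Test-Path $transcriptDir)) { New-Item -ItemType Directory -Path $transcriptDir | Out-Null }

# 4. Only run approved (signed) scripts machine-wide.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# Verify the effective settings so the change can be confirmed and audited.
Get-ItemProperty "$policyRoot\ModuleLogging", "$policyRoot\ScriptBlockLogging", "$policyRoot\Transcription" |
    Format-List Enable*, OutputDirectory
Get-ExecutionPolicy -List
```

Execution policy is a safety feature rather than a security boundary, so for real enforcement of approved scripts pair it with AppLocker or WDAC, which also drops PowerShell into Constrained Language Mode for unapproved code.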
Cloud Range provides immersive live-fire simulated cyber attacks for your team to practice in a virtual cyber range as a service. You can use attack simulations that reflect the latest tactics ransomware gangs use. And you can even customize the environment to replicate your network setup for more realistic exercises to strengthen resilience against ransomware gangs.