

While the beginning of the year showed slow ransomware activity, incidents saw a significant increase during Q2 and Q4. In fact, Q4 alone accounted for 33% of the total attacks for the year, with a staggering 1,827 incidents. Law enforcement crackdowns on large groups like LockBit caused fragmentation within the ransomware landscape. This led to heightened competition and the emergence of smaller, more agile gangs. As a result, the number of active ransomware groups surged by 40%, from 68 in 2023 to 95 in 2024.

Emerging Ransomware Groups to Keep an Eye On
The year 2023 saw just 27 new ransomware groups. However, in 2024, this number drastically increased, with 46 new groups detected. The frequency of new groups forming escalated as the year progressed, with 48 active groups in Q4 of 2024.
Among the new groups, RansomHub stood out as a dominant force, surpassing even LockBit in terms of activity. Cyberint, a Check Point Company, continuously conducts research on emerging ransomware groups, analyzing their impact. This blog will focus on three noteworthy newcomers: RansomHub, Fog, and Lynx, and examine their influence in 2024, as well as delve into their origins and tactics.
For more details on other new groups, you can download the 2024 Ransomware Report here.

RansomHub: A New Ransomware Giant
RansomHub has risen to prominence as one of the leading ransomware groups in 2024, claiming responsibility for 531 attacks on its data leak site since it began operations in February 2024. Following the FBI’s disruption of ALPHV, RansomHub is often referred to as its “spiritual successor,” possibly consisting of former affiliates from ALPHV.
Operating as a Ransomware-as-a-Service (RaaS), RansomHub maintains strict affiliate agreements. Violations of these agreements result in penalties, including the termination of partnerships. The group operates with a 90/10 ransom split, allocating 90% of the ransom to affiliates and 10% to the core group.
Despite claiming a global hacker community, RansomHub avoids targeting countries like Russia, North Korea, China, and Cuba, as well as non-profit organizations. This behavior suggests they may be linked to traditional Russian ransomware operations. Their avoidance of Russian-aligned countries and overlap with other Russian ransomware groups in their attack targets point to possible connections with Russia’s cybercriminal ecosystem.
Cyberint’s research from August 2024 revealed a low victim payment rate of only 11.2% (20 out of 190 victims). However, RansomHub focuses on the volume of attacks rather than high payment success, using affiliate expansion to maintain profitability and generate long-term revenue.

RansomHub’s Malware, Toolset, and Techniques
RansomHub’s malware is developed using Golang and C++, targeting Windows, Linux, and ESXi systems. The ransomware is known for its fast encryption capabilities. Research suggests that RansomHub’s techniques bear similarities to those used by GhostSec, indicating a shared methodology.
One of RansomHub’s promises to affiliates is that if they fail to decrypt data after payment or if they attack prohibited organizations, RansomHub will offer free decryption. The group encrypts data before exfiltrating it. Additionally, attack patterns show that RansomHub may be using tools similar to ALPHV, further suggesting a possible link between the two groups.
Sophos research also found similarities between RansomHub and Knight Ransomware, especially in the use of Go-language payloads obfuscated with GoObfuscate, and identical command-line menus.

Fog Ransomware: Targeting U.S. Educational Institutions
Fog ransomware made its debut in early April 2024, initially targeting U.S. educational networks by exploiting stolen VPN credentials. The group uses a double-extortion strategy, threatening to publish stolen data on a TOR-based leak site if victims refuse to pay.
In 2024, Fog attacked 87 organizations globally. An Arctic Wolf report from November 2024 described at least 30 intrusions, most of them attributed to Akira and the remainder to Fog itself. This suggests a shared infrastructure and collaboration between these two groups.
Fog primarily targets sectors like education, business services, travel, and manufacturing, with a particular focus on the U.S. The group is one of the few ransomware operations that has consistently targeted educational institutions.

Fog ransomware has shown remarkable speed, with some incidents reporting the time from initial access to encryption as short as two hours. Their attack cycle follows a traditional ransomware kill chain: network enumeration, lateral movement, encryption, and data exfiltration. The malware is available for both Windows and Linux systems.

Lynx: A Notable Double-Extortion Threat
Lynx is a double-extortion ransomware group that has been increasingly active, showcasing numerous victims on its leak site. The group claims to avoid targeting government organizations, hospitals, non-profits, and other critical sectors.

After gaining access to a system, Lynx encrypts the files and adds the “.LYNX” extension to them. It then places a ransom note named “README.txt” in several directories. In 2024 alone, Lynx claimed more than 70 victims, reinforcing its growing presence and influence within the ransomware ecosystem.
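The two file-system indicators described above can be correlated into a simple triage check. The following is an added example, not code from Cyberint or the original post; the event layout, the sample events, and the `min_encrypted` and `window` values are assumptions constructed for illustration. Because README.txt is a common file name, the note only raises severity when it appears close in time to ".LYNX" files in the same directory.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".lynx"    # extension named in the text, lower-cased
NOTE_NAME = "readme.txt"   # ransom note name named in the text, lower-cased

# Constructed sample telemetry: (epoch seconds, path of created/renamed file).
# The tuple layout is an assumption; map your EDR or Sysmon events onto it.
SAMPLE_EVENTS = [
    (10,   r"C:\Tools\README.txt"),              # old, legitimate readme
    (2000, r"C:\Shares\Finance\q1.xlsx.LYNX"),
    (2001, r"C:\Shares\Finance\q2.xlsx.LYNX"),
    (2002, r"C:\Shares\Finance\budget.docx.LYNX"),
    (2003, r"C:\Shares\Finance\README.txt"),
    (2004, r"C:\Shares\HR\staff.csv.LYNX"),
    (2005, r"C:\Shares\HR\README.txt"),
    (3000, r"C:\Games\lynx_save.dat"),           # name only, wrong extension
    (9000, r"C:\Tools\export.LYNX"),
]

def flag_directories(events, min_encrypted=3, window=300):  # assumed tuning
    """Grade each directory containing .LYNX files.
    high   = burst of .LYNX files and a README.txt written close in time
    medium = only one of those two signals
    low    = isolated .LYNX file(s), no nearby note and no burst
    """
    renamed = defaultdict(list)  # directory -> timestamps of .LYNX files
    notes = {}                   # directory -> timestamp of latest README.txt
    for ts, raw in events:
        path = PureWindowsPath(raw)
        folder = str(path.parent).lower()
        if path.suffix.lower() == ENCRYPTED_EXT:
            renamed[folder].append(ts)
        elif path.name.lower() == NOTE_NAME:
            notes[folder] = ts
    findings = {}
    for folder, stamps in renamed.items():
        note_ts = notes.get(folder)
        near_note = note_ts is not None and any(
            abs(note_ts - t) <= window for t in stamps)
        burst = (len(stamps) >= min_encrypted
                 and max(stamps) - min(stamps) <= window)
        findings[folder] = ("high" if near_note and burst
                            else "medium" if near_note or burst else "low")
    return findings

if __name__ == "__main__":
    for folder, severity in sorted(flag_directories(SAMPLE_EVENTS).items()):
        print(f"{severity:6} {folder}")
```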


What to Expect in 2025
In response to law enforcement’s crackdown on ransomware groups, an unprecedented number of new groups have emerged in 2024, all vying for attention in a crowded market. As we move into 2025, Cyberint predicts that several of these newer groups will expand their capabilities and emerge as dominant forces, possibly surpassing even RansomHub in terms of influence.
For in-depth insights into targeted industries, top ransomware groups, and forecasts for 2025, download the 2024 Ransomware Report from Cyberint, now a Check Point Company.