
In 2024, the ransomware scene underwent notable changes, with new actors entering the field and seasoned groups refining their methods. This technical article explores the seven most active ransomware groups of the year, focusing on their tactics, techniques, and breaches.

1. RansomHub
RansomHub emerged as a dominant force in 2024 after its launch in February. As a ransomware-as-a-service (RaaS) platform, it quickly gained traction by attracting affiliates from established groups such as ALPHV and LockBit. It was responsible for around 586 attacks, making it the second most active variant by both disclosed and undisclosed attack counts.
Written in Golang and C++, RansomHub’s ransomware obfuscates its code through Abstract Syntax Tree (AST) manipulation. Its hybrid encryption scheme combines x25519 key exchange with AES-256, ChaCha20, or XChaCha20 for file encryption, making it effective across a broad range of targets.
RansomHub’s infection chain starts with spear-phishing or voice-phishing scams, or with compromised VPN accounts, for initial access. The group uses PsExec for remote command execution and PowerShell scripts for a range of tasks. Persistence is achieved by creating local accounts with elevated privileges.
Evasion techniques include a batch file (disableAV.bat) that terminates antivirus processes, as well as more advanced tooling such as EDR Kill Shifter, which uses the bring-your-own-vulnerable-driver (BYOVD) technique.
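As an added illustration (not from the original article or from any vendor product), the script below runs a handful of detection rules over constructed Sysmon-style process-creation events that mirror the chain just described: PsExec remote execution, a batch file killing security processes, and a new local account being added to Administrators. The host names, the sample command lines and the security-process list are assumptions.

```python
"""Detection rules for the RansomHub-style chain: PsExec, AV kill, admin persistence."""
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events: (host, parent image, image, command line).
EVENTS = [
    ("SRV01", "services.exe", "PSEXESVC.exe", "PSEXESVC.exe"),
    ("SRV01", "PSEXESVC.exe", "cmd.exe", r"cmd.exe /c C:\temp\disableAV.bat"),
    ("SRV01", "cmd.exe", "taskkill.exe", "taskkill /f /im MsMpEng.exe"),
    ("SRV01", "cmd.exe", "net.exe", "net user svc_backup Passw0rd /add"),
    ("SRV01", "cmd.exe", "net.exe", "net localgroup administrators svc_backup /add"),
    ("WS07", "explorer.exe", "net.exe", "net user"),                       # benign lookup
    ("WS07", "explorer.exe", "taskkill.exe", "taskkill /im notepad.exe"),  # benign
]

# Assumption: extend with the image names of your own AV/EDR agents.
SECURITY_PROCS = {"msmpeng.exe"}

def is_psexec(parent, image, cmd):
    return "psexesvc.exe" in (parent.lower(), image.lower())

def is_av_kill(parent, image, cmd):
    return image.lower() == "taskkill.exe" and any(p in cmd.lower() for p in SECURITY_PROCS)

def is_account_add(parent, image, cmd):
    return image.lower() == "net.exe" and re.search(r"\buser\s+\S+\s+\S+\s+/add\b", cmd, re.I) is not None

def is_admin_add(parent, image, cmd):
    pattern = r"\blocalgroup\s+administrators\s+\S+\s+/add\b"
    return image.lower() == "net.exe" and re.search(pattern, cmd, re.I) is not None

RULES = {"psexec_remote_exec": is_psexec, "av_kill": is_av_kill,
         "local_account_add": is_account_add, "local_admin_add": is_admin_add}

def evaluate(events):
    """Map each host to the set of rule names that fired on it."""
    hits = defaultdict(set)
    for host, parent, image, cmd in events:
        for name, rule in RULES.items():
            if rule(parent, image, cmd):
                hits[host].add(name)
    return dict(hits)

def severity(rule_hits):
    """Defence evasion plus privileged persistence on one host is the full chain."""
    if {"av_kill", "local_admin_add"} <= rule_hits:
        return "critical"
    return "suspicious" if rule_hits else "clean"

if __name__ == "__main__":
    for host, fired in evaluate(EVENTS).items():
        print(host, severity(fired), sorted(fired))
```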
A notable 2024 breach hit Halliburton, a major oil and gas company, on August 21, disrupting operations across the industry. Offering affiliates up to 90% of ransom payments, RansomHub’s aggressive profit-sharing model has solidified its position as a key player in the ransomware ecosystem.

An example of a RansomHub ransom note that victims see
2. LockBit 3.0
Despite facing law enforcement action early in 2024, LockBit 3.0 remained one of the most active ransomware groups. Known for its longevity and adaptability since its inception in 2019, LockBit operates as a RaaS platform.
In 2024, LockBit continued to hold the crown for the most active ransomware variant, claiming responsibility for 10.4% of all undisclosed ransomware attacks over 12 months.
Its ransomware is written in C++, optimizing performance and enabling quick encryption. Using a combination of AES for file encryption and RSA for key encryption, LockBit 3.0 employs intermittent file encryption to evade detection while maintaining speed.
Evasion techniques include API hashing and string encryption; the ransomware can also self-propagate through SMB shares and exploit vulnerabilities in unpatched systems. LockBit’s commitment to innovation is shown by its unusual bug bounty program, which rewards researchers who identify vulnerabilities in its ransomware.
In January 2024, LockBit claimed to have breached Subway’s database, allegedly exposing hundreds of gigabytes of data, including financial information such as royalty payments and employee salaries. While Subway investigated the claim, the authenticity of this ransomware attack was not publicly confirmed.

An example of a LockBit 3.0 ransom note that victims see
3. Play (PlayCrypt)
Play ransomware, also known as PlayCrypt, rose to prominence in 2024 with its aggressive tactics and focus on exploiting supply chain vulnerabilities.
Play ransomware, written in C++, uses a hybrid RSA/AES encryption scheme to encrypt files. The group’s infection chain often starts by exploiting vulnerabilities in widely used software, including VMware’s ESXi.
Play’s approach involves obtaining initial access through network vulnerabilities or stolen credentials, followed by lateral movement using tools like Cobalt Strike. The ransomware employs double-extortion tactics by exfiltrating data before encryption.
In August 2024, Play ransomware targeted Microchip Technology, a major American semiconductor manufacturer. The cybercrime group added Microchip Technology to its data leak site, claiming responsibility for the attack that had disrupted certain servers and business operations.

An example of the Play ransom note that victims receive
4. Akira
Akira, strongly linked to the former Conti ransomware group, emerged as a major threat in 2024. Developed in C++ with assembly optimizations for speed, Akira employs a hybrid encryption scheme using AES for file encryption and RSA for key exchange.
The attack chain sometimes starts with exploiting VPN vulnerabilities, particularly targeting SonicWall VPNs through CVE-2024-40766.
Akira leverages stolen credentials for lateral movement and bypasses multi-factor authentication (MFA) on local accounts. Persistence is achieved through backdoors, enabling long-term access.
By January 2024, Akira ransomware had impacted over 250 organizations in total, showcasing its ability to scale operations effectively and exploit newly discovered vulnerabilities.

Akira’s unique retro green-on-black command-line leak site
5. Black Basta
Black Basta, believed to be a descendant of the Conti group, established itself as a major player in 2024, targeting high-value industries across various sectors.
Written in C++, its ransomware uses a custom XChaCha20 stream cipher for file encryption and employs intermittent encryption to balance speed against detection evasion. API obfuscation and anti-debugging measures further hinder analysis.
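Both LockBit 3.0 and Black Basta rely on intermittent encryption, which keeps a file's overall entropy low enough to slip past whole-file entropy checks. As an added example that is not part of the original article, the script below profiles entropy per 4 KB chunk instead, so the alternating pattern stands out even when the whole-file figure looks unremarkable. The sample document and the "encrypt every other chunk" simulation (random bytes standing in for ciphertext) are constructed.

```python
"""Chunk-wise entropy profiling to catch intermittently encrypted files."""
import math
import random

CHUNK = 4096          # profiling granularity in bytes
ENC_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0, text near 4-5

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def chunk_profile(blob: bytes, chunk: int = CHUNK) -> list:
    """One flag per chunk: True where the chunk looks like ciphertext."""
    return [shannon_entropy(blob[i:i + chunk]) >= ENC_THRESHOLD
            for i in range(0, len(blob), chunk)]

def classify(blob: bytes) -> str:
    """Judge per chunk, so a partially encrypted file is not mistaken for plain."""
    profile = chunk_profile(blob)
    hot = sum(profile)
    if hot == 0:
        return "plain"
    if hot == len(profile):
        return "fully_encrypted"
    return "intermittent"

# Constructed sample: eight 4 KB chunks of repetitive report text.
PLAIN = (b"Quarterly report: revenue, costs and headcount by region.\n" * 80)[:CHUNK] * 8

def simulate_intermittent(blob: bytes, every: int = 2, seed: int = 7) -> bytes:
    """Overwrite every N-th chunk with random bytes (a stand-in for ciphertext) to mimic the skip pattern."""
    rng = random.Random(seed)
    out = bytearray(blob)
    for idx, i in enumerate(range(0, len(blob), CHUNK)):
        if idx % every == 0:
            out[i:i + CHUNK] = rng.randbytes(len(out[i:i + CHUNK]))
    return bytes(out)

INTERMITTENT = simulate_intermittent(PLAIN)
if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("intermittent", INTERMITTENT)):
        pattern = "".join("E" if hot else "." for hot in chunk_profile(blob))
        print(f"{name:12s} whole-file={shannon_entropy(blob):.2f} chunks={pattern} -> {classify(blob)}")
```

A whole-file check against the same threshold reports the intermittent sample as plain; the per-chunk profile does not.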
The group’s operations often begin with phishing campaigns or exploitation of known vulnerabilities, followed by lateral movement using tools like Cobalt Strike. Black Basta is selective in its data exfiltration, categorizing and prioritizing sensitive information.
A notable attack in August 2024 targeted Keytronic, an electronics manufacturing firm, causing $17 million in losses and disrupting operations in the U.S. and Mexico. Black Basta’s collaboration with the FIN7 threat group shows the complexity of its operations.

The ransom note that gets deployed, which belongs to Black Basta
6. Medusa
Medusa ransomware gained notoriety in 2024 for its high-volume attacks and substantial ransom demands. Operating under a RaaS model, Medusa combines AES for file encryption with RSA for key exchange and uses advanced obfuscation techniques to evade static analysis.
Medusa’s infection chain begins with phishing campaigns or exploiting unpatched vulnerabilities, followed by lateral movement using living-off-the-land (LotL) techniques. The group prioritizes data categorization and exfiltration before encryption.
In September 2024, the Medusa ransomware group attacked Summit Pathology Laboratory in Colorado, compromising the sensitive information of over 1.8 million patients. The incident is considered one of the largest data breaches in the history of U.S. pathology labs.

The instructions that Medusa victims receive
7. Hunters International
Hunters International, commonly referred to as Hunters, emerged as a formidable ransomware group in late 2023, focusing on data theft rather than encryption. Its ransomware, written primarily in Rust, uses a hybrid AES/RSA encryption scheme.
It embeds encryption keys within the encrypted files, making decryption particularly challenging for security professionals. Streamlined operations, with a reduced set of command-line options and optimized key management, improve the ransomware’s overall efficiency.
The group’s operations typically start with exploiting software vulnerabilities or using stolen credentials for initial access. Hunters International emphasizes data discovery and exfiltration, often focusing on high-value information.
In December 2024, the group targeted Telecom Namibia, compromising sensitive customer data, including information about government officials. The breach affected nearly 500,000 personal and financial records, showing Hunters International’s ability to hit critical infrastructure.

The instructions that Hunters International victims receive
Take Your Next Steps with BlackFog
Protect your network with BlackFog’s cutting-edge ADX technology and protect your data with confidence. Our innovative anti data exfiltration solution provides automated 24/7 defense against ransomware, preventing data breaches before they occur.
Act now – deploy BlackFog to ensure your organization’s sensitive information stays protected. Sign up for a ransomware assessment today.
Discover more about how BlackFog protects enterprises from ransomware threats.