
In 2024, global ransomware attacks reached 5,414, an 11% increase from 2023.

After the start of the year, attacks spiked in the second quarter and surged in the fourth quarter, with 1,827 incidents (33% of the year’s total). Law enforcement actions against major groups like LockBit have caused fragmentation, leading to more competition and a rise in smaller gangs. The number of active ransomware groups increased by 40%, from 68 in 2023 to 95 in 2024.

New ransomware groups to watch
In 2023 there were only 27 new groups. In 2024, there was a dramatic rise, with 46 new groups detected. The number of groups accelerated over the course of the year, with 48 groups active in Q4 2024.
Of the 46 new ransomware groups in 2024, RansomHub has become dominant and surpassed LockBit’s activity. At Cyberint, a Check Point company, the research team constantly investigates the latest ransomware groups and analyzes their potential impact. In this blog, we look at three of the new players, RansomHub, Fog and Lynx, to examine their impact in 2024 and explore their origins and TTPs.
To learn more about other new players, download the 2024 Ransomware Report.

RansomHub
RansomHub emerged as a ransomware group in 2024 and has claimed 531 attacks on its data leak site since it began operations in February 2024. Following the FBI’s disruption of ALPHV, RansomHub is regarded as its “spiritual successor”, potentially involving former affiliates.
Operating as Ransomware-as-a-Service (RaaS), RansomHub enforces strict affiliate agreements; non-compliance results in a ban and the end of the partnership. It offers a 90/10 ransom split between affiliates and the core group.
While it presents itself as a global hacker community, RansomHub avoids targeting CIS countries, Cuba, North Korea, China and nonprofits, showing the characteristics of a traditional Russian ransomware setup. It avoids Russian-affiliated countries, and its targeted companies overlap with those of other Russian ransomware groups.
Cyberint’s August 2024 findings show a low payment rate. Only 11.2% of victims paid (20 out of 190), and negotiations often reduce the ransom demand. RansomHub prioritizes attack volume over payment rates, relying on its expanding affiliate base to stay profitable, and aims to generate substantial revenue despite the low success rate of individual payments.

Malware, Toolsets & TTPs
RansomHub’s ransomware, developed in Golang and C++, targets Windows, Linux, and ESXi and is distinguished by its fast encryption. Similarities with GhostSec’s ransomware suggest a trend.
RansomHub guarantees free decryption if an affiliate fails to provide it after payment or targets a prohibited organization. Its ransomware encrypts data before exfiltration. A potential link to ALPHV is suggested by the attack patterns, which indicate that similar tools and TTPs may be in use.
Sophos research highlights similarities with Knight ransomware, including Go-language payloads obfuscated with GoObfuscate and the same command-line menu.

Fog ransomware
Fog ransomware emerged in early April 2024, targeting US educational networks by leveraging stolen VPN credentials. The group uses a double-extortion strategy, publishing data on a TOR-based leak site if the victim does not pay.
In 2024, they attacked 87 organizations around the world. An Arctic Wolf report from November 2024 showed that Fog had initiated at least 30 intrusions. Notably, 75% of these intrusions were linked to Akira, with the rest attributed to Fog, suggesting shared infrastructure and collaboration.
Fog primarily targets education, business services, travel and manufacturing. Interestingly, Fog is one of the few ransomware groups that prioritize the education sector as their primary target.

Fog ransomware has demonstrated remarkable speed, with the shortest time from initial access to encryption being just 2 hours. The attacks follow a typical ransomware kill chain, covering network enumeration, lateral movement, encryption, and data exfiltration. Versions of the ransomware exist for both Windows and Linux.

Lynx
Lynx is a double-extortion ransomware group that has been very active recently and displays many victimized companies on its website. The group says it tries not to target government organizations, hospitals, nonprofits and other essential sectors of society.


Once it gains access to a system, Lynx encrypts files and appends the “.lynx” extension. It then places a ransom note named “readme.txt” in multiple directories. In 2024 alone, Lynx claimed more than 70 victims, indicating its continued activity and significant presence in the ransomware landscape.
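
As an added example (not code from Cyberint or the original post), the following triage looks for the two Lynx artifacts named above, the “.lynx” extension and the “readme.txt” note, appearing together across several directories. The event format, host names, 30-minute window and two-directory threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath  # parses both "\" and "/" separators

ENCRYPTED_EXT = ".lynx"   # extension named in the article
NOTE_NAME = "readme.txt"  # ransom note name named in the article

def find_lynx_activity(events, min_dirs=2, window=timedelta(minutes=30)):
    """Return {host: [directories]} for hosts where at least `min_dirs`
    directories each received a .lynx file and a readme.txt within `window`.
    Thresholds are illustrative assumptions, not values from the article."""
    seen = defaultdict(lambda: {"enc": [], "note": []})
    for ts, host, path in events:
        p = PureWindowsPath(path)
        name = p.name.lower()
        when = datetime.fromisoformat(ts)
        key = (host, p.parent.as_posix())
        if name.endswith(ENCRYPTED_EXT):
            seen[key]["enc"].append(when)
        elif name == NOTE_NAME:
            seen[key]["note"].append(when)
    hits = defaultdict(set)
    for (host, directory), t in seen.items():
        # readme.txt alone is a common benign file name, so only count a
        # directory when an encrypted file appeared there close in time.
        if any(abs(e - n) <= window for e in t["enc"] for n in t["note"]):
            hits[host].add(directory)
    return {h: sorted(d) for h, d in hits.items() if len(d) >= min_dirs}

# Constructed sample events: (ISO timestamp, host, path of created file)
SAMPLE_EVENTS = [
    ("2025-01-15T02:14:05", "fs01", r"D:\Finance\q3.xlsx.lynx"),
    ("2025-01-15T02:14:06", "fs01", r"D:\Finance\README.txt"),
    ("2025-01-15T02:14:09", "fs01", r"D:\HR\roster.docx.lynx"),
    ("2025-01-15T02:14:09", "fs01", r"D:\HR\readme.txt"),
    ("2025-01-15T02:15:40", "nas02", "/srv/share/plan.pdf.lynx"),
    ("2025-01-15T02:15:41", "nas02", "/srv/share/readme.txt"),
    ("2025-01-15T09:00:00", "dev07", "/home/amy/project/readme.txt"),  # benign
    ("2025-01-15T09:00:03", "dev07", "/home/amy/tools/readme.txt"),    # benign
]

if __name__ == "__main__":
    for host, dirs in find_lynx_activity(SAMPLE_EVENTS).items():
        print(f"{host}: encrypted files and ransom notes in {dirs}")
```

Requiring the note and an encrypted file in the same directory keeps ordinary readme.txt files from raising alerts; lowering `min_dirs` to 1 also surfaces hosts caught early in the encryption run.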

What will come in 2025?
With the crackdowns on ransomware groups, a record number of new groups have emerged, looking to make a name for themselves. In 2025, Cyberint expects some of these new groups to increase their capabilities and emerge as dominant players alongside RansomHub.
Read the 2024 Ransomware Report from Cyberint, now a Check Point company, for a breakdown of the top three ransomware groups, the top industries and countries, notable ransomware families, industry newcomers, arrests and news, and forecasts for 2025.