January 30, 2025
One of the biggest threats facing organizations from a cyber security perspective is ransomware. In 2024, the ransomware landscape experienced significant shifts, marked by the emergence of new threat actors, high-profile attacks, and evolving tactics. What remained consistent was the upward trend in the number of organizations falling victim to this kind of attack.
In this blog we review the most active ransomware groups and the most significant ransomware attacks of 2024.
Most Active Ransomware Groups of 2024
RansomHub
The group RansomHub first appeared in February 2024, with an announcement on the Russian forum RAMP. A user named “koley” made the announcement and invited others to join their affiliate program.

Figure 1: Source: DarkOwl Vision
RansomHub quickly became one of the most active ransomware groups, claiming 593 victims by the end of the year. The group operates a ransomware-as-a-service (RaaS) model, targeting multiple platforms, including Windows, Linux, and ESXi.
RansomHub’s affiliate program has been prolific, overtaking established groups such as LockBit in number of victims. Notably, RansomHub was responsible for a significant breach of the U.S. healthcare payment system in 2024.
LockBit
Despite facing significant disruptions due to Operation Cronos in February 2024, LockBit affiliates managed to execute a substantial number of attacks, maintaining their presence in the ransomware ecosystem. Although access to their site has been spotty, the group has indicated it will launch LockBit 4.0 and has asked people to join its affiliate program.

Figure 2: Lockbit Leak site
Play
Active since June 2022, Play intensified its operations in 2024, with 362 claimed victims during the year. The group is known for exploiting vulnerabilities in widely used software, such as Fortinet, Citrix, and VMware’s ESXi, to gain initial access to target systems. This group continued its aggressive operations, doubling its victim count year-over-year and securing its position as one of the top three most active ransomware groups. However, unlike many other groups, it does not offer ransomware as a service.

Figure 3: Play Leak site
Akira
Debuting in March 2023, Akira is considered a successor to the Conti ransomware group. In 2024, Akira claimed 291 victims, continuing its aggressive targeting of various organizations. They follow the Ransomware-as-a-Service business model and practice the double-extortion technique. The adversary seems to target almost exclusively companies originating from and operating in the United States. They have also issued a directive to hit US healthcare organizations.

Figure 4: Akira Leak site
Significant Victims of 2024
Change Healthcare Ransomware Attack (February 2024)
Change Healthcare, a subsidiary of UnitedHealth Group and a major processor of U.S. medical claims, suffered a ransomware attack by the BlackCat (ALPHV) group. The breach affected the personal information of over 190 million individuals, including health insurance details, medical records, and personal identifiers. The company paid a $22 million ransom to recover the data. This attack, although not related, preceded the assassination of the company’s CEO. After the initial attack, and an exit scam by BlackCat, the company suffered a second extortion from the RansomHub group.
CDK Global Ransomware Attack (June 2024)
CDK Global, a key software provider for automotive dealerships, experienced a ransomware attack that disrupted operations across thousands of car dealerships in the U.S. and Canada. The company paid a $25 million ransom to the Eastern European and Russian hacker group BlackSuit to restore services.
Blue Yonder (October 2024)
A ransomware attack on Blue Yonder, a major software provider, disrupted operations for several companies, including Starbucks and UK grocery store Sainsbury’s. The attack affected Starbucks’ ability to manage barista schedules and track hours, necessitating manual workarounds. At the end of the year the re-emerging group CL0P also claimed to have hacked the company.
Albyn Housing Society Data Breach (August 2024)
Albyn Housing Society, one of Scotland’s largest housing charities, was hacked by the ransomware gang RansomHub. Personal data of staff and tenants, including payroll and expenses claims, were leaked on the dark web. The attack highlighted the vulnerability of charitable organizations to cyber threats.
Medisecure (May 2024)
An Australian electronic prescription service provider suffered a ransomware attack leading to the theft of personal and health information of approximately 12.9 million individuals. This is the largest breach of data in Australia’s history.
Ransomware Trends in 2024
December 2024 witnessed 574 ransomware attacks, the highest monthly total since monitoring began in 2021, indicating an alarming surge in activity. The year-end high in victims foreshadows the trend we expect to see in 2025, with the number of victims unlikely to decrease despite efforts from law enforcement to shut down these groups and arrest their members.
This is due in part to the fact that groups often re-emerge after law enforcement action, but also to the fact that new groups are emerging all the time. The number of active ransomware groups increased by 30% year-over-year, with 31 new groups entering the ecosystem.
In 2024 ransomware actors adopted more sophisticated methods, including the use of artificial intelligence to enhance the precision of attacks, and the emergence of hybrid ransomware combining traditional encryption with data manipulation or destructive malware.
These developments underscore the escalating complexity and frequency of ransomware threats, necessitating robust cybersecurity measures, dark web monitoring and vigilance as we move into 2025.
The post Ransomware Round Up 2024 appeared first on DarkOwl, LLC.