Runners and riders on the rise: Smaller, more agile ransomware groups like Lynx (an INC rebrand), RansomHub (a LockBit sub-group), and Akira filled the void after major takedowns, collectively accounting for 54% of observed attacks, according to a study by managed detection and response firm Huntress. RansomHub RaaS has quickly risen in prominence by absorbing displaced operators from LockBit and BlackCat.

The rise of double extortion tactics, with data exfiltration now a common occurrence in ransomware incidents, is creating additional pressure on victims to pay even when backups are available.

Ransomware cases handled by cybersecurity services firm NCC Group more than doubled last year. The infamous threat group LockBit was the top threat of 2024, accounting for 10% (526) of all attacks despite a slowdown following a takedown operation early last year. RansomHub became the dominant threat actor in the second half of 2024, racking up 501 attacks during last year as a whole, according to NCC’s latest annual report.

These trends continued into the new year, with NCC’s ransomware cases in January up by 3% from December, at 590 attacks. Akira was the most active ransomware group in January, responsible for 74 attacks. Almost three quarters of the total ransomware cases handled by NCC targeted North America and Europe.

“There are a range of factors contributing to this high volume of attacks, including a turbulent global geopolitical landscape, the introduction of new threat groups and changes in their methods of attack,” said Matt Hull, head of threat intelligence at NCC Group. “The rise of new ransomware groups, like Funksec, and cybercriminal tools, such as infostealer malware, is also making it much easier for cyber attackers to conduct attacks that are causing mass disruption.”
Ransomware whack-a-mole: David Sancho, senior antivirus researcher at cybersecurity software vendor Trend Micro, told CSO that although the ransomware landscape is dynamic, a small subset of threat actors tends to make the most impact.

“At any given moment, there’s typically four to five main groups and a long tail of lesser-known groups with much smaller footprints,” Sancho explained. “When some of these groups become too big, they tend to become the target of law enforcement action and they either fall soon after, they rebrand, disband entirely, or somehow reform into different entities.”

LockBit (despite a law enforcement-led takedown operation in February 2024), Clop, and BlackCat/ALPHV are currently among the most active ransomware groups.

“Law enforcement takedowns have disrupted major groups like LockBit, but newly formed groups quickly emerge, akin to a good old-fashioned game of whack-a-mole,” said Jake Moore, global cybersecurity advisor at ESET. “Double and triple extortion, including data leaks and DDoS threats, are now extremely common, and ransomware-as-a-service models make attacks even easier to launch, even by inexperienced criminals.”

Moore added: “Law enforcement agencies have struggled over the years to take control of this growing situation as it is costly and resource heavy to even attempt to take down a major criminal network.”

When bad actors are taken down and their servers seized, they often reappear as new gangs.

“RansomHub has emerged as a dominant player in this space by recruiting former operators from LockBit and ALPHV, both of which were impacted by law enforcement efforts,” said Jim McGann, VP of strategic partnerships at AI-powered analytics firm Index Engines.
Countermeasures: Meanwhile, enterprises are taking proactive measures to defend against ransomware attacks. These include implementing zero trust architectures, enhancing endpoint detection and response (EDR) solutions, and conducting regular exercises to improve incident response readiness.

Anna Chung, principal researcher at Palo Alto Networks’ Unit 42, told CSO that advanced tools such as next-gen firewalls, immutable backups, and cloud redundancies, combined with keeping systems regularly patched, can help defend against cyberattacks. Greater use of gen AI technologies by attackers is likely to bring further challenges, Chung warned.

“In 2025, adversaries will look to leverage gen AI capabilities like threat actor-trained LLMs to enhance RaaS for conducting more advanced attacks,” Chung said. “There’s even the possibility of chatbots being utilized by threat actors to more quickly and easily negotiate ransom demands.”

Chung concluded: “To stay a step ahead, it is necessary that businesses integrate AI for threat detection and automated responses to preempt attacks.”

See also:
The dirty dozen: 12 worst ransomware groups active today
5 things to know about ransomware threats in 2025
Ransomware recovery: 8 steps to successfully restore from backup
Ransomware gangs extort victims 17 hours after intrusion on average
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3842496/the-state-of-ransomware-fragmented-but-still-potent-despite-takedowns.html