In 2024, ransomware continues to dominate the cyber threat landscape, with a record number of active groups engaging in increasingly sophisticated and financially devastating attacks. According to Cyberint, 58 active ransomware groups attacked global businesses in Q2 2024, a number slightly reduced to 57 in Q3. This unprecedented level of activity is driven by the rise of Ransomware-as-a-Service (RaaS) models, the integration of double and triple extortion methods, and the diversification of attack vectors, including cloud infrastructure and operational technology (OT) systems.
This comprehensive analysis covers every major ransomware family active in 2024, their tactics, techniques, and procedures (TTPs), and the evolving ransomware threat landscape. The report also includes a forward-looking forecast based on current trends in ransomware and cyber threat intelligence (CTI), highlighting the most dangerous ransomware groups and the sectors most at risk.
Current State of Ransomware in 2024
1. Record-Breaking Activity
- 58 Active Ransomware Groups: The highest number of ransomware groups ever recorded, showing a diversification of cybercriminal activity.
- Attack Volume Increases: Ransomware incidents have increased 2.75 times year-over-year, according to a Microsoft report. However, thanks to advances in defensive technologies such as Endpoint Detection and Response (EDR), only 30% of these attacks reach the encryption stage, a three-fold decrease in successful encryptions compared to prior years.
- Top 10 Groups Dominance: The top 10 ransomware groups were responsible for only 58.3% of attacks in Q3, in sharp contrast to prior years, indicating that smaller, emerging groups now contribute significantly to the surge in ransomware incidents.
Major Ransomware Groups in 2024
1. LockBit (LockBit 4.0 / LockBit Black)
- Activity Level: Extremely Active
- Description: LockBit remains one of the most dominant Ransomware-as-a-Service (RaaS) operations globally, having evolved to LockBit 4.0 in 2024. This latest version enhances the group’s capabilities to support both Windows and Linux environments. LockBit 4.0 introduces improved stealth mechanisms and customizable features for affiliates, allowing them to adapt the ransomware for specific targets. The group's sophisticated operational model emphasizes speed, efficiency, and adaptability, enabling it to quickly exploit vulnerabilities in a variety of systems.
- Key TTPs:
- Notable Targets: LockBit has targeted a wide range of sectors, including critical infrastructure, healthcare, financial services, and manufacturing. Its attacks have affected numerous multinational corporations across North America and Europe, illustrating its capability to strike at high-value targets.
- Recent Activity: In Q3 2024, LockBit was responsible for high-profile attacks on several U.S. auto dealerships, exploiting vulnerabilities in their supply chains. These attacks resulted in significant operational disruptions, affecting sales and customer trust.
- Forecast: LockBit is expected to maintain its dominance in 2024, leveraging its extensive affiliate network and continual development of new ransomware variants to evade detection. With ongoing enhancements in encryption technology and tactics, the group is likely to increase its targeting of critical infrastructure and cloud environments, focusing on industries where operational disruptions can lead to significant ransom payments.
2. ALPHV / BlackCat / Noberus (Rust-based Ransomware)
- Activity Level: Highly Active
- Description: ALPHV, also known as BlackCat, is recognized as one of the most advanced ransomware families due to its use of the Rust programming language, which enhances its performance and evasion capabilities. ALPHV’s flexibility allows it to target both traditional enterprise networks and modern cloud environments effectively. The group is characterized by its adaptability and its sophisticated operational techniques that set it apart from many other ransomware families.
- Key TTPs:
- Notable Targets: ALPHV has targeted a variety of sectors, including energy companies, healthcare providers, and manufacturing industries, particularly in Europe and the United States. Its attacks often focus on organizations with critical infrastructure components, leveraging high-stakes situations to secure ransom payments.
- Recent Activity: In late 2023 and early 2024, ALPHV successfully compromised several critical infrastructure entities, leading to operational disruptions and substantial ransom demands. Notably, the group was linked to high-profile breaches involving energy companies and major cloud service providers.
- Forecast: ALPHV is expected to expand its reach further in 2024, particularly in sectors with vulnerable cloud infrastructures. As organizations increasingly migrate to the cloud, the potential for exploitation by sophisticated groups like ALPHV will likely grow, posing significant threats to data integrity and availability.
3. Royal Ransomware (Monti Ransomware)
- Activity Level: Active
- Description: Royal ransomware, a direct offshoot of the infamous Conti group, continues to be a formidable player in the ransomware landscape. The group has developed a reputation for its aggressive tactics and its ability to exploit vulnerabilities in legacy systems, making it a persistent threat to critical infrastructure.
- Key TTPs:
- Notable Targets: Royal has predominantly focused on healthcare providers, educational institutions, and government agencies in North America and Europe. Its attacks often lead to significant operational disruptions and data breaches.
- Recent Activity: In Q1 2024, Royal ransomware targeted several large healthcare organizations in North America, resulting in substantial operational delays and ransom demands that exceeded $10 million. These attacks not only disrupted services but also compromised sensitive patient information.
- Forecast: Royal ransomware is anticipated to continue its aggressive targeting of the healthcare and education sectors due to their reliance on legacy systems and lower cybersecurity maturity. As the group evolves, it may incorporate more sophisticated techniques to exploit cloud services and target critical infrastructure.
4. Cuba Ransomware
- Activity Level: Highly Active
- Description: Cuba ransomware is a persistent and adaptable threat actor that has gained notoriety for its alliances with other malware, such as Hancitor, to broaden its attack vectors. Known for targeting critical infrastructure, Cuba has successfully executed several high-impact attacks, emphasizing its ability to infiltrate complex networks.
- Key TTPs:
- Notable Targets: The group has primarily targeted financial institutions, healthcare systems, and critical infrastructure organizations across North America and Europe, with a particular focus on sectors where operational disruptions can have severe consequences.
- Recent Activity: In Q2 2024, Cuba ransomware orchestrated a large-scale attack on a North American power grid operator, causing widespread service disruptions and ransom demands running into the millions of dollars. This attack highlighted the vulnerabilities within critical infrastructure and raised alarms about the potential consequences of such breaches.
- Forecast: Cuba ransomware is expected to continue focusing on critical infrastructure, particularly power grids, transportation systems, and financial services, where the potential for operational disruption can lead to quick and significant ransom payments. As organizations become more reliant on digital infrastructures, Cuba's tactics will likely become increasingly aggressive.
5. Vice Society
- Activity Level: Growing
- Description: Vice Society is notorious for its targeted attacks on educational institutions and healthcare providers. The group has established itself as a significant threat by focusing on organizations with outdated cybersecurity infrastructures, where the likelihood of quick ransom payments is higher due to budget constraints and the critical nature of the services provided.
- Key TTPs:
- Notable Targets: K-12 schools, universities, and hospitals across the U.S. and U.K. have been primary targets. The group’s modus operandi is a deliberate strategy of exploiting institutional weaknesses, such as outdated infrastructure and limited security budgets.
- Recent Activity: In early 2024, Vice Society launched a series of ransomware attacks on multiple U.S. school districts, resulting in significant disruptions to online learning platforms and school operations. These attacks not only led to data breaches but also caused widespread panic among parents and students.
- Forecast: Vice Society is likely to continue targeting the education sector, where cybersecurity measures are often underfunded. As ransomware becomes more sophisticated, the group is expected to expand its affiliate network and increase the scale of its attacks, potentially affecting larger institutions that have historically been more resilient.
6. Black Basta Ransomware
- Activity Level: Highly Active
- Description: Black Basta has rapidly emerged as one of the top ransomware groups worldwide, leveraging banking trojans such as QBot and IcedID for initial access. The group employs double-extortion techniques to maximize the pressure on victims, compelling them to pay substantial ransoms under threat of data leaks.
- Key TTPs:
- Notable Targets: Black Basta has targeted corporate networks across manufacturing, finance, and healthcare sectors, often selecting high-profile organizations that are likely to pay ransoms due to the potential fallout from operational disruptions.
- Recent Activity: In mid-2024, Black Basta orchestrated a significant attack on a major European car manufacturer, crippling production for weeks. This high-impact breach demonstrated the group’s capability to inflict severe damage on critical business operations.
- Forecast: Black Basta’s aggressive affiliate model and the continued use of advanced malware loaders are expected to result in a surge of attacks on high-profile organizations in 2024, particularly in the manufacturing and healthcare sectors. The group's tactics are likely to evolve, focusing on larger corporations with greater ransom-paying potential.
7. BianLian Ransomware
- Activity Level: Active
- Description: BianLian ransomware, known for swift infiltration and efficient encryption methods, has rapidly expanded its operations in 2024. The group primarily targets the healthcare and financial sectors, where operational downtime can have severe consequences. BianLian’s capability to quickly exfiltrate data enhances its leverage in ransom negotiations.
- Key TTPs:
- Notable Targets: The group has focused on healthcare providers, small and medium-sized businesses (SMBs), and financial institutions across North America and Europe. BianLian’s attacks often result in severe operational disruptions and financial losses.
- Recent Activity: BianLian claimed responsibility for the cyberattack on Boston Children’s Health Physicians in early 2024, threatening to leak sensitive pediatric patient data unless a ransom was paid. This incident raised alarms about the group’s focus on highly sensitive data and its willingness to exploit vulnerable healthcare organizations.
- Forecast: BianLian is expected to expand its operations further, particularly within the healthcare sector, where the sensitivity of data increases the likelihood of ransom payments. The group's fast encryption capabilities and focus on data exfiltration make it one of the most disruptive ransomware threats in 2024.
8. Royal Ransomware (Monti Ransomware)
- Activity Level: Active
- Description: Royal ransomware, previously known as Monti, has continued to evolve since its split from the Conti group. It is recognized for its aggressive tactics and sophisticated methodologies, particularly in targeting sectors such as healthcare, government, and education.
- Key TTPs:
- Notable Targets: The group has focused primarily on healthcare providers, educational institutions, and public sector organizations in North America and Europe, where data sensitivity and operational continuity are critical.
- Recent Activity: In early 2024, Royal ransomware targeted several large healthcare organizations in North America, leading to significant operational disruptions and substantial ransom demands, some exceeding $10 million. These attacks underscored the group’s ability to exploit the vulnerabilities of critical infrastructure.
- Forecast: Royal ransomware is expected to maintain its focus on healthcare and education sectors due to their reliance on legacy systems and weaker cybersecurity postures. As the group evolves, it is likely to incorporate more sophisticated cloud-targeting techniques, increasing its effectiveness against organizations moving toward cloud-based infrastructures.
Emerging Ransomware Threats in 2024
9. Rhysida Ransomware
- Activity Level: Emerging
- Description: Rhysida ransomware is a relatively new threat actor that has garnered attention for its aggressive double-extortion tactics and a distinct focus on critical industries. The group quickly encrypts data while simultaneously exfiltrating sensitive information, leveraging this data to demand ransoms for both decryption and the assurance of non-disclosure. Rhysida's operational model is characterized by a high-speed attack vector that minimizes the time available for defensive responses, making it a formidable threat in the current cybersecurity landscape.
- Key TTPs:
- Notable Targets: Rhysida has predominantly targeted healthcare organizations, government institutions, and critical infrastructure across North America and Europe. These sectors are particularly vulnerable due to their reliance on timely access to data and services.
- Recent Activity: In Q1 2024, Rhysida successfully attacked several healthcare organizations in Europe, exfiltrating sensitive patient data and demanding millions in ransom. Reports indicate that these attacks led to substantial operational disruptions, including canceled medical procedures and compromised patient confidentiality.
- Forecast: Rhysida is likely to expand its operations throughout 2024, particularly targeting high-value industries such as healthcare and critical infrastructure, where data exfiltration can have particularly damaging effects. The group’s aggressive approach and fast encryption capabilities make it a significant emerging threat, with the potential to increase its influence and impact in the ransomware ecosystem.
10. 8Base Ransomware
- Activity Level: Active and Growing
- Description: 8Base ransomware is an emerging group that gained momentum in 2023 and continues to expand rapidly. The group primarily targets small and medium-sized businesses (SMBs) using double-extortion tactics, which involve encrypting data and demanding ransom payments for decryption and non-disclosure of stolen information. 8Base leverages vulnerabilities in SMB cybersecurity practices, exploiting their limited resources and outdated defenses.
- Key TTPs:
- Notable Targets: The group has concentrated its efforts on SMBs across the U.S. and Europe, particularly in the healthcare and finance sectors, where disruptions can lead to severe operational consequences.
- Recent Activity: In early 2024, 8Base was responsible for several attacks on U.S. healthcare organizations, demanding ransoms ranging from $100,000 to $500,000. These attacks not only caused operational interruptions but also put sensitive patient information at risk.
- Forecast: 8Base is expected to continue its growth throughout 2024, leveraging its low profile and ability to exploit poorly defended SMBs. Anticipate an increase in attacks against smaller businesses, especially those in critical sectors like healthcare and finance, where the potential for operational disruption heightens the chances of ransom payments.
11. Cicada3301 Ransomware (RaaS)
- Activity Level: Emerging
- Description: Cicada3301 is a newly discovered ransomware-as-a-service (RaaS) operation that began targeting organizations in mid-2024. The group operates with a growing affiliate network, focusing on high-impact double-extortion attacks directed at critical infrastructure and corporate enterprises. Cicada3301 has quickly gained notoriety for its methodical approach to targeting large organizations and its ability to execute complex attacks.
- Key TTPs:
- Notable Targets: Corporate enterprises and critical infrastructure in North America and Europe have been primary targets for Cicada3301. The group’s strategy emphasizes high-value organizations that are likely to be severely impacted by operational disruptions.
- Recent Activity: In mid-2024, Cicada3301 attacked a major U.K. energy company, exfiltrating sensitive operational data and demanding a ransom exceeding $5 million. This high-profile attack highlighted the group’s capabilities and raised concerns about the vulnerability of critical infrastructure to ransomware attacks.
- Forecast: Cicada3301 is likely to expand its affiliate network and continue targeting critical sectors globally. The group’s focus on high-value organizations where operational downtime can lead to substantial ransom payments positions it as a significant emerging threat in the ransomware landscape for 2024. As it grows, expect Cicada3301 to refine its tactics, further enhancing its effectiveness and reach.
Ransomware CTI Forecast for 2024
1. Proliferation of Ransomware-as-a-Service (RaaS)
Ransomware-as-a-Service (RaaS) models are poised to continue dominating the ransomware landscape in 2024. These platforms enable low-skill actors to execute sophisticated attacks by providing ready-made ransomware tools and comprehensive affiliate programs. This democratization of ransomware allows a wider array of threat actors to engage in cybercrime, including those with minimal technical expertise. As of Q3 2024, the trend is evident: the top 10 ransomware groups were responsible for only 58.3% of attacks, indicating that a multitude of smaller groups are increasingly participating in the threat landscape. This expansion of RaaS will likely lead to a surge in attacks across various sectors as new affiliates, motivated by the potential for financial gain, join the ranks.
2. Double and Triple Extortion Becoming Standard Practice
In 2024, ransomware groups are expected to rely heavily on multi-faceted extortion tactics, evolving beyond traditional data encryption. Attackers are increasingly exfiltrating sensitive information and threatening to release it publicly unless ransoms are paid. This double extortion approach heightens the urgency for victims to comply with ransom demands. Some groups have begun integrating Distributed Denial-of-Service (DDoS) attacks into their strategies, further pressuring victims to pay quickly in order to restore normal operations. As attackers continue to refine these tactics, triple extortion strategies are expected to become standard practice. These combine encrypting data, stealing sensitive information, and executing DDoS attacks, all aimed at maximizing financial leverage over organizations.
3. Expansion of Cloud and IoT Targeting
As organizations increasingly migrate to cloud infrastructures, ransomware groups are shifting their focus toward exploiting vulnerabilities within these environments. ALPHV (BlackCat) has demonstrated significant success in targeting hybrid cloud setups, illustrating the potential for substantial financial gain in such environments. In 2024, ransomware actors will likely intensify their efforts to exploit misconfigurations and security weaknesses within cloud services. Furthermore, with the proliferation of Internet of Things (IoT) devices in critical industries such as healthcare and manufacturing, ransomware groups are expected to target these devices more aggressively. Exploitation of IoT vulnerabilities can lead to breaches of operational technology (OT) networks, resulting in severe disruptions to essential services and processes.
4. Critical Infrastructure Under Siege
Ransomware groups are increasingly setting their sights on critical infrastructure sectors, including energy, healthcare, transportation, and financial services. These industries are particularly vulnerable due to their reliance on interconnected systems and the critical nature of their services. In 2024, groups such as LockBit, ALPHV, and Cuba are anticipated to lead attacks against these sectors. The operational disruptions caused by ransomware attacks in critical infrastructure often compel organizations to pay ransoms quickly to restore services, making them highly lucrative targets. The potential for widespread societal impact and operational paralysis heightens the stakes for these ransomware actors, leading to more aggressive tactics and higher ransom demands.
5. Nation-State Sponsored Ransomware
The boundary between financially motivated ransomware groups and nation-state actors is becoming increasingly blurred. Nation-states, particularly North Korea and Iran, are leveraging ransomware not only to generate revenue but also as tools for espionage and disruption. Groups such as Lazarus (North Korea) and APT33 (Iran) are expected to ramp up their ransomware activities, particularly targeting critical infrastructure and government organizations in geopolitical hotspots. This rise in state-sponsored ransomware may lead to more sophisticated attacks that incorporate elements of cyber warfare, including disinformation campaigns and direct attacks on national security interests.
6. Defensive Improvements but Rising Sophistication
While advancements in defensive technologies, such as Endpoint Detection and Response (EDR) systems, have helped mitigate some ransomware threats by reducing the number of attacks that result in file encryption, ransomware groups are continuously adapting to these measures. More sophisticated actors are employing advanced evasion techniques, utilizing uncommon programming languages like Rust, which complicates detection efforts by traditional security systems. As ransomware evolves, expect ongoing innovation in malware development, allowing these threats to remain persistent and adaptive despite improvements in cybersecurity defenses. This cat-and-mouse dynamic between ransomware actors and cybersecurity professionals will continue to define the ransomware landscape in 2024, with organizations needing to stay vigilant and proactive in their defensive strategies.
Conclusion
The ransomware landscape in 2024 is marked by an unprecedented level of activity, with a record number of ransomware groups targeting organizations globally. The rise of RaaS models has democratized ransomware, enabling smaller groups to launch sophisticated attacks. As ransomware evolves, tactics like double and triple extortion, cloud infrastructure targeting, and nation-state sponsorship are becoming more prevalent, making ransomware a critical threat to all sectors, particularly healthcare, critical infrastructure, and finance. Organizations must stay vigilant, continually update their cybersecurity defenses, and remain informed through ransomware-specific threat intelligence to mitigate the risks posed by these increasingly dangerous threat actors.