In 2024, global ransomware attacks hit 5,414, an 11% increase from 2023.

After a slow start, attacks spiked in Q2 and surged in Q4, with 1,827 incidents (33% of the year’s total). Law enforcement actions against major groups like LockBit caused fragmentation, leading to more competition and a rise in smaller gangs. The number of active ransomware groups jumped 40%, from 68 in 2023 to 95 in 2024.

New Ransomware Groups to Watch
In 2023 there were just 27 new groups. 2024 saw a dramatic rise, with 46 new groups detected. As the year went on, the number of groups accelerated, with Q4 2024 having 48 groups active.
Of the 46 new ransomware groups in 2024, RansomHub became dominant, exceeding LockBit’s activity. At Cyberint, now a Check Point Company, the research team is constantly researching the latest ransomware groups and analyzing them for potential impact. This blog looks at 3 new players, the aforementioned RansomHub, Fog and Lynx, examines their impact in 2024, and delves into their origins and TTPs.
To learn about other new players, download the 2024 Ransomware Report here.

RansomHub
RansomHub has emerged as the leading ransomware group in 2024, claiming 531 attacks on its Data Leak Site since commencing operations in Feb 2024. Following the FBI’s disruption of ALPHV, RansomHub is perceived as its ‘spiritual successor,’ potentially involving former affiliates.
Operating as a Ransomware-as-a-Service (RaaS), RansomHub enforces strict adherence to affiliate agreements, with non-compliance resulting in bans and termination of partnerships. It offers a 90/10 ransom split, Affiliates/Core Group.
While claiming to be a global hacker group, RansomHub avoids targeting CIS nations, Cuba, North Korea, China, and non-profits, exhibiting traits of a traditional Russian ransomware setup. Their avoidance of Russian-affiliated nations and overlap with other Russian ransomware groups in targeted companies further highlight their likely connections to Russia’s cybercrime ecosystem.
Cyberint’s August 2024 findings indicate a low payment rate: only 11.2% of victims paid (20 of 190), with negotiations often reducing demands. RansomHub prioritizes attack volume over payment rates, leveraging affiliate expansion to ensure profitability, with the goal of generating substantial revenue over time despite low individual payment success.

Malware, Toolset & TTPs
RansomHub’s ransomware, developed in Golang and C++, targets Windows, Linux, and ESXi, and is distinguished by its fast encryption. Similarities to GhostSec’s ransomware suggest a trend.
RansomHub guarantees free decryption if affiliates fail to provide it post-payment or target prohibited organizations. Their ransomware encrypts data before exfiltration. Potential ties to ALPHV are suggested by attack patterns, indicating similar tools and TTPs could be used.
Sophos research highlights parallels with Knight Ransomware, including Go-language payloads obfuscated with GoObfuscate and similar command-line menus.

Fog Ransomware
Fog ransomware appeared in early April 2024, targeting U.S. educational networks by exploiting stolen VPN credentials. They use a double-extortion strategy, publishing data on a TOR-based leak site if victims don’t pay.
In 2024, they attacked 87 organizations globally. An Arctic Wolf report from November 2024 showed Fog initiated at least 30 intrusions, all through compromised SonicWall VPN accounts. Notably, 75% of these intrusions were linked to Akira, with the remainder attributed to Fog, suggesting shared infrastructure and collaboration.
Fog primarily targets education, business services, travel, and manufacturing, with a focus on the U.S. Interestingly, Fog is one of the few ransomware groups that prioritize the education sector as their primary target.

Fog ransomware has demonstrated alarming speed, with the shortest observed time from initial access to encryption being just two hours. Its attacks follow a typical ransomware kill chain, encompassing network enumeration, lateral movement, encryption, and data exfiltration. Versions of the ransomware exist for both Windows and Linux platforms.

Lynx
Lynx is a double-extortion ransomware group that has been very active lately, displaying many victimized companies on their website. They state that they avoid targeting government organizations, hospitals, non-profit groups, and other essential social sectors.


Once they gain access to a system, Lynx encrypts files, appending the “.LYNX” extension. They then place a ransom note named “README.txt” in multiple directories. In 2024 alone, Lynx claimed more than 70 victims, demonstrating their continued activity and significant presence in the ransomware landscape.
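
The file-system behaviour described above (a “.LYNX” extension plus a “README.txt” note dropped in multiple directories) can be turned into a host-level detection. The following is an added example, not code from Cyberint or from the original post; the event format, host names, sample paths and the `min_dirs` and `window` thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed file-creation events (timestamp, host, path); not real telemetry.
SAMPLE_EVENTS = [
    ("2024-09-08T10:00:01", "ws01", r"C:\Users\a\Docs\budget.xlsx.LYNX"),
    ("2024-09-08T10:00:02", "ws01", r"C:\Users\a\Docs\README.txt"),
    ("2024-09-08T10:00:09", "ws01", r"C:\Shares\HR\payroll.db.LYNX"),
    ("2024-09-08T10:00:10", "ws01", r"C:\Shares\HR\README.txt"),
    ("2024-09-08T11:30:00", "ws02", r"C:\src\proj\README.txt"),   # benign repo file
    ("2024-09-08T09:00:00", "ws03", r"D:\old\a.doc.LYNX"),
    ("2024-09-08T09:00:05", "ws03", r"D:\old\README.txt"),
    ("2024-09-08T14:00:00", "ws03", r"D:\new\b.doc.LYNX"),        # hours later
    ("2024-09-08T14:00:03", "ws03", r"D:\new\README.txt"),
]

def classify(path):
    """Map a path to (directory, kind); kind is 'enc', 'note' or None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    kind = "enc" if name.endswith(".lynx") else "note" if name == "readme.txt" else None
    return str(p.parent).lower(), kind

def detect_lynx_pattern(events, min_dirs=2, window=timedelta(minutes=10)):
    """Return {host: [dirs]} for hosts where, inside one sliding window, at
    least min_dirs directories each received a *.LYNX file and a README.txt.
    min_dirs and window are assumed thresholds, to be tuned per environment."""
    per_host = defaultdict(list)
    for ts, host, path in events:
        directory, kind = classify(path)
        if kind:
            per_host[host].append((datetime.fromisoformat(ts), directory, kind))
    alerts = {}
    for host, recs in per_host.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1          # drop events older than the window
            seen = defaultdict(set)
            for _, directory, kind in recs[start:end + 1]:
                seen[directory].add(kind)
            hit = sorted(d for d, kinds in seen.items() if kinds == {"enc", "note"})
            if len(hit) >= min_dirs:
                alerts[host] = hit
                break
    return alerts
```

Requiring the extension and the note together, in more than one directory and within a short window, keeps an ordinary project README.txt or a single stray file from raising an alert.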

What’s to Come in 2025?
Due to the crackdown on ransomware groups, the most new groups on record have appeared, seeking to make a name for themselves. In 2025, Cyberint anticipates several of these newer groups to enhance their capabilities and emerge as dominant players, not just RansomHub.
Read Cyberint, now a Check Point Company’s 2024 Ransomware Report for the top targeted industries and countries, a breakdown of the top 3 ransomware groups, ransomware families worth noting, newcomers to the industry, arrests and news, and 2025 forecasts.