
In 2024, the number of ransomware attacks worldwide rose 11% year over year, to 5,414.

After a slow start, ransomware attacks surged in the second quarter and reached a peak in the fourth quarter, with 1,827 incidents, accounting for 33% of the total attacks for the year. The disruption of major ransomware groups, such as LockBit, by law enforcement led to fragmentation and an increase in competition, resulting in the emergence of smaller gangs. The number of active ransomware groups increased by 40%, from 68 in 2023 to 95 in 2024.

New Ransomware Groups to Watch

In 2023, there were only 27 new ransomware groups, but in 2024, this number increased dramatically to 46. The number of groups continued to accelerate, with 48 groups active in the fourth quarter of 2024.

Of the 46 new ransomware groups in 2024, RansomHub emerged as a dominant player, surpassing LockBit’s activity. The research team at Cyberint, now a Check Point Company, is continuously researching and analyzing the latest ransomware groups to understand their potential impact. This article will examine three new players: RansomHub, Fog, and Lynx, and delve into their impact in 2024, as well as their origins and tactics, techniques, and procedures (TTPs).

To learn about other new players, download the 2024 Ransomware Report here.

RansomHub

RansomHub has emerged as the leading ransomware group in 2024, claiming 531 attacks on its Data Leak Site since it began operations in February 2024. Following the FBI’s disruption of ALPHV, RansomHub is perceived as its ‘spiritual successor,’ potentially involving former affiliates.

Operating as a Ransomware-as-a-Service (RaaS), RansomHub enforces strict affiliate agreements, with non-compliance resulting in bans and termination of partnerships. It offers a 90/10 ransom split, with affiliates receiving 90% and the core group receiving 10%.

While claiming a global hacker community, RansomHub avoids targeting CIS nations, Cuba, North Korea, China, and non-profits, exhibiting characteristics of a traditional Russian ransomware setup. Their avoidance of Russian-affiliated nations and overlap with other Russian ransomware groups in targeted companies further highlight their likely connections to Russia’s cybercrime ecosystem.

Cyberint’s August 2024 findings indicate a low payment rate, with only 11.2% of victims paying (20 of 190), and negotiations often reducing demands. RansomHub prioritizes attack volume over payment rates, leveraging affiliate expansion to ensure profitability, with the goal of generating substantial revenue over time despite low individual payment success.

Malware, Toolset & TTPs

RansomHub’s ransomware, developed in Golang and C++, targets Windows, Linux, and ESXi, distinguished by its fast encryption. Similarities to GhostSec’s ransomware suggest a trend.

RansomHub guarantees free decryption if affiliates fail to provide it post-payment or target prohibited organizations. Their ransomware encrypts data before exfiltration. Potential ties to ALPHV are suggested by attack patterns, indicating similar tools and TTPs could be used.

Sophos research highlights parallels with Knight Ransomware, including Go-language payloads obfuscated with GoObfuscate and identical command-line menus.

Fog Ransomware

Fog ransomware appeared in early April 2024, targeting U.S. educational networks by exploiting stolen VPN credentials. They use a double-extortion strategy, publishing data on a TOR-based leak site if victims don’t pay.

In 2024, they attacked 87 organizations globally. An Arctic Wolf report from November 2024 showed Fog initiated at least 30 intrusions, all via compromised SonicWall VPN accounts. Notably, 75% of these intrusions were linked to Akira, with the rest attributed to Fog, suggesting shared infrastructure and collaboration.

Fog primarily targets education, business services, travel, and manufacturing, with a focus on the U.S. Interestingly, Fog is one of the few ransomware groups that prioritize the education sector as their primary target.

Fog ransomware has demonstrated alarming speed, with the shortest observed time from initial access to encryption being just two hours. Its attacks follow a typical ransomware kill chain, encompassing network enumeration, lateral movement, encryption, and data exfiltration. Versions of the ransomware exist for both Windows and Linux platforms.

IOCs

| Type | Value | Last Observation Date |
|------|-------|-----------------------|
| IPv4-Addr | 107.161.50.26 | Nov 28, 2024 |
| SHA-1 | 507b26054319ff31f275ba44ddc9d2b5037bd295 | Nov 28, 2024 |
| SHA-1 | e1fb7d15408988df39a80b8939972f7843f0e785 | Nov 28, 2024 |
| SHA-1 | 83f00af43df650fda2c5b4a04a7b31790a8ad4cf | Nov 28, 2024 |
| SHA-1 | 44a76b9546427627a8d88a650c1bed3f1cc0278c | Nov 28, 2024 |
| SHA-1 | eeafa71946e81d8fe5ebf6be53e83a84dcca50ba | Nov 28, 2024 |
| SHA-1 | 763499b37aacd317e7d2f512872f9ed719aacae1 | Nov 28, 2024 |
| SHA-1 | 3477a173e2c1005a81d042802ab0f22cc12a4d55 | Feb 02, 2025 |
| SHA-1 | 90be89524b72f330e49017a11e7b8a257f975e9a | Nov 28, 2024 |
| Domain-Name | gfs302n515.userstorage.mega.co.nz | Nov 28, 2024 |
| SHA-256 | e67260804526323484f564eebeb6c99ed021b960b899ff788aed85bb7a9d75c3 | Aug 20, 2024 |
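The indicators in the table are only useful once they are matched against telemetry. The script below is an added example, not code from the article or from Cyberint: it loads the Fog indicators exactly as listed above, normalises them (lower-cased hashes, trailing dots stripped from hostnames), and runs them over a handful of constructed log lines in an assumed `key=value` format (DNS queries, firewall allows, EDR file events). Domain matching is label-aligned, so the shared parent zone mega.co.nz does not trigger on its own, and hashes are compared case-insensitively because EDR products differ in how they print them.

```python
import re

# Fog indicators exactly as listed in the table above (type, value); dates omitted.
FOG_IOCS = [
    ("IPv4-Addr", "107.161.50.26"),
    ("SHA-1", "507b26054319ff31f275ba44ddc9d2b5037bd295"),
    ("SHA-1", "e1fb7d15408988df39a80b8939972f7843f0e785"),
    ("SHA-1", "83f00af43df650fda2c5b4a04a7b31790a8ad4cf"),
    ("SHA-1", "44a76b9546427627a8d88a650c1bed3f1cc0278c"),
    ("SHA-1", "eeafa71946e81d8fe5ebf6be53e83a84dcca50ba"),
    ("SHA-1", "763499b37aacd317e7d2f512872f9ed719aacae1"),
    ("SHA-1", "3477a173e2c1005a81d042802ab0f22cc12a4d55"),
    ("SHA-1", "90be89524b72f330e49017a11e7b8a257f975e9a"),
    ("Domain-Name", "gfs302n515.userstorage.mega.co.nz"),
    ("SHA-256", "e67260804526323484f564eebeb6c99ed021b960b899ff788aed85bb7a9d75c3"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# longest digest first so a SHA-256 is never cut down to an MD5-sized prefix
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)


def build_index(iocs):
    """Normalise the IOC list into lookup structures keyed by indicator kind."""
    index = {"ip": set(), "domain": set(), "hash": {}}
    for kind, value in iocs:
        value = value.strip().lower()
        if kind == "IPv4-Addr":
            index["ip"].add(value)
        elif kind == "Domain-Name":
            index["domain"].add(value.rstrip("."))
        elif kind in ("MD5", "SHA-1", "SHA-256"):
            index["hash"][value] = kind
    return index


def match_line(line, index):
    """Return every (kind, indicator) from the index that appears in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in index["ip"]:
            hits.append(("IPv4-Addr", ip))
    for host in HOST_RE.findall(line):
        host = host.lower().rstrip(".")
        for ioc in index["domain"]:
            # exact host, or a label-aligned subdomain of the indicator; the
            # parent zone (mega.co.nz here) is shared infrastructure and is
            # deliberately not matched on its own
            if host == ioc or host.endswith("." + ioc):
                hits.append(("Domain-Name", ioc))
    for digest in HASH_RE.findall(line):
        digest = digest.lower()
        if digest in index["hash"]:
            hits.append((index["hash"][digest], digest))
    return hits


def scan(lines, iocs):
    """Scan log lines; return one (1-based line number, kind, indicator) per hit."""
    index = build_index(iocs)
    results = []
    for number, line in enumerate(lines, start=1):
        for kind, value in match_line(line, index):
            results.append((number, kind, value))
    return results


# Constructed sample log lines (not real telemetry): a DNS query, a firewall
# allow, an EDR file event with an upper-case hash, and two benign lines.
SAMPLE_LOGS = [
    "2024-11-28T10:14:02Z dns client=10.0.5.12 query=gfs302n515.userstorage.mega.co.nz type=A",
    "2024-11-28T10:14:05Z fw action=allow src=10.0.5.12 dst=107.161.50.26 dport=443",
    "2024-11-28T10:15:11Z edr host=WS-042 file=C:\\Users\\Public\\svc.exe sha1=507B26054319FF31F275BA44DDC9D2B5037BD295",
    "2024-11-28T10:16:00Z dns client=10.0.5.13 query=mega.co.nz type=A",
    "2024-11-28T10:16:30Z fw action=allow src=10.0.5.14 dst=8.8.8.8 dport=53",
]

if __name__ == "__main__":
    for number, kind, value in scan(SAMPLE_LOGS, FOG_IOCS):
        print(f"line {number}: {kind} {value}")
```

Run as-is it reports three hits (the DNS query, the firewall allow and the EDR hash) and stays silent on the two benign lines. Feeding it a real log export means only replacing `SAMPLE_LOGS` with the file's lines; the `Last Observation Date` column is worth carrying along in production so that stale network indicators can be aged out while file hashes are kept.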

Lynx

Lynx is a double-extortion ransomware group that has been very active lately, displaying many victimized companies on their website. They state that they avoid targeting government organizations, hospitals, non-profit groups, and other essential social sectors.

Once they gain access to a system, Lynx encrypts files, appending the “.LYNX” extension. They then place a ransom note named “README.txt” in multiple directories. In 2024 alone, Lynx claimed more than 70 victims, demonstrating their continued activity and significant presence in the ransomware landscape.
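The two host artifacts named above, the `.LYNX` extension and a `README.txt` note dropped into many directories, are what a file-share or endpoint sweep can look for after the fact. The script below is an added example and is not code from the article or from Cyberint. It walks a directory tree, counts files carrying the extension and directories containing the note, and only flags the tree when the counts pass thresholds (assumed values, chosen here) so that a single legitimate README.txt does not raise an alert on its own. The sample tree it builds under a temporary directory is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".lynx"   # from the article: encrypted files get the ".LYNX" extension
NOTE_NAME = "readme.txt"  # from the article: ransom note named "README.txt"


def scan_tree(root):
    """Walk root and collect Lynx-style artifacts: encrypted files and note directories."""
    encrypted_files = []
    note_dirs = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted_files.append(os.path.join(dirpath, name))
            elif lower == NOTE_NAME:
                note_dirs.append(dirpath)
    return {"encrypted_files": encrypted_files, "note_dirs": note_dirs}


def assess(stats, min_encrypted=5, min_note_dirs=2):
    """True when the artifacts look like an encryption run rather than a stray file.

    The thresholds are assumed defaults for this example: README.txt is a
    common legitimate filename, so a note only counts when it appears in
    several directories or alongside a batch of renamed files.
    """
    return (len(stats["encrypted_files"]) >= min_encrypted
            or len(stats["note_dirs"]) >= min_note_dirs)


def build_sample_tree():
    """Constructed sample share with Lynx-style artifacts (demonstration data only)."""
    root = Path(tempfile.mkdtemp(prefix="lynx-demo-"))
    for sub in ("finance", "hr", "projects"):
        d = root / sub
        d.mkdir()
        (d / "README.txt").write_text("constructed placeholder, not a real note\n")
        for i in range(3):
            (d / f"report{i}.docx.LYNX").write_bytes(b"\x00" * 16)
    (root / "projects" / "notes.txt").write_text("untouched file\n")
    return root


if __name__ == "__main__":
    stats = scan_tree(build_sample_tree())
    print(f"encrypted files: {len(stats['encrypted_files'])}, "
          f"directories with note: {len(stats['note_dirs'])}, "
          f"suspicious: {assess(stats)}")
```

Against the constructed tree this reports nine encrypted files across three note directories and flags the share. In a real sweep the tree would be a mounted file share or a collected directory listing, and the thresholds should be tuned to how often README.txt legitimately appears in the environment.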

IOCs

| Type | Value | Last Observation Date |
|------|-------|-----------------------|
| MD5 | e488d51793fec752a64b0834defb9d1d | Sep 08, 2024 |
| Domain-Name | lynxback.pro | Sep 08, 2024 |
| Domain-Name | lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion | Sep 08, 2024 |
| Domain-Name | lynxblog.net | Sep 08, 2024 |
| IPv4-Addr | 185.68.93.122 | Sep 08, 2024 |
| IPv4-Addr | 185.68.93.233 | Sep 08, 2024 |
| MD5 | 7e851829ee37bc0cf65a268d1d1baa7a | Feb 17, 2025 |

What’s to Come in 2025?

Due to the crackdown on ransomware groups, a record number of new groups have emerged, seeking to make a name for themselves. In 2025, Cyberint anticipates that several of these newer groups will enhance their capabilities and emerge as dominant players, not just RansomHub.

Read the 2024 Ransomware Report from Cyberint, now a Check Point Company, for the top targeted industries and countries, a breakdown of the top 3 ransomware groups, ransomware families worth noting, newcomers to the industry, arrests and news, and 2025 forecasts.

Read the 2024 Ransomware Report to Gain Detailed Insights and More.

This article is a contributed piece from one of our valued partners.