SpiderLabs Blog

The New Face of Ransomware: Key Players and Emerging Tactics of 2024

Written by Serhii Melnyk | Jan 21, 2025 2:00:00 PM

As we step into 2025, the high-impact, financially motivated ransomware landscape continues to evolve, shaped by a combination of law enforcement actions, shifting affiliate dynamics, advancements in defensive approaches, and broader economic and geopolitical influences.

While 2024 also saw the continued use of ransomware for non-financial purposes, such as drawing attention away from other activities, financial motives remained at the forefront of the overall ransomware landscape.

 

Law & Order

The ongoing battle that law enforcement agencies worldwide fight against ransomware gangs got off to a fast start. The year’s first action took place on February 20, when international law enforcement agencies seized control of LockBit's administration environment, including its primary Dedicated/Data Leak Site (DLS).

To rub some additional salt in LockBit’s wound, authorities retained the familiar look of LockBit’s site but replaced victim-related content with press releases, indictments, and updates about the operation’s takedown. LockBit managed to resume operations shortly afterward, releasing another version of its ransomware (v4/4.0) in December, but the incident damaged its reputation and caused unease among affiliates and partners.


Figure 1. LockBit 3.0 DLS

Just a month later, in March, the ecosystem faced another disruption when ALPHV/BlackCat abruptly shut down. Unlike LockBit’s forced takedown, BlackCat’s exit was far more calculated: an outright exit scam in which the operators behind BlackCat deceived their affiliates, siphoned funds, and abandoned the project, intensifying distrust within the RaaS community.


Figure 2. The RAMP administrator has confirmed that ALPHV is engaging in an exit scam.

However, rather than signaling a collapse, these events, together with continuing disruptions such as the takedown of Dispossessor/Radar in late August, marked ongoing shifts, paving the way for smaller, more agile ransomware actors to capitalize on the newly emerging voids.

Operating under new, often short-lived brands, these operations were harder to track. Yet, despite these challenges, Dedicated/Data Leak Sites remained a valuable, albeit imperfect, source of insight into this new ransomware activity.

 

The Big Five Affiliate Programs

This retrospective, which is based primarily on DLS activities, spotlights the five most notable affiliate programs that emerged in 2024, alongside other ransomware operations and groups that surfaced throughout the year, examining their Tactics, Techniques, and Procedures (TTPs) and how these new brands are reshaping and driving the next chapter in the ransomware threat landscape.

 

RansomHub


Figure 3. RansomHub DLS

Looking ahead to 2025, RansomHub has firmly established itself as arguably the most notable affiliate program to come out of 2024, claiming one of the highest numbers of victims over the past year. This heightened visibility kept RansomHub and its Golang-based ransomware at the forefront of the threat landscape throughout the entire year. Since launching its affiliate program in February, RansomHub has thrived uninterrupted, primarily leveraging the RAMP forum for public communication and recruitment. The group’s success is largely attributed to its affiliate-friendly model and secure payment strategy, offering a 90-10 payment split that favors affiliates and a direct payment structure.

This approach not only attracted numerous affiliates but also likely strengthened RansomHub’s position amidst challenges faced by the RaaS ecosystem later in 2024. This was when law enforcement crackdowns on competitors like LockBit, coupled with increased caution within the ransomware community (particularly following ALPHV’s exit scam and claims that some of its affiliates moved to RansomHub) further bolstered RansomHub’s appeal and solidified its standing.

In terms of TTPs, RansomHub affiliates in 2024 frequently initiated attacks using phishing emails, password spraying, and exploiting publicly facing infrastructure. Targeted vulnerabilities included CVE-2020-1472 (Zerologon) and flaws in various enterprise solutions like Citrix, Apache, Confluence, and Fortinet.

Credentials were often acquired through direct compromises or initial access brokers (IAB), typically using malware from various Malware-as-a-Service (MaaS) offerings. Exposed remote desktop services and systems without multi-factor authentication (MFA) also remained common entry points.

What set RansomHub apart, though, was the use of custom-built “EDR-killer” malware designed to neutralize endpoint detection and response solutions. Tools like netscan and rclone also featured prominently, reflecting the varied operations among RansomHub’s affiliates – some employing advanced techniques while others relied on simpler, more accessible methods. This diversity also showcased RansomHub’s adaptability in tailoring its operations to the victim’s profile, as well as its ability to accommodate affiliates with differing levels of experience.

Overall, RansomHub displayed notable operational maturity compared to other affiliate programs that emerged in 2024. RansomHub’s rapid rise, compounded by the decline of competitors, signals its readiness to remain a dominant force in the RaaS market moving into 2025. With its streamlined payment model, consistent operations, and highly active data leak site, RansomHub is poised to maintain its appeal among a diverse range of cybercriminals, cementing its position as a key player in the ransomware ecosystem.

 

El Dorado/BlackLock


Figure 4. BlackLock DLS

El Dorado also established itself as one of the most prominent names of the past year. Initially launched in March and later rebranded as BlackLock in September, El Dorado/BlackLock quickly gained traction as a RaaS platform, offering comprehensive support for affiliates and expanding the variety and frequency of ransomware attacks. This approach likely enabled a diverse range of actors to leverage the platform, contributing to its rapid rise in visibility within the ransomware ecosystem. Much like RansomHub, BlackLock capitalized on the RAMP forum as its primary platform for advertising, communication, and recruitment. Similarly, it used Golang for its ransomware, further underscoring a larger 2024 trend of ransomware encryptors/lockers focusing on cross-platform capabilities.

In terms of TTPs, El Dorado affiliates mirrored some strategies seen across other RaaS platforms. Persistence was often achieved through RDP access or by creating additional user accounts. Affiliates typically gained initial access through phishing emails, exploiting vulnerabilities in exposed services, or leveraging stolen credentials. Once inside a network, El Dorado operators demonstrated a structured approach to lateral movement, often exploiting unpatched vulnerabilities or utilizing stolen credentials. Throughout the year, BlackLock affiliates also consistently maintained a reputation for targeting critical enterprise assets, particularly through the exploitation of VMware ESXi vulnerabilities, overall demonstrating a high degree of operational versatility.

Its combination of cross-platform ransomware capabilities, targeted attacks on high-value enterprise assets, and a user-friendly affiliate model positioned the group as a formidable force in the RaaS landscape. As 2025 begins, BlackLock remains a significant threat, ensuring its place among the most impactful RaaS groups of the past year.

 

Lynx


Figure 5. Lynx DLS

The next most active ransomware group by DLS posts in 2024 was Lynx, another successful newcomer to the cybercrime landscape. Emerging in July, Lynx quickly gained notoriety for its targeted attacks across multiple sectors, including manufacturing, construction, and utilities. Lynx affiliates relied on phishing campaigns as their primary method of initial compromise, a tactic common among ransomware operators, but evidently executed with notable success in this case. Victims were tricked into revealing credentials, which were then weaponized for lateral movement within networks.

Although many details about the TTPs leading to ransomware deployment remain unclear, once inside a network, attackers consistently deleted shadow copies of backups. During the ransomware encryption phase, Lynx targeted not only local files but also network shares and hidden drives, focusing on data critical to business continuity.

Much like other groups, victims faced double extortion, with their files encrypted and the additional threat of sensitive data being exposed on Lynx’s leak site. A significant development in the analysis of Lynx ransomware was its code overlap with the earlier INC ransomware, sparking widespread speculation about its origins. This raised the possibility that Lynx was either a direct successor, a rebranded evolution of INC, or that it borrowed the codebase. Reusing code from other ransomware families is a common practice among cybercriminals, allowing them to save development time while building on proven methods. In Lynx's case, this approach appeared to yield quick success, with the group rapidly establishing itself as an evolving threat.

Although Lynx’s origins and TTP profile remain unclear, the brand’s uninterrupted effectiveness since its appearance and particularly throughout the latter half of 2024 underscores its significance in the ransomware ecosystem. Its ability to adapt and execute high-profile attacks suggests a mature threat cluster and solidified its position among the top, most notable ransomware groups of the year.

 

FOG


Figure 6. FOG DLS

Following closely alongside BlackLock and Lynx in the ranks of the most DLS-active ransomware groups of 2024 was FOG. FOG first appeared in May and quickly gained attention when, in mid-June, the group launched its DLS. While details on FOG’s underlying monetization model remain scarce, its TTP profile provides some insight into its operations.

Throughout 2024, FOG deployments primarily gained initial access through corporate VPN services. Ransomware operators were also known to employ pass-the-hash attacks, brute-forcing user accounts, and extracting credentials from browsers.

To maintain persistence, affiliates relied on custom scripts, credential stuffing techniques, and additional access methods like establishing RDP connections and hijacking user accounts. In some cases, new user accounts were specifically created for this purpose. Tools like FileZilla and reverse SSH shells were also used to ensure ongoing access.

FOG operators also conducted extensive network enumeration using tools such as Metasploit, PsExec, and network scanners like Advanced Port Scanner and SharpShares. The group's lateral movement was facilitated by RDP and SMB, which were used to pivot between systems and spread the ransomware further. Throughout the attack lifecycle, the group was also detected disabling Windows Defender. For data exfiltration, FOG operators utilized legitimate third-party tools like 7-Zip and cloud services. The group also relied on remote access tools like AnyDesk and SplashTop for C2 communication, blending its traffic with legitimate network activity.

Overall, FOG ransomware’s operations reflected a broader trend in 2024, where initially small, more isolated groups test their strategies before evolving into more organized operations with a dedicated DLS and refined tactics. In FOG’s case, the group's approach has been highly adaptable, combining well-established tools and techniques while continuously maturing.

 

APT73 / BASHE


Figure 7. BASHE DLS

Concluding our top 5 list of newly emerged, most active, and stable ransomware brands for 2024 is BASHE. BASHE is a group that originally appeared online in April under the name APT73 before rebranding itself in October. BASHE quickly carved out a unique niche by offering affiliates a distinct model, gaining a notable level of traction within the cybercriminal community.

The group's program offered affiliates three main options: data encryption, data theft, and the sale of stolen data or access. For data encryption, affiliates would gain access to a company’s systems, encrypt files, and confirm the encryption with BASHE. In return, BASHE would create accounts for the affiliate and the victim on its negotiation platform, enabling ransom demands to be made.

For data theft, affiliates were tasked with stealing sensitive information and delivering it to BASHE. The group would then post a countdown for payment on its blog and assist with ransom negotiations. In both cases, affiliates kept 80% of the ransom, while BASHE took a 20% cut. BASHE also facilitated the sale of stolen data and access, allowing affiliates to negotiate directly with buyers once they confirmed the data or access they’d obtained. BASHE enforced strict rules regarding affiliate conduct. The group prohibited sharing platform access with others, especially the victims, and emphasized the importance of honoring agreements with victims. BASHE also encouraged transparency if affiliates chose to work with competitors.

In summary, since its emergence in April, BASHE has focused on offering something akin to a Data Leak Site-as-a-Service (DLSaaS), rather than a traditional RaaS model. Unlike the aforementioned affiliate programs, BASHE doesn’t provide its own ransomware. Instead, it relied on affiliates to carry out the encryption and upload stolen data to BASHE’s platform. This model distinguished BASHE from other emerging threat actors, offering affiliates a more hands-off, service-oriented approach to extortion. By combining ransom negotiations, payment management, and secure communication tools while giving affiliates the freedom to choose their ransomware, BASHE’s approach has made it a standout player in the 2024 cybercrime ecosystem.

 

Other Noteworthy Ransomware Strains of 2024

Overall, 2024 witnessed an evolving ransomware threat landscape, marked by the emergence of numerous other new groups, each introducing unique patterns and victimology.

January set the tone with the brief appearances of Slug, 2023Lock (believed to be linked to Zeoticus and TrinityLock), and Insane ransomware, which seemed more experimental than enduring. Slug targeted a single victim, an aircraft leasing company, before its DLS activity vanished. 2023Lock also stopped its DLS activities in February, while Insane posted one victim from the healthcare sector to its leak site before disappearing – suggesting these were short-lived tests or one-time operations.

February also brought a more dynamic wave of activity, with Blackout ransomware distinguishing itself by renaming compromised files without appending a custom extension. Meanwhile, Trisec made an initial appearance but faded after three DLS posts. Then Albabat emerged as the successor to Albabat Beta, and Mogilevich turned out to be a scam operation rather than a true ransomware group, duping aspiring cybercriminals into paying for fake infrastructure.

In contrast, SEXi, known for targeting VMware ESXi servers, established itself as the first stable newcomer of the year, before rebranding as APT INC in June. March saw the discovery of Rabbit Hole, Donex (whose cryptographic flaw later allowed victims to decrypt files for free), and Red, which emerged amid the law enforcement action against LockBit. This further highlighted the transitory nature of many emerging players this year. April was particularly notable, with a surge of activity from DarkVault, which featured a redesigned LockBit-style DLS,


Figure 8. DarkVault DLS

and Qiulong, which had a notable Brazilian victimology. Brazil was also featured prominently among the targets of Apos, with three out of five victims originating from that country. Other notable groups included the highly active Space Bears, dAn0n, HelloGookie (a rebrand of HelloKitty), and Shinra (linked to the Proton family).

Additionally, Estate ransomware operators gained attention for exploiting an RCE vulnerability in Veeam software. In May, SpiderX ransomware emerged, while Arcus, much like DarkVault, became one of the most active groups posting on its DLS throughout the year.


Figure 9. Arcus DLS

Zero Tolerance and Flocker also made appearances, with the latter targeting smart TVs. June brought the rise of Embargo, a group that, like DarkVault and Arcus, sought to position itself among the more prominent players.


Figure 10. Embargo DLS

Cicada3301 also joined the ranks of these prominent groups, quickly drawing attention with its choice of victims and its Rust-based encryptor/locker, which supports a wide range of targeted platforms.


Figure 11. Cicada3301 DLS

Other notable names such as SenSayQ, Trinity, and LukaLocker appeared as well, with the latter gaining notoriety for pressuring victims through direct phone calls. July saw the introduction of groups such as Vanir, whose infrastructure was later disrupted by German law enforcement (after three DLS posts), and Ransomcortex, which posted four victims in a single month and has since remained inactive. Other new names included MAD LIBERATOR, Brain Cipher (which marked its activities by claiming high-profile victims, making headlines),


Figure 12. Brain Cipher DLS

Pyrx, and NullBulge, each contributing to a particularly active mid-year period. August marked the emergence of Helldown, while September saw the resurgence of Nitrogen, which first appeared in 2023 but gained prominence in 2024. Other groups, such as Orca (a Zeppelin variant) and Valencia, also began operations during this time.

October saw the debut of Hellcat, Interlock (notable for its targeting of FreeBSD servers), PlayBoy Locker, and Sarcoma, all of which contributed to a diverse array of new ransomware campaigns.

November saw six notable groups emerge. Ymir stood out for its link with RustyStealer, while Chort, Kairos, Argonauts, Safeplay, and Termite also contributed to the growing roster of groups exploiting vulnerabilities and targeting high-value assets.

Finally, December concluded the year with Bluebox, a group that has so far maintained a low profile; Funksec, which did the opposite, posting over 100 alleged victims in a single month and signaling its potential to become a major threat in 2025; and LeakedData, which also appeared at the end of the month, claiming nearly 50 victims.


Figure 13. Funksec DLS


Figure 14. LeakedData DLS

Apart from the major examples mentioned above, the overall ransomware ecosystem offerings continued to grow in popularity and diversify, lowering the entry barrier for ransomware use. This included various relatively cheap ransomware products, offered for rent or as a one-time purchase, such as KADAVRO,


Figure 15. KADAVRO advertisement

as well as numerous unnamed ransomware offerings and isolated operations (for example, according to various trackers, more than 200 new unique ransomware samples are estimated to have been identified in the wild in 2024).

 

Mapping the Overlapping TTPs of 2024 Ransomware Groups

As we explore the ransomware groups that emerged in 2024, it’s important to recognize that ransomware operators represent a highly diverse set of threat actors. Each group brings its own unique blend of experience, tooling, and TTPs. This diversity means that we cannot rely on a unified threat profile to understand the landscape.

To address this complexity, we’ve attempted to map all observed techniques to create a broad yet cohesive understanding of their operations. A heat map has been created to visually highlight the most frequently observed techniques. The most commonly employed techniques are emphasized in intense red, reflecting the overlaps and commonalities among these new actors. 


Figure 16. Mapping the Overlapping TTPs of 2024 Ransomware Groups

In conclusion, threat actors in 2024 continued exploiting public-facing applications (T1190) and utilizing spear-phishing attachments and links (T1566.001, T1566.002) as their primary entry points. These methods remained foundational in 2024 (just as in previous years).

For execution, command-line utilities such as PowerShell (T1059.001) and cmd (T1059.003) were widely used to execute payloads, automate tasks, and facilitate data exfiltration. Adversaries leveraged these tools to orchestrate multi-stage attacks by downloading, staging, and executing malicious DLLs. Frameworks like Cobalt Strike and Sliver, alongside tools like PsExec, were frequently executed via System Services (T1569.002) or Scheduled Tasks (T1053.005). These tools provided attackers with reliable methods for remote control and execution, reflecting their reliance on established pen testing tools, LolBins, and techniques that have proven effective in previous years.

In 2024, ransomware operators continued to focus on scanning externally facing services, particularly VPNs and RDP, which were frequently abused to maintain prolonged access to victim environments. Establishing persistence remained a critical objective, with Valid Accounts (T1078.002, T1078.003) primarily exploited to establish footholds, highlighting the reliance on stolen credentials for sustained operations.

For privilege escalation and defense evasion, adversaries commonly deployed tools to disable antivirus solutions (T1562.001), with a notable surge in the use of EDR-specific malware like “EDR-killers”. Simultaneously, attackers leveraged Safe Mode Boot (T1562.009) to ensure ransomware execution by disabling security mechanisms during system restarts. This manipulation of host defenses emerged as one of the most prominent tactics in ransomware campaigns during 2024.

Lateral movement within victim networks primarily relied on Remote Desktop Protocol (T1021.001) and SMB/Windows Admin Shares (T1021.002). These techniques facilitated the transfer of tools and payloads, including ransomware binaries and reconnaissance utilities. Tools like PsExec, integrated into several workflows, further demonstrated the attackers' proficiency in leveraging native Windows functionalities for remote execution. In the discovery phase, techniques like Network Share Discovery (T1135) and Remote System Discovery (T1018) were the most prevalent. These methods allowed adversaries to map victim networks, identify high-value targets, and prepare for subsequent data exfiltration and encryption. Such discovery activities were essential for maximizing operational impact by selectively targeting critical assets.

As seen in the impact phase, encryption (T1486) and Inhibit System Recovery (T1490) remained universal attributes of ransomware campaigns. Threat actors disabled recovery options and deleted volume shadow copies to ensure the irreversibility of encryption. Internal Defacement (T1491.001) was also often observed in traditional ransomware deployments (however, this technique may evolve as more groups shift to data exfiltration-only models, bypassing the deployment of encryption malware).
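Detection logic for the impact-phase and defense-impairment techniques named above (T1490 shadow copy and recovery tampering, T1562.009 Safe Mode Boot, T1562.001 disabling Defender), written as an added example that is not part of the original post or of any Trustwave tooling. The pipe-delimited process-creation events and host names are constructed for the example; the rules are the kind a defender would run over real 4688/Sysmon command-line telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample events (simplified "timestamp|host|user|parent|command line"
# records), not real telemetry. The last two lines are benign and must not alert.
SAMPLE_EVENTS = """\
2024-11-03T02:14:07Z|FS01|CORP\\svc_backup|cmd.exe|vssadmin.exe delete shadows /all /quiet
2024-11-03T02:14:09Z|FS01|CORP\\svc_backup|cmd.exe|wmic.exe shadowcopy delete
2024-11-03T02:14:12Z|FS01|CORP\\svc_backup|cmd.exe|bcdedit.exe /set {default} recoveryenabled no
2024-11-03T02:14:15Z|FS01|CORP\\svc_backup|cmd.exe|bcdedit.exe /set {default} safeboot network
2024-11-03T02:15:01Z|FS01|CORP\\svc_backup|powershell.exe|powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true
2024-11-03T02:15:30Z|WS22|CORP\\jdoe|explorer.exe|C:\\Program Files\\7-Zip\\7z.exe a archive.7z C:\\Users\\jdoe\\Documents
2024-11-03T09:00:00Z|FS01|CORP\\backupadm|cmd.exe|vssadmin.exe list shadows
"""

# (ATT&CK technique ID, description, command-line pattern). Case-insensitive so
# that casing tricks in the command line do not evade the rule.
RULES = [
    ("T1490", "Inhibit System Recovery: vssadmin shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "Inhibit System Recovery: WMI shadow copy deletion",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "Inhibit System Recovery: boot recovery disabled via bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1562.009", "Impair Defenses: Safe Mode Boot configured via bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("T1562.001", "Impair Defenses: Defender real-time protection disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
]


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    technique: str
    description: str
    command: str


def parse_event(line: str):
    """Split one constructed record into its five fields; None if malformed."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmd = parts
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def detect(events: str) -> list[Finding]:
    """Run every rule against every event's command line; one Finding per match."""
    findings = []
    for raw in events.strip().splitlines():
        ev = parse_event(raw)
        if ev is None:
            continue
        for tid, desc, rx in RULES:
            if rx.search(ev["cmd"]):
                findings.append(Finding(ev["ts"], ev["host"], ev["user"], tid, desc, ev["cmd"]))
    return findings


def technique_summary(findings: list[Finding]) -> dict[str, int]:
    """Hits per technique ID, the per-technique count behind a heat map like Figure 16."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


def hosts_with_impact_chain(findings: list[Finding]) -> list[str]:
    """Hosts showing both recovery inhibition (T1490) and defense impairment (T1562.x):
    the combination that typically immediately precedes encryption (T1486)."""
    by_host: dict[str, set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, t in by_host.items()
                  if "T1490" in t and any(x.startswith("T1562") for x in t))


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.user} [{f.technique}] {f.description}")
    print("summary:", technique_summary(hits))
    print("hosts with impact chain:", hosts_with_impact_chain(hits))
```

The chain check matters more than any single rule: a lone `vssadmin list shadows` from a backup operator is routine, whereas shadow copy deletion followed within minutes by Safe Mode Boot configuration on the same host is the page's impact phase in progress.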

 

Outlook for 2025

As 2025 begins, the financially motivated ransomware ecosystem is increasingly characterized by the decentralization of operations, a trend spurred by the disruptions of larger groups. This shift has paved the way for smaller, more agile actors, shaping a fragmented yet resilient landscape. Operational diversification, combined with innovative affiliate models, has become the hallmark of this new wave of ransomware activity. Developers, operators, and other actors involved (or willing to be involved) will likely continue to look for their niche within the competitive ecosystem. While the majority compete for experienced affiliates, some succeed without relying on RaaS, and others explore creative ways to establish their place.

Focusing on newly established groups in 2024 with the most notable victimology and DLS activity, RansomHub, BlackLock, Lynx, FOG, and BASHE have clearly shown their potential to disrupt organizations on a global scale. If this momentum continues without significant disruptions, RansomHub is likely to maintain its prominence in 2025, fueled by its affiliate-friendly model.

BlackLock, Lynx, and FOG also stand to persist, highlighting the growing efficiency of smaller actors. BASHE, with its custom negotiation platform, could lead the evolution of ransomware monetization strategies.

Beyond these groups, 2024 saw a surge in activity from other notable emerging players, including DarkVault, Arcus, and Cicada3301. All these groups surfaced in 2024 and collectively had a significant impact, primarily targeting mid-sized organizations and critical infrastructure sectors (with healthcare being particularly affected). Overall, 2024 underscored the continuous evolution of the ransomware ecosystem, with new groups frequently emerging and often disappearing just as quickly.

While several groups demonstrated the potential for sustained activity, it remains uncertain which will evolve into long-term threats. The growing diversity and adaptability of these groups suggest that ransomware attacks will likely continue to present a broad and significant challenge, with a wide-ranging victimology. As some groups refine their TTPs, others may fade, but the overall trend points to a continued and expanding threat landscape.

This reflects the increasing resilience and adaptability of cybercriminal operations, despite law enforcement efforts that have caused significant disruptions to their activities. At the same time, the constant emergence of new affiliate programs and services suggests that 2025 will likely see a continued rise in attacks, accompanied by further diversification of ransomware brands.

When it comes to TTPs, all 2024 newcomers continued to combine diverse extortion tactics, such as encryption and data theft, or focused exclusively on data theft and direct blackmail. Their attack methods also remained varied, from phishing to exploiting vulnerabilities in unpatched systems, continuing the trend of increasingly diverse attack vectors and a lack of a single threat profile.

The use of Go in ransomware development, a trend that began in late 2021, continued in 2024, with notable examples like RansomHub and Embargo joining other strains like RobbinHood, Nefilim, DECAF, CrossLock, Qilin/Agenda, GhostLocker, Lockkey, BlackCat, Hive – all of which have utilized Go for its portability and performance, signaling its growing adoption by ransomware groups (paralleling a similar trend with Rust).

The ransomware ecosystem in 2024 clearly demonstrated an understanding of the importance of agility, particularly in rebranding and adapting to changing circumstances. This included the development of increasingly cross-platform ransomware tailored to meet the diverse needs of affiliates and target a broad range of victims.

Smaller, decentralized groups have proven harder to neutralize as they quickly rebrand and reorganize, maintaining operational resilience.

Looking ahead to 2025, these shifts signal ongoing risks for organizations that fail to prioritize proactive cybersecurity measures. The continued exploitation of hypervisors and the emerging use of custom “EDR-killers” reflect a strategic focus on critical systems and a reaction to the growing sophistication of security defenses.

Moreover, the combination of extortion tactics is likely to persist, amplifying financial and reputational pressures on victims. To mitigate these evolving threats, organizations must adopt proactive defenses, including rigorous patch management, robust monitoring, advanced detection and response solutions, and the integration of threat intelligence to anticipate attacker behaviors. The lessons learned from 2024 emphasize the need for a comprehensive, layered security approach to combat the increasingly fragmented and adaptive ransomware landscape of 2025.