In 2024, a total of 5,414 ransomware attacks occurred worldwide, representing an 11% increase compared to 2023.
Following a gradual start, ransomware incidents surged in the second quarter and peaked in the fourth, which accounted for 1,827 incidents (approximately 33% of the total for the year). Notably, law enforcement actions against prominent groups such as LockBit fragmented the market, paving the way for increased competition and the emergence of smaller factions. The number of active ransomware groups rose by 40%, from 68 in 2023 to 95 in 2024.
Emerging Ransomware Groups
The number of newly identified ransomware groups surged from 27 in 2023 to 46 in 2024. As the year progressed, new group formations accelerated, culminating in 48 active groups by the fourth quarter.
Among these new entrants, RansomHub quickly gained significant traction, surpassing LockBit in operational capacity. The research team at Cyberint, now part of Check Point, is continuously monitoring and analyzing these evolving threats. This report will focus on three emerging players in the sector: RansomHub, Fog, and Lynx, assessing their influence in 2024 as well as their origins and operational tactics.
For more insights on other emerging groups, download the 2024 Ransomware Report here.
RansomHub’s Rise
RansomHub has positioned itself as a leading ransomware entity in 2024, reporting 531 attacks on its data leak site since its inception in February. Following the FBI’s intervention against ALPHV, RansomHub is perceived as a ‘successor’ of sorts, likely comprising some former affiliates of the disrupted group.
Functioning as a Ransomware-as-a-Service (RaaS), RansomHub mandates strict compliance with affiliate agreements, where violations lead to expulsion or cancellation of partnerships. They offer an attractive split of 90% of the ransom to affiliates.
Interestingly, while RansomHub claims a diverse hacker cohort, it strategically avoids targeting countries such as Russia, Cuba, North Korea, and China, resembling a traditional Russian ransomware model. Their decision to steer clear of Russian-affiliated nations and the overlap with other Russian groups may signal deeper ties within the cybercriminal ecosystem.
Cyberint’s findings as of August 2024 reveal a concerning trend: only 11.2% of victims opted for ransom payment (20 out of 190). Many negotiations resulted in reduced demands. RansomHub emphasizes the volume of attacks over payment rates as a strategy to achieve long-term profitability despite lower individual payment success rates.
Malware, Toolset, and Techniques
RansomHub’s malware, written in Golang and C++, targets multiple platforms, including Windows, Linux, and ESXi, and is known for its rapid encryption. Its resemblance to GhostSec’s malware may indicate an emerging trend.
The group provides guarantees of free decryption if affiliates fail to deliver it after payment or target restricted organizations. Their ransomware encrypts data prior to exfiltration. Attack patterns suggest possible affiliations with ALPHV, indicating the use of similar tools and tactics. Research from Sophos highlights notable similarities with Knight Ransomware, especially in the use of Go-language payloads obfuscated with GoObfuscate.
Fog Ransomware
Fog ransomware made its debut in early April 2024, primarily targeting U.S. educational networks through compromised VPN credentials. Their double-extortion method involves publishing stolen data on a Tor-based site if victims refuse to pay.
Throughout 2024, Fog attacked 87 organizations globally. A report from Arctic Wolf published in November 2024 indicated that Fog had executed at least 30 breaches, all initiated via compromised SonicWall VPN accounts. Approximately 75% of these intrusions were linked to Akira, while the remainder was attributed to Fog, suggesting either shared infrastructure or cooperation among the groups.
Fog focuses on education, business services, travel, and manufacturing, particularly within the U.S., with educational institutions as its primary target.
Fog ransomware has shown alarming efficiency, with the quickest recorded time from initial access to encryption being a mere two hours. Their attacks follow a conventional ransomware lifecycle involving network enumeration, lateral movement, encryption, and data exfiltration, with versions available for both Windows and Linux environments.
Indicators of Compromise (IOCs)
Lynx Ransomware
Lynx has been active recently, employing a double-extortion model and showcasing numerous victim organizations on their site. This group claims to deliberately avoid targeting governmental bodies, healthcare facilities, and essential social services.
Upon breaching a system, Lynx encrypts files with the “.LYNX” extension and distributes a ransom note titled “README.txt” across multiple directories. In 2024, Lynx reported over 70 victims, affirming its persistent presence in the ransomware threat landscape.
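The two host artifacts described above (the “.LYNX” extension and the “README.txt” note) are enough for a simple file-system hunt. The script below is an added example written for this post, not Cyberint’s tooling; the directory layout it scans is constructed sample data, and it reports a lone README.txt separately because that file is normal in legitimate projects.

```python
import os
import tempfile
from pathlib import Path

# Lynx artifacts described on this page: encrypted files get a ".LYNX"
# extension and a ransom note named "README.txt" is dropped in many directories.
LYNX_EXTENSION = ".lynx"
LYNX_NOTE = "readme.txt"

def scan_for_lynx(root):
    """Walk `root` and group directories by the Lynx artifacts they hold.

    encrypted: {relative_dir: count of .LYNX files}; note_only: dirs with a
    README.txt but no encrypted files (a plain README.txt is common in
    legitimate projects, so it is reported separately, not as a hit).
    """
    result = {"encrypted": {}, "note_only": [], "total_encrypted": 0}
    for dirpath, _subdirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        n_enc = sum(1 for f in files if f.lower().endswith(LYNX_EXTENSION))
        has_note = any(f.lower() == LYNX_NOTE for f in files)
        if n_enc:
            result["encrypted"][rel] = n_enc
            result["total_encrypted"] += n_enc
        elif has_note:
            result["note_only"].append(rel)
    return result

def build_sample_tree(root):
    """Constructed sample tree (not real victim data): two encrypted
    directories, one legitimate project with its own README.txt, one untouched."""
    layout = {
        "finance": ["q3.xlsx.LYNX", "budget.docx.LYNX", "README.txt"],
        "hr/records": ["staff.csv.LYNX", "README.txt"],
        "src/tool": ["main.py", "README.txt"],
        "media": ["logo.png"],
    }
    for subdir, names in layout.items():
        path = Path(root, subdir)
        path.mkdir(parents=True, exist_ok=True)
        for name in names:
            (path / name).write_bytes(b"sample")

def demo():
    """Build the sample tree in a temp dir, scan it and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_lynx(tmp)
```

Pointing `scan_for_lynx` at a mounted share or a forensic image gives an immediate map of which directories were reached by the encryptor, which helps scope an incident before any sample is analyzed.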
Indicators of Compromise (IOCs)
Outlook for 2025
As authorities intensify their efforts against ransomware groups, a record number of new entities have emerged, eager to establish their presence in the landscape. Projections for 2025 suggest that several of these newer factions will bolster their capabilities, vying to become more prominent players alongside RansomHub.
For a thorough analysis of targeted industries and countries, insights into the top three ransomware factions, notable ransomware families, recent arrests, and forecasts for 2025, refer to Cyberint’s comprehensive 2024 Ransomware Report.