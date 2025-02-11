New entrants dominate this year's top five most prolific ransomware groups

Searchlight Cyber, the Continuous Threat Exposure Management company, has released its annual report on ransomware trends from the dark web, "Same Game, New Players: Ransomware in 2025". This year's report tracks disruption to the "key players" in the ransomware landscape, an uptick in new ransomware groups operating on the dark web, and an increase in listed ransomware victims.

Key findings of the report include

A total of 94 ransomware groups listed victims in 2024 (a 38 percent increase on 2023) with 49 new groups observed, reflecting further complexity in the ransomware landscape.

posted on ransomware leak sites in 2024 (5,728) compared to 2023 (5,081). RansomHub has replaced LockBit as #1 ransomware group, after the law enforcement disruption of Operation Cronos halved LockBit's victim output last year.

The five most prolific ransomware groups of 2024 wereRansomHub, LockBit, Play, Akira and Hunters International, which represents a major change in the ransomware landscape. Of those five, only LockBit has been active for more than three years and RansomHub the most prolific group of the year only emerged in February 2024.Meanwhile, major groups such as BlackCat and Cl0p (ranked second and third respectively in 2023) dropped out of the rankings.

The report contains profiles of each of the top five ransomware groups and analysis of the change to the ransomware hierarchy that has taken place over the past 12 months. RansomHub, for example, may be a new ransomware "brand" but in actual fact has ties to other groups including Knight, BlackCat, and LockBit. This pedigree, combined with its "affiliate friendly" Ransomware-as-a-Service (RaaS) model, may explain how it has so quickly risen to prominence.

Luke Donovan, Head of Threat Intelligence at Searchlight Cyber, commented: "The major takeaway from this report is that we enter 2025 with a busier and more complex ransomware ecosystem. While we have observed disruption to some of the biggest ransomware groups, there has been an influx in smaller players, which creates challenges for security teams that are constantly trying to assess and prepare for emerging threats.

"In this increasingly busy landscape, it becomes even more vital for organizations to actively apply threat intelligence to inform their defenses. Firstly, to identify commonalities in how these groups operate and prepare for the most common attack techniques. Secondly, to help them narrow down their adversaries to the four or five groups they are most likely to face, based on their activity and victimology."

