Another banner year for ransomware gangs despite takedowns by the cops

And it doesn't take a crystal ball to predict the future


If the nonstop flood of ransomware attacks doesn't already make every day feel like Groundhog Day, then a look back at 2024 – and predictions for 2025 – definitely will.

Last year broke previous years' ransomware records with 5,263 observed attacks – a 15 percent year-over-year jump – despite several high-profile law enforcement takedowns and arrests, according to the infosec gurus at the UK-based NCC Group today. Critical national infrastructure emerged as a prime target for these digital extortionists, and the security shop's glum outlook for 2025: More of the same.

"We expect to see a continued increase in attack numbers, in line with the incline observed since 2021," the threat intel team wrote in its 2024 report, due out this morning. "Attacks are highly likely to be directed at sectors like industrials, who have historically been vulnerable to ransomware attacks."

The industrial sector was the most targeted overall in 2024, with 1,424 observed attacks compared to 1,240 in 2023, the report notes. This represents a 15 percent increase.

NCC attributes the overall increase in attacks during 2024 to several factors: Buggy, exploitable products; compromised credentials; geopolitical tensions; an increase in ransomware-as-a-service offerings, which makes it easier for less technically savvy criminals to get in the game; and a high return on investment for the crooks.

"Attacks have become more profitable due to increasing cryptocurrency values further escalating these threats," according to the authors.

Cops crack down but crooks bounce back

While international cops will continue to hunt down major ransomware operators and their infrastructure, the growing ransomware-as-a-service ecosystem will make it even easier for criminals to move from one gang to another and continue decimating businesses with these types of attacks.

LockBit was perhaps the highest-profile takedown of the year — and also responsible for the most observed ransomware infections (526) during 2024.

In February 2024, the UK's National Crime Agency, the FBI, and other international partners seized the notorious ransomware gang's website and trolled the criminals, ultimately outing the criminal org's suspected kingpin, who went by the alias LockBitSupp. 

That big cheese was sanctioned, though not yet arrested, and has apparently pledged to release LockBit 4.0 in early February. "This information is to be taken with a pinch of salt, as LockBit may be looking to maintain its notoriety," NCC noted in the report.

Still, it conceded, despite all of the "arrests, convictions, charges, and infrastructure takedowns, it has sometimes felt like law enforcement are playing a game of whack-a-mole."

Leads to more ransomware gangs

Need more proof? Look no further than BlackCat/ALPHV's website takedown, its massive Change Healthcare security breach, an alleged exit scam, and then possible rebrand, along with multiple Scattered Spider arrests and reemergence.

Law enforcement actions against ransomware gangs last year also led to the arrival of new criminal orgs, we're told. NCC tracked 62 crews in 2023. That increased to 94 last year.

Adding to the sense of whack-a-mole: RansomHub surfaced as the most active criminal gang in 2024. The group got its start in February, at the same time as the LockBit takedown, or "attempted takedown" as NCC calls it. It quickly scooped up unemployed LockBit and ALPHV affiliates, who wasted no time infecting hundreds of victims and adding them to its leak site.

RansomHub also came in second overall with 501 known victims in 2024.

During the first half of last year, LockBit claimed 433 victims, compared to RansomHub's 123. In the second half, however, RansomHub's victim count shot to 378, compared to LockBit's 93, according to NCC.

"Overall, RansomHub's emergence can be attributed to the dynamic between RaaS and law enforcement operations," the report concludes. "Targeting major players has forced affiliates to find the next best operator who can provide them with the best software and commission."

This is yet another ransomware trend that the researchers expect to continue into 2025. NCC tells organizations to expect ransomware-as-a-service operators like RansomHub and others to continue their uptick this year.

And while "law enforcement operations will continue," the authors note that "affiliates will create or join other ransomware operators where major players are targeted." ®
