The New Ransomware Groups Shaking Up 2025

The Hacker News | Published: March 3, 2025 | Updated: March 3, 2025 | 4 min read

In 2024, global ransomware attacks hit 5,414, an 11% increase from 2023.

After a slow start, attacks spiked in Q2 and surged in Q4, with 1,827 incidents (33% of the year’s total). Law enforcement actions against major groups like LockBit caused fragmentation, leading to more competition and a rise in smaller gangs. The number of active ransomware groups jumped 40%, from 68 in 2023 to 95 in 2024.

New Ransomware Groups to Watch

In 2023 there were just 27 new groups; 2024 saw a dramatic rise, with 46 new groups detected. The pace accelerated as the year went on, with 48 groups active in Q4 2024.

Of the 46 new ransomware groups in 2024, RansomHub became dominant, exceeding LockBit’s activity. At Cyberint, now a Check Point Company, the research team is constantly researching the latest ransomware groups and analyzing them for potential impact. This blog looks at three new players, the aforementioned RansomHub, Fog and Lynx, examines their impact in 2024, and delves into their origins and TTPs.

To learn about other new players, download the 2024 Ransomware Report here.

RansomHub

RansomHub has emerged as the leading ransomware group in 2024, claiming 531 attacks on its Data Leak Site since commencing operations in Feb 2024. Following the FBI’s disruption of ALPHV, RansomHub is perceived as its ‘spiritual successor,’ potentially involving former affiliates.

Operating as a Ransomware-as-a-Service (RaaS), RansomHub enforces strict adherence to its affiliate agreements, with non-compliance resulting in bans and termination of partnerships. It offers a 90/10 ransom split between affiliates and the core group.

While claiming a global hacker community, RansomHub avoids targeting CIS nations, Cuba, North Korea, China, and non-profits, exhibiting characteristics of a traditional Russian ransomware setup. Their avoidance of Russian-affiliated nations and overlap with other Russian ransomware groups in targeted companies further highlight their likely connections to Russia’s cybercrime ecosystem.

Cyberint’s August 2024 findings indicate a low payment rate: only 11.2% of victims paid (20 of 190), with negotiations often reducing demands. RansomHub prioritizes attack volume over payment rates, leveraging affiliate expansion to ensure profitability, with the goal of generating substantial revenue over time despite low individual payment success.

Malware, Toolset & TTPs

RansomHub’s ransomware, developed in Golang and C++, targets Windows, Linux, and ESXi, distinguished by its fast encryption. Similarities to GhostSec’s ransomware suggest a trend.

RansomHub guarantees free decryption if affiliates fail to provide it post-payment or target prohibited organizations. Their ransomware encrypts data before exfiltration. Potential ties to ALPHV are suggested by attack patterns, indicating similar tools and TTPs could be used.

Sophos research highlights parallels with Knight Ransomware, including Go-language payloads obfuscated with GoObfuscate and identical command-line menus.

Fog Ransomware

Fog ransomware appeared in early April 2024, targeting U.S. educational networks by exploiting stolen VPN credentials. The group uses a double-extortion strategy, publishing data on a Tor-based leak site if victims don’t pay.

In 2024, they attacked 87 organizations globally. An Arctic Wolf report from November 2024 showed Fog initiated at least 30 intrusions, all via compromised SonicWall VPN accounts. Notably, 75% of these intrusions were linked to Akira, with the rest attributed to Fog, suggesting shared infrastructure and collaboration.

Fog primarily targets education, business services, travel, and manufacturing, with a focus on the U.S. Interestingly, Fog is one of the few ransomware groups that prioritize the education sector as their primary target.

Fog ransomware has demonstrated alarming speed, with the shortest observed time from initial access to encryption being just two hours. Its attacks follow a typical ransomware kill chain, encompassing network enumeration, lateral movement, encryption, and data exfiltration. Versions of the ransomware exist for both Windows and Linux platforms.

IOCs


Lynx

Lynx is a double-extortion ransomware group that has been very active lately, displaying many victimized companies on their website. They state that they avoid targeting government organizations, hospitals, non-profit groups, and other essential social sectors.

Once they gain access to a system, Lynx encrypts files, appending the “.LYNX” extension. They then place a ransom note named “README.txt” in multiple directories. In 2024 alone, Lynx claimed more than 70 victims, demonstrating their continued activity and significant presence in the ransomware landscape.
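The two file-system indicators the paragraph names (a “.LYNX” extension on encrypted files and a “README.txt” note dropped across several directories) are enough for a simple host triage check. The script below is an added example, not code from the article or from Cyberint; the alert thresholds and the sample directory tree are constructed assumptions.

```python
import os
import tempfile
from dataclasses import dataclass, field

LYNX_EXT = ".lynx"        # article: encrypted files get a ".LYNX" extension
NOTE_NAME = "readme.txt"  # article: ransom note is named "README.txt"
MIN_ENCRYPTED_FILES = 5   # assumption: renamed files needed before alerting
MIN_NOTE_DIRS = 2         # assumption: "multiple directories" means at least 2


@dataclass
class LynxTriage:
    encrypted_files: list = field(default_factory=list)
    note_dirs: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        # A lone README.txt is benign; require renamed files plus notes in several dirs.
        return (len(self.encrypted_files) >= MIN_ENCRYPTED_FILES
                and len(self.note_dirs) >= MIN_NOTE_DIRS)


def triage_lynx(root: str) -> LynxTriage:
    """Single pass over `root`, matching both indicators case-insensitively."""
    result = LynxTriage()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            lowered = name.lower()
            if lowered.endswith(LYNX_EXT):
                result.encrypted_files.append(os.path.join(dirpath, name))
            elif lowered == NOTE_NAME:
                result.note_dirs.add(dirpath)
    return result


def demo(infected: bool) -> LynxTriage:
    """Build a constructed sample tree (3 dirs x 3 files) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        for sub in ("docs", "finance", "hr"):
            d = os.path.join(tmp, sub)
            os.makedirs(d)
            for i in range(3):
                suffix = ".LYNX" if infected else ""
                with open(os.path.join(d, f"file{i}.docx{suffix}"), "w") as fh:
                    fh.write("sample content\n")
            if infected:  # drop a placeholder note, as the article describes
                with open(os.path.join(d, "README.txt"), "w") as fh:
                    fh.write("placeholder ransom note text\n")
        return triage_lynx(tmp)
```

Run `triage_lynx` against a file share or user profile root; a hit should trigger isolation of the host rather than further investigation in place, given the two-hour access-to-encryption times reported for groups like Fog.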

IOCs


What’s to Come in 2025?

The crackdown on established ransomware groups has produced a record number of new groups seeking to make a name for themselves. In 2025, Cyberint anticipates that several of these newer groups, not just RansomHub, will enhance their capabilities and emerge as dominant players.

Read the 2024 Ransomware Report from Cyberint, now a Check Point Company, for the top targeted industries and countries, a breakdown of the top three ransomware groups, ransomware families worth noting, newcomers to the industry, arrests and news, and 2025 forecasts.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
