
In this blog we discuss the most prolific ransomware groups we have observed this year.
Tracking ransomware groups
In 2024 we saw an 11% rise in listed ransomware victims versus 2023, and a 38% increase in the number of ransomware groups listing victims. Our findings show that ransomware is clearly on the rise and that organizations should step up their cybersecurity efforts, but simply being aware of the threat is not enough.
Organizations need to narrow down the groups most likely to impact them, based on those groups' activity and victimology. That gives them intelligence on the groups' capabilities, tactics, techniques and procedures (TTPs), and tooling, which they can then apply to their own defensive measures.
In this blog we take a look at the five groups we identified as most active at the beginning of 2025 and give an update on some of their key activities this year.
RansomHub
RansomHub took the number one spot by listed victims last year, despite only emerging in February 2024. Its quick rise to prominence can be explained by a number of factors. Firstly, like a number of emerging ransomware groups, it isn’t strictly speaking “new”. RansomHub has been tied to Knight ransomware, which stopped operating just as RansomHub emerged in February 2024. It is also suspected to have taken on former affiliates of BlackCat and LockBit.
Like many of the large ransomware-as-a-service (RaaS) operations, RansomHub's victimology appears to be indiscriminate across industries, although (as with many ransomware groups) there is a clear concentration of victims in the United States. The ransomware landscape is fickle and, as our stats show, new groups can disappear just as quickly as they emerge. However, RansomHub's pedigree, popularity, and prolificity certainly make it a group that all security professionals should be watching in 2025, even though the group has seen some turmoil.
Earlier this year RansomHub appeared to be facing internal conflict: on April 1 a number of affiliates reportedly lost access to the gang's negotiation portals and were cut off from RansomHub's channels with victims. This led affiliates to move negotiations to other channels, including the platforms of other RaaS groups.
Some members also shared their confusion on the dark web cybercrime forum RAMP, where a rival ransomware group, DragonForce, announced that it had become partners with RansomHub, that RansomHub had migrated to its infrastructure, and that the two operations' infrastructure would be merged.
It remains unclear whether this claim is correct or whether it is another hostile action by DragonForce against a fellow ransomware group. The announcement was met with mixed reactions from cybercriminals, some of whom expressed concern or asked why RansomHub's administrator, known as "koley", had failed to say anything about the situation.
LockBit
Thanks to Operation Cronos, the security industry and law enforcement know considerably more about LockBit now than they did this time last year. As part of the operation, the UK's National Crime Agency said it had accessed LockBit's source code, 1,000 decryption keys, and a "vast amount of intelligence" from its systems. Law enforcement agencies subsequently published information on LockBit's capabilities and operations, including details of its data exfiltration tool StealBit, data about its affiliates, and, most dramatically, the name of the individual they believe leads the LockBit group.
Russian national Dmitry Khoroshev has been charged by the U.S. Department of Justice with being the creator, developer, and administrator of LockBit, operating under the dark web aliases LockBit and LockBitSupp.
In spite of Khoroshev's indictment and the considerable disruptive impact of Operation Cronos on LockBit's infrastructure and reputation, the group has continued to attack victims, although at a much diminished rate. LockBit's total victim count for 2024 was less than half that of 2023, demonstrating the effect coordinated international law enforcement action can have on one of the greatest threats facing businesses.
However, LockBit's inclusion in the top five ransomware groups of last year means it remains a persistent threat. LockBit continues to list victims, recruit affiliates, and try to reclaim its reputation on dark web forums. Law enforcement has nevertheless continued to make progress in bringing LockBit associates to justice.
In March the U.S. Justice Department announced that a LockBit ransomware developer arrested in Israel in 2024 had been extradited to the United States, where he faces charges related to his role in the LockBit operation.
Rostislav Panev, a dual Russian and Israeli national, is accused of helping develop the LockBit ransomware, which he allegedly admitted after being taken into custody by Israeli authorities in August 2024.
Authorities accuse him of working on the LockBit malware between June 2022 and February 2024, for which he received roughly $10,000 worth of cryptocurrency per month, a total of about $230,000, according to the DoJ. Panev is said to have admitted that he did coding, development and consulting work for the LockBit group, and was found to have exchanged private messages on a cybercrime forum with LockBitSupp, LockBit's main administrator, Dmitry Yuryevich Khoroshev.
Play
Play ransomware has been active since June 2022 and is named after the ".play" extension it appends to the files it encrypts. Tactics used by Play are shared with the Nokoyawa and Hive ransomware operations, suggesting a connection between them, and there is also evidence that Play shares some of its attack-staging infrastructure with the Quantum RaaS group. In July 2024 Trend Micro researchers observed that the Play ransomware group had introduced a Linux variant of its malware that specifically targets VMware ESXi environments.
In October 2024, security researchers at Palo Alto’s Unit 42 published evidence of a deployment of Play ransomware by a threat actor backed by North Korea, known by a number of aliases including Jumpy Pisces, Andariel, and APT45. The link between this threat actor and Play is unclear, but demonstrates the potential for crossover between state-sponsored cyber activity and ostensibly independent cybercrime networks.
This year Play has also been observed deploying EDR killers. The tool in question, dubbed EDRKillShifter, was first documented in use by RansomHub actors in August 2024.
EDRKillShifter uses a technique called Bring Your Own Vulnerable Driver (BYOVD): it loads a legitimately signed but vulnerable driver and abuses it to gain kernel-level access, which it then uses to terminate the security products protecting the endpoint. Because the driver carries a valid signature, code-signing checks alone will not stop it; defenders should enable Microsoft's vulnerable driver blocklist and watch for driver loads from unusual paths followed by security processes dying. The tool was developed by RansomHub's operators and offered to its affiliates, which is unusual in itself, and it is now being used in ransomware attacks associated with other groups, including Play.
Researchers suspect that these attacks were carried out by the same threat actor, tracked as QuadSwitcher, who is likely involved with or related to Play.
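The correlation an analyst would build for the BYOVD pattern described above, as an added example: this is not code from the page, from Play or RansomHub tooling, or from any EDR vendor. It assumes Sysmon-style DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) events serialized into a constructed pipe-delimited text format; the driver hashes, the sample log lines and the list of EDR process names are constructed placeholders standing in for a loldrivers-style feed and your own agent inventory.

```python
"""Detecting a BYOVD / EDR-killer sequence in Sysmon-style endpoint telemetry.

Two signals are combined:
  * Event ID 6 (DriverLoad): the driver's hash is on a known-vulnerable-driver
    list, or the driver loads from outside the normal driver directory.
  * Event ID 5 (ProcessTerminate): several security-product processes die
    shortly after that driver load.
A validly signed vulnerable driver passes signature checks, so the hash list
and the kill sequence are what give the technique away.
"""
from datetime import datetime

# CONSTRUCTED placeholder hashes standing in for a loldrivers-style feed.
VULN_HASH_A = "a" * 64
KNOWN_VULNERABLE_DRIVER_SHA256 = {VULN_HASH_A: "placeholder vulnerable driver A"}

# Illustrative (not exhaustive) process names of common endpoint security agents.
EDR_PROCESS_NAMES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe",
                     "sentinelagent.exe", "cb.exe"}
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Constructed sample events: "<timestamp> | eid=<n> | key=value | ..."
SAMPLE_LINES = [
    "2025-03-10T09:05:00Z | eid=6 | image=C:\\Windows\\System32\\drivers\\tcpip.sys"
    " | sha256=" + "1" * 64 + " | signer=Microsoft Windows",
    "2025-03-10T09:14:02Z | eid=6 | image=C:\\Users\\Public\\Music\\drv.sys"
    " | sha256=" + VULN_HASH_A + " | signer=Some Hardware Vendor",
    "2025-03-10T09:14:09Z | eid=5 | image=C:\\Program Files\\Windows Defender\\MsMpEng.exe",
    "2025-03-10T09:14:11Z | eid=5 | image=C:\\Program Files\\SentinelOne\\SentinelAgent.exe",
    # An isolated agent restart hours later should not be attributed to the driver load.
    "2025-03-10T13:30:00Z | eid=5 | image=C:\\Program Files\\CrowdStrike\\CSFalconService.exe",
]


def parse_event(line: str) -> dict:
    """Parse one constructed log line into a dict with a datetime 'ts' and int 'eid'."""
    ts_str, *fields = [part.strip() for part in line.split(" | ")]
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")  # split at the first '=' only; paths may contain '='
        event[key] = value
    event["eid"] = int(event["eid"])
    return event


def detect_edr_kill_sequences(lines, window_seconds: int = 120) -> list:
    """Return one alert per suspicious driver load.

    A driver load is alerted on if its hash is known-vulnerable, or if two or
    more EDR processes terminate within `window_seconds` after it. A driver
    from a non-standard path is only a modifier: installers legitimately load
    drivers from temp directories, so on its own that would be noise.
    """
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    loads = [e for e in events if e["eid"] == 6]
    kills = [e for e in events if e["eid"] == 5
             and e["image"].rsplit("\\", 1)[-1].lower() in EDR_PROCESS_NAMES]
    alerts = []
    for load in loads:
        known = load.get("sha256", "").lower() in KNOWN_VULNERABLE_DRIVER_SHA256
        nonstd = not load["image"].lower().startswith(TRUSTED_DRIVER_DIRS)
        followed = [k for k in kills
                    if 0 <= (k["ts"] - load["ts"]).total_seconds() <= window_seconds]
        kill_seq = len(followed) >= 2
        if not (known or kill_seq):
            continue
        reasons = []
        if known:
            reasons.append("known-vulnerable driver hash")
        if nonstd:
            reasons.append("driver loaded from non-standard path")
        if kill_seq:
            reasons.append(f"{len(followed)} EDR processes terminated within {window_seconds}s")
        alerts.append({
            "ts": load["ts"].isoformat(),
            "driver": load["image"],
            # Suspicious driver *and* EDR processes dying right after it is the BYOVD signature.
            "severity": "high" if kill_seq and (known or nonstd) else "medium",
            "reasons": reasons,
            "terminated": [k["image"] for k in followed],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_edr_kill_sequences(SAMPLE_LINES):
        print(alert)
```

Run against the constructed sample, the benign tcpip.sys load produces nothing and the driver dropped into a user-writable directory produces a single high-severity alert with both EDR terminations attached. The window matters: too wide and any recent driver load gets blamed for an unrelated agent restart, too narrow and a killer that sleeps between steps slips through, so tune it against your own telemetry.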
Akira
Listed as one of our "groups to watch in 2024" in last year's report, Akira has lived up to our expectations in terms of its victim output: the group claimed more than 30 victims on its dark web leak site in a single day in November 2024. First observed in March 2023, Akira originally used a novel ransomware strain, written in C++, with versions targeting both Windows and Linux systems. However, a joint cybersecurity advisory on Akira issued in April 2024 noted that the group had also been observed deploying Megazord, a Rust-based variant that encrypts files with a .powerranges extension.
The advisory also warned that Akira has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. The group is known to exploit known vulnerabilities in VPN appliances to gain initial access to its targets, which typically operate in the commercial and professional services, capital goods, education, and software and services industries.
Since our report at the beginning of the year there have been two big developments with Akira. Firstly, cybersecurity researchers discovered a technique used by the Akira ransomware gang in which it used an unsecured webcam on the victim's network as a foothold from which to encrypt files on other systems, bypassing the Endpoint Detection and Response (EDR) protecting the Windows hosts.
The IoT device was running a lightweight Linux OS, making it a perfect host for Akira's Linux ransomware variant, and because the device was not monitored the attacker could run the ransomware unnoticed and encrypt files across the network. The practical lesson is that IoT devices need to be segmented away from file servers and that SMB connections from unexpected sources, a camera included, should be alerted on.
Secondly, security researcher Yohanes Nugroho released a decryptor for the Linux variant of Akira ransomware, which uses GPU power to recover the decryption key and unlock files for free. Nugroho developed the decryptor after helping a friend; having seen that Akira seeds its encryption keys from timestamps, he judged the encrypted system recoverable within a week.
In the end the project took Nugroho three weeks and $1,200 in GPU resources to brute-force the encryption key. The researcher noted in his write-up that GPU experts could still optimize his code, so performance can likely be improved.
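Why a timestamp-seeded key is recoverable at all, as an added worked example: this is a toy scheme written for this page, not Akira's actual cipher or Nugroho's decryptor. It assumes a key derived from the microsecond timestamp at which the encryptor ran, a defender who knows roughly when the file was encrypted (from its mtime) and a few bytes of plaintext from the file format (a PDF header), and a constructed sample file; the SHA-256 counter-mode keystream is a stand-in for whatever real cipher the key feeds.

```python
"""Why a timestamp-seeded key can be brute-forced.

Toy model (NOT Akira's real cipher): the key depends only on the microsecond
timestamp at which encryption ran. A second of uncertainty about that moment
is only ~2^20 candidates, so a known-plaintext check over every candidate
timestamp recovers the key. The last function shows how the work grows with
finer timestamp resolution and more independent timestamp seeds, which is
why the real-world case needed weeks of GPU time.
"""
import hashlib


def derive_key(seed_us: int) -> bytes:
    """Toy KDF: the only secret material is a microsecond timestamp."""
    return hashlib.sha256(b"toy-kdf" + seed_us.to_bytes(8, "little")).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256 (toy stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def encrypt_at(plaintext: bytes, now_us: int) -> bytes:
    """What the toy ransomware does: derive the key from 'now' and encrypt."""
    return xor_crypt(derive_key(now_us), plaintext)


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 approx_us: int, window_us: int):
    """Try every timestamp in [approx - window, approx + window].

    The candidate whose keystream turns the ciphertext prefix back into the
    known plaintext is the seed. With a 5-byte prefix and ~1e5 candidates the
    chance of an accidental hit is about 1e5 / 2^40, so no second check is needed
    here; with larger windows verify the full file after a hit.
    """
    head = ciphertext[:len(known_prefix)]
    for seed in range(approx_us - window_us, approx_us + window_us + 1):
        if xor_crypt(derive_key(seed), head) == known_prefix:
            return seed
    return None


def search_space(window_seconds: int, resolution_ns: int, seeds: int = 1) -> int:
    """Candidates to test: (window / timestamp resolution) ** number of independent seeds."""
    return (window_seconds * 1_000_000_000 // resolution_ns) ** seeds


if __name__ == "__main__":
    # Constructed sample: a PDF encrypted at a fixed microsecond timestamp.
    T = 1_741_597_200_123_456
    plaintext = b"%PDF-1.7\n% constructed sample document\n"
    ciphertext = encrypt_at(plaintext, T)
    # The defender's clue: the file's mtime, a few tens of ms after encryption began.
    seed = recover_seed(ciphertext, b"%PDF-", approx_us=T + 37_123, window_us=50_000)
    print("recovered seed:", seed, "correct:", seed == T)
    print("recovered plaintext:", xor_crypt(derive_key(seed), ciphertext) == plaintext)
    print("1 s window, microsecond seed:", search_space(1, 1_000))
    print("1 s window, nanosecond seed, four independent seeds:", search_space(1, 1, 4))
```

The point of the last two lines is the cost curve: a single microsecond seed over a one-second window is a million candidates and runs in well under a second of CPU here, but each extra order of magnitude of resolution multiplies the work, and each additional independent timestamp raises it to a power. That is the gap between a laptop and $1,200 of GPU time, and also why "random" keys must come from a CSPRNG rather than from the clock.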
Hunters International
Hunters International has been active since October 2023 but, as with RansomHub, it should be noted that the group did not appear in a vacuum. There are clear code similarities between Hunters International and the ransomware used by Hive, a RaaS group that was dramatically shut down in January 2023 after a seven-month covert infiltration and disruption campaign executed by law enforcement. Hunters International has denied being a rebrand of Hive, instead claiming to have acquired the defunct group's source code and infrastructure. Either way, this case once again demonstrates the links between different groups and the difficulty of eradicating any particular ransomware strain for good.
In its first full year of operation, the group's noteworthy 2024 victims included the London branch of the Industrial and Commercial Bank of China (ICBC), Japanese optics giant Hoya, and Namibia's state-owned telecoms company Telecom Namibia.
The group also claimed an attack on the U.S. Marshals Service on its dark web leak site, although this was disputed by the law enforcement agency. In August 2024, researchers at Quorum Cyber also published research on a Remote Access Trojan (RAT) used by Hunters International to “achieve initial infection, elevate their privileges on compromised systems, execute PowerShell commands, and eventually deploy the ransomware payload.”
In April it was reported that Hunters International was pivoting from ransomware to pure data extortion. Threat intelligence researchers revealed that Hunters International remained active despite announcing on November 17, 2024, that it was shutting down due to declining profitability and increased government scrutiny.
Since then, Hunters International has launched a new extortion-only operation known as "World Leaks". The new operation's tool appears to be an upgraded variant of the Storage Software exfiltration tool that Hunters International's ransomware affiliates also use.
Preventing ransomware attacks
To help prevent ransomware attacks, organizations must monitor ransomware groups to understand their TTPs. Getting under the skin of a ransomware group, knowing which industries it targets, the types of organizations it wants to infiltrate, and how and when it is most likely to strike, gives security teams the ability to prepare for attacks.
Dark web monitoring is one way organizations can take a more proactive approach to preventing ransomware, by identifying the warning signs of an imminent attack. One example is monitoring Initial Access Broker (IAB) posts on dark web hacking forums. An IAB is a cybercriminal who exploits vulnerabilities to gain access to a business's network and then sells that access on to other cybercriminals, including ransomware affiliates. Monitoring these posts can give organizations an early warning that they are a target.
If an organization spots an IAB post that matches its profile (IABs typically advertise the victim's country, industry, revenue and the type of access on offer rather than its name), it can begin investigating whether it has been compromised before the buyer has had the opportunity to deploy ransomware. The post will often also provide details of the compromise, giving security teams a starting point for their incident response.
Monitoring for listings on ransomware group profiles
If an organization has been listed on a ransomware group's leak site, the likelihood is that an attack has already happened and data has already been exfiltrated. However, as with any cyberattack, the faster a team identifies the incident the more likely it is to mitigate the damage.
Monitoring these listings gives organizations the opportunity to inform employees, customers, investors, and suppliers before they hear about the attack from another source. It also lets security teams find the threat earlier, respond faster, and put incident response plans into action sooner.
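The two matching problems in the IAB-post and leak-site-listing passages above, as one added example: this is illustrative code written for this page, not any vendor's monitoring product. It assumes IAB posts and leak-site listings have already been scraped into dicts with the fields brokers and leak sites usually expose, and the organization profile, posts and listings are all constructed. Posts rarely name the victim, so they are scored on attributes; listings do name the victim but inconsistently, so names are normalized and domains are matched as a second key.

```python
"""Matching dark web intelligence against an organization's own profile.

  * IAB posts: no victim name, so match on country, industry and revenue
    band; access type does not identify the victim but sets urgency.
  * Leak-site listings: victim names appear in inconsistent forms, so compare
    normalized names (case, punctuation, legal suffix stripped) exactly, and
    also match the organization's own domains anywhere in the listing text.
    Exact matching avoids the "Example Dental" false positive that naive
    substring search produces.
"""
import re

LEGAL_SUFFIXES = {"ltd", "limited", "inc", "llc", "plc", "gmbh", "corp",
                  "corporation", "co", "company", "sa", "ag"}

# Constructed profile of the organization doing the monitoring.
ORG = {
    "name": "Example Logistics Ltd",
    "domains": {"example-logistics.com", "examplelogistics.co.uk"},
    "country": "GB",
    "industry": "transportation",
    "revenue_musd": 120,
}


def normalize_name(name: str) -> str:
    """Lower-case, strip punctuation, drop trailing legal-form tokens."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    while tokens and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def match_leak_listing(listing: dict, org: dict):
    """Return a reason string if the listing is about `org`, else None."""
    victim = listing.get("victim", "")
    if normalize_name(victim) == normalize_name(org["name"]):
        return "name match"
    text = (victim + " " + listing.get("description", "")).lower()
    for domain in sorted(org["domains"]):
        if domain in text:
            return f"domain match ({domain})"
    return None


def score_iab_post(post: dict, org: dict, threshold: int = 4) -> dict:
    """Score how well an anonymous access listing fits `org`'s profile.

    Country and industry are strong signals (2 each); a revenue figure within
    a factor of two is weak (1). Threshold 4 means country + industry at least.
    """
    score, reasons = 0, []
    if post.get("country") == org["country"]:
        score, reasons = score + 2, reasons + ["country"]
    if post.get("industry") == org["industry"]:
        score, reasons = score + 2, reasons + ["industry"]
    revenue = post.get("revenue_musd")
    if revenue and org["revenue_musd"] / 2 <= revenue <= org["revenue_musd"] * 2:
        score, reasons = score + 1, reasons + ["revenue band"]
    access = post.get("access", "").lower()
    urgent = any(k in access for k in ("domain admin", "vpn", "rdp"))
    return {"score": score, "reasons": reasons, "match": score >= threshold,
            "priority": "high" if urgent else "normal"}


if __name__ == "__main__":
    # Constructed IAB posts and leak-site listings.
    posts = [
        {"country": "GB", "industry": "transportation", "revenue_musd": 100,
         "access": "Domain admin via VPN"},
        {"country": "US", "industry": "healthcare", "revenue_musd": 50, "access": "RDP"},
        {"country": "GB", "industry": "retail", "revenue_musd": 110, "access": "webshell"},
    ]
    listings = [
        {"group": "GroupA", "victim": "EXAMPLE LOGISTICS LIMITED"},
        {"group": "GroupB", "victim": "Example Dental Inc"},
        {"group": "GroupC", "victim": "Unnamed UK firm",
         "description": "1.2 TB of mail from @examplelogistics.co.uk"},
    ]
    for post in posts:
        print("IAB post", post["country"], post["industry"], "->", score_iab_post(post, ORG))
    for listing in listings:
        print("listing", listing["victim"], "->", match_leak_listing(listing, ORG))
```

Two caveats from running this in practice. Exact name matching deliberately ignores "Example Logistics Solutions Inc", which is right for an unrelated company but wrong for a subsidiary, so feed the matcher every brand, subsidiary and domain the organization owns, not just the registered name. And industry strings vary between forums, so map them to one taxonomy before comparing, otherwise "logistics" and "transportation" never match.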