RansomHub dethrones LockBit as top ransomware cartel


LockBit’s reign of terror has waned following a law enforcement crackdown. However, a new contender has quickly filled the gap. RansomHub, which emerged in February, claimed nearly a fifth of all ransomware victims in September, 2024.

The ransomware ecosystem is being shaken by an ongoing shift, with new actors gaining ground as the established groups' influence declines. This leaves the threat landscape even more complex and dangerous.

In September, ransomware gangs posted 392 victims on their extortion sites. And it was RansomHub that took the lion's share, 19%, or 74 victims, the report reveals.

ADVERTISEMENT

The second most active ransomware gang was Play, with 43 victims claimed, which is in line with its monthly average of 32 victims.

This was followed by Qilin (23), Medusa (21), and the former king LockBit, which posted 20 victims.

In 2022 and 2023, LockBit was responsible for 40% of all ransomware victims, but the cartel's capabilities have recently plummeted to just 5%. And four out of the ten claimed victims were “recycled from previous attacks.”

This signals that the gang was likely attempting to appear active following a major law enforcement crackdown.

In May, LockBit’s leader was exposed in an FBI breakthrough, and six members were charged for their participation. In October, the gang took another massive hit when authorities seized its critical servers and arrested four members.

What is RansomHub?

A relatively new player, RansomHub, has quickly risen to prominence, prompting US cyber authorities to release a joint advisory in August. By that time, the gang had already infiltrated more than 200 organizations, and its activity only increased in the following months.

RansomHub was thought to be connected to ALPHV, another notorious ransomware gang.

ADVERTISEMENT

“The group has achieved significant success by operating under a ransomware-as-a-service model, allowing affiliates to carry out attacks using its tools and infrastructure,” Check Point said.

ransomhub-victims

In September, half of its attacks landed in the US and Canada, with 43% and 4%, respectively. The gang is primarily interested in industrial manufacturing and healthcare. Despite the stated policy of avoiding healthcare organizations, RansomHub attacked clinics and surgical centers, “suggesting loose oversight over affiliates,” Check Point assesses.

RansomHub brought some technological innovations to the table. Its tools are capable of remote encryption. The affiliates exploit exposed unprotected machines, reducing the risk of detection and increasing the success rate of attacks.

In its extortion site on the dark web, RansomHub claims that it’s “only interested in dollars” but also states it does “not allow CIS (Commonwealth of Independent States, consisting of Russia and their allies), Cuba, North Korea, and China to be targeted.”

The ransomware operator asks for a 10% share from its affiliates. They rely on double extortion tactics, threatening to publicly release the encrypted information if the victim refuses to pay.

Among the claimed RansomHub victims were laptop maker Clevo, Christie’s auction house, and Frontier, the 4th largest high-speed internet provider in the US, covering 25 states.

Niamh Ancell BW Ernestas Naprys jurgita vilius
Don’t miss our latest stories on Google News

Low-skilled cybercriminals launch sophisticated attacks

Last year marked a shift from encryption-based attacks to ransomware gangs relying on data theft and extortion models. With ransomware gangs now prioritizing data theft over encryption, even solid backup strategies will not protect the companies from reputational or legal damages.

ADVERTISEMENT

“Ransomware has transitioned into an organized, scalable business model via ransomware-as-a-service, where even low-skilled cybercriminals can launch sophisticated attacks. Global affiliate networks have democratized cybercrime, driving an alarming increase in attack volume,” Check Point’s report warns. “The future of ransomware shows no signs of slowing down.”

Industrial manufacturing, healthcare, and education remain the most vulnerable industries. Ransomware gangs exploit reliance on legacy systems, complex supply chains, vast networks, and critical data.

Check Point believes that companies must adopt AI-driven security solutions, capable of automatically detecting and neutralizing threats, “while zero-trust ensures that no user or device is trusted by default, preventing further damage if a breach occurs.