Ransomware attacks soar as new cybercrime groups reshape threat landscape in 2025

In 2024, thirty-one new ransomware gangs joined the cybercrime scene, but their sophisticated tactics might be the real cause for

The surge in ransomware attacks has been attributed to the emergence of new cybercrime groups. Despite law enforcement efforts targeting major cybercrime operations, the total number of active ransomware gangs has reached 94, with 46 new entities appearing in 2024. These newcomers, including groups like RansomHub and Akira, are not merely filling the vacuum left by dismantled organizations, but are instead transforming cyber threats with increasingly sophisticated tactics.

RansomHub, for instance, has made a significant impact, surpassing even established groups like LockBit in activity. This emerging group has capitalised on fragmented legacy operations and on the disruption caused by law enforcement actions against major ransomware groups. “Overall, RansomHub’s emergence can be attributed to the dynamic between RaaS and law enforcement operations,” according to the NCC Group’s 2024 report, highlighting the fluid nature of the ransomware ecosystem.

The rise of new players has reshaped the threat landscape, with groups like Lynx and FOG employing double-extortion tactics and exploiting vulnerabilities in sectors such as education and manufacturing. The education sector has become a prime target for groups like FOG, which has carried out at least 30 intrusions via compromised SonicWall VPN accounts.

The industrial sector has also seen a significant spike in attacks, with 1,424 incidents recorded in 2024, a 15% increase from the previous year. This sector’s vulnerability to ransomware attacks is attributed to factors such as buggy, exploitable products, compromised credentials, and geopolitical tensions.

The Akira ransomware gang, another newcomer, has quickly become a key player, known for its double-extortion tactics and use of a ransomware-as-a-service (RaaS) model. Their targeted attacks are meticulously planned and executed, often leveraging vulnerabilities in VPNs and VMware ESXi.

The evolving nature of ransomware threats is a concerning trend, with new groups emerging and old ones rebranding. The influx of new players has made it challenging for law enforcement agencies to keep pace, leaving them feeling as though they are playing a game of “whack-a-mole”. As such, it is crucial for organisations to remain vigilant and proactive in their cybersecurity efforts to mitigate these persistent threats.

A relentless wave of ransomware attacks has engulfed organisations worldwide, with U.S. incidents skyrocketing 149% in early 2025 compared to the previous year, according to data from Cyble. This surge is part of a broader global trend that sees an average of 4,000 attacks daily. Cybercriminals are becoming increasingly sophisticated in their approach, leveraging AI to enhance their attacks and make them more complex. In recent months, experts have warned that the integration of AI technologies in business processes could expose vulnerabilities for malicious actors to exploit.

The landscape has shifted dramatically, with 31 new ransomware groups emerging in 2024, bringing the total number of active gangs from 62 to 94. While RansomHub dominated the scene last year, they’ve now dropped to fifth place as groups like CL0P and Akira take centre stage. This shift comes as law enforcement crackdowns on major players have created opportunities for new criminal organisations to fill the void.

As noted by the NCC Group: “Targeting major players has forced affiliates to find the next best operator who can provide them with the best software and commission”.

Ransomware attacks are most commonly initiated through email phishing campaigns, which remain the preferred entry point for attackers. They also exploit RDP vulnerabilities and software weaknesses, with Windows-based systems being their primary target, accounting for 93% of ransomware attacks. Organisations that generate over $5 billion in revenue face a staggering 67% attack rate.

When organisations are hit by ransomware, they’re looking at an average cost of $1.85 million to recover. However, there’s some good news – 90% of attacks either fail or result in no financial losses for the victim.

But organisations can’t let their guard down, as these incidents typically take 49 days longer than average security breaches to identify and contain.

Experts predict annual victim costs to reach $265 billion by 2031, with cryptocurrency values making attacks more profitable. “Attacks have become more profitable due to increasing cryptocurrency values further escalating these threats,” notes the NCC Group. This evolving threat demands vigilance and robust cybersecurity measures to mitigate the risks.
