Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

Who are the Top 10 Ransomware Groups in 2024?

The list of top ransomware groups changes yearly. Some groups that faced immense pressure from global law enforcement agencies became less active. Additional groups rose as a shadow of previous successful ransomware gangs to become even bolder than their predecessors. 


Most ransomware groups originate in well-known hacker incubation countries, including Russia, North Korea, Iran, Nigeria, Vietnam, and Pakistan. Many attacks specialize in Ransomware-as-a-Service (RaaS), double extortion, or explicitly targeting one vertical market like healthcare. 


This article highlights which ransomware groups fall into the top 10 list for 2024, the country of origin, what methods they use, and what vertical markets they focus on—knowing who these hackers are becomes critical for your organizations to help better plan for their unexpected attacks. 

What is the Importance of Identifying Top Ransomware Groups?

This constant cycle of new ransomware-as-a-service (RaaS) players continues to alter their methods and preferred targets. Ransomware groups, like any other technology service, vary in motive, method, and an element of uncertainty in the exploitation of vulnerabilities. Knowing who they are, their tactics, which vertical markets they favor, and what country they are in is valuable intelligence for a CISO and CIO.

Knowing this background information helps organizations decide which markets to operate in or what products to bring. What is the risk to the organization if entering a specific market like healthcare? What ransomware groups target healthcare? CEOs and the board of directors may alter future business decisions based on the risk of a ransomware attack.


Here is a Breakdown of the Top Ten Ransomware Groups and Individuals Expected to be active in 2024.


Each ransomware group shares a standard connection with others, performing similar operational disruptions, causing digital infrastructures, and becoming rich from collecting ransoms. Some of these ransomware operators may be rivals, while others form alliances. Most ransomware groups either continue as is or fade away in the dark web. 

The top ten list for 2024 below is, like many lists, a projection, not something set in stone. Ransomware attacks happen around the world every day. New ransomware groups become visible, and others dissipate or dissolve thanks to law enforcement officials. 

The list below considers past groups and individuals that may have been dismantled, arrested, maybe still on the run. In 2024, we could witness new ransomware gangs becoming bigger players, or old groups could rebrand themselves, or individuals wanted by Interpol could rise from the shadows within the dark web and become even a bigger problem for organizations.

Conti ransomware-as-a-service (RaaS) delivered several financially impactful attacks in 2022, affecting over 1000 organizations globally. This malware is delivered using the double extortion method. This strategy uses two stages. The first stage encrypts the files and holds them for ransom. After the victims pay, hackers demand another ransom payment, or they will release the documents to the public.  


The Russia-Ukraine war has been a significant factor in the Conti ransomware group going offline. However, it is uncertain whether the war directly caused this or simply played a role. The effects of this began to surface shortly after the war started in February 2022.


After Russia invaded Ukraine on February 24, 2022, the cybercriminal group known as Conti released a statement expressing support for the Russian government. They warned of retaliatory actions, including threats to critical infrastructure, in response to any cyberattacks or “war activities,” without specifying specific targets. In 2024, Conti continues to be active as the war between Russia and Ukraine enters its third year

This notorious ransomware group used email phishing attacks and malicious links to deploy their Sodinokibi malware to take control of a computer until the ransom was paid. In 2022, Russian authorities reported they had fully dismantled the REVil group along with charging several of their members.


Until 2024, no signs of REvil activity were reported by InfoSec firms. However, members of the group continue to be active across the globe, developing more ransomware malware. The Australian government has sanctioned Russian individual Aleksandr Ermakov for his role in the Medibank Private data breach. Ermakov has been reportedly arrested in Russia by the security firm F.A.C.C.T and charged with violating local laws regarding malicious computer programs.


F.A.C.C.T. identified various defendants during the investigation who were involved in promoting ransomware, developing custom malicious software, creating phishing sites for online stores, and directing user traffic to fraudulent schemes prevalent in Russia and the CIS.

Law enforcement agencies discovered this malicious software in 2020 on Russian-language cybercrime forums. Speculation has arisen that the group behind LockBit 3.0 is based in Russia. The group is known for its business-like operation and extensive recruitment of affiliates to deploy its malicious software.  Unlike other cybercrime groups, it operates solely for profit while remaining apolitical. 


Some notable victims of this ransomware include the United Kingdom’s Royal Mail, the Ministry of Defense, and Japanese cycling component manufacturer Shimano. Recently, data stolen from aerospace company Boeing was released after the company chose not to pay the ransom demanded by LockBit.


In 2024, the United States Justice Department and several law enforcement agencies successfully took down LockBit 3.0 globally. The Department of Justice, in cooperation with U.K. authorities and international law enforcement agencies, revealed indictments against two Russian nationals, Artur Sungatov and Ivan Kondratyev, accusing them of deploying LockBit against multiple companies in the U.S. and abroad. However, the group quickly resurfaced in the dark web with a change of tactics for a more resilient operation. 

This ransomware has become the second most widespread variant worldwide, resulting in significant ransom payments from victims. This ransomware, like many others, is developed in Rust code. Furthermore, the ALPHV/Blackcat group has admitted to carrying out recent cyberattacks on Prudential Financial and loanDepot.

The Justice Department has launched a campaign against the Blackcat ransomware group, ALPHV or Noberus. This group has targeted over 1,000 victims worldwide, including networks supporting U.S. critical infrastructure. The FBI secretly created a decryption tool to help over 500 affected victims restore their systems. In addition, the FBI has gained access to the Blackcat ransomware group’s computer network and seized several of their websites. 


However, BlackCat has regained control of its website and established a new leak website. They have also announced new threats, expanding their targets to all types of organizations, including nuclear power plants and hospitals.

A ransomware variant that emerged in February 2019 developed from CryptoMix and used as a ransomware service (RaaS) in widespread spear-phishing campaigns. It employed a verified and digitally signed binary to circumvent system defenses. It was notorious for employing the ‘double extortion’ strategy of stealing and encrypting victim data, withholding access restoration, and publishing exfiltrated data on Tor. 


The Russian group has targeted hundreds of victims, including agencies within the United States government, by extorting them with threats of publishing private data, most recently through exploiting various MOVEit vulnerabilities. The FBI and CISA offer a $10 million reward for information on the Cl0p ransomware gang.

The Akira Ransomware Group was first identified in March of 2023 and operates a Tor hidden service blog documenting targeted organizations. They reportedly share stolen files from non-compliant victims. They have become a notable ransomware threat for small to medium-sized businesses, with many alleged victims listed on their data leak sites.


Since 2023, Akira has carried out 81 cyberattacks against healthcare organizations, manufacturing, finance, and law firms. They target critical infrastructure in the U.S. There are suspicions that Akira may be linked with the former Conti ransomware gang, notorious for targeting healthcare organizations.

Rhysida Ransomware is malware used by threat actors in different industries, with confirmed instances of operating in a profit-sharing capacity. According to US agencies, gangs using the Rhysida ransomware have targeted organizations’ virtual private networks and deployed phishing attacks to gain access to systems. 


This ransomware gained attention by sharing stolen Chilean Army documents and successfully breaching healthcare institutions like Prospect Medical Holdings. The content of threat actors from the Chilean arms document and Prospect Health Holdings breach becomes displayed as low-resolution images. The hackers will attempt to sell the stolen data on their leak site with an initial bid of 20 bitcoins, equivalent to approximately £590,000.

The victim-shaming website 8Base, operated by the cybercriminal organization behind the ransomware group, inadvertently leaked significant information.  8Base is characterized as a data-extortion cybercrime operation rather than a ransomware operation. They have gained notoriety in the cyber threat landscape for the many victims reported on their data leak site.


8Base, active since March 2022, increased its activity in the summer of 2023, targeting various sectors in the United States. They engaged in double extortion tactics as an affiliate of Ransomware-as-a-Service groups, mainly targeting small to medium-sized companies.

The Black Basta Ransomware Group surfaced as a global cyber threat in April 2022 by targeting large organizations specific to the construction and manufacturing industries. The group targeted over ninety networks in North America and Europe by encrypting files and stealing data for extortion. Recently, Black Basta has shown interest in attacking critical infrastructure in the U.S.


The organization has maintained a low profile in the past year, leading to speculation that it may operate similarly to private groups like Conti, TA505, and REVil group. Instead of using widespread methods, the group takes precautions and uses targeted strategies, handpicking their victims before taking action.

Scattered Spider, known by several aliases such as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is skilled in social engineering tactics such as phishing, multi-factor authentication (MFA) bombing and SIM swapping to infiltrate large organizations. 


The group comprises young English-speaking members with varied skill sets who frequent hacker forums and Telegram channels. They have employed BlackCat/ALPHV ransomware besides their regular tactics, including double extortion, unauthorized access to sensitive files, and remote access by hackers.  One of the victims of the group is MGM Resorts International, one of the world’s largest gambling firms. This attack disrupted MGM’s operations, leading the company to shut down its IT systems. Also, sensitive customer information was exfiltrated. As a result, the company estimated about $100 million in financial impact.

What Makes Everyone a Target of Top 10 Ransomware Groups?

Everyone, regardless of what industry you are in or if you are a home internet user, becomes a ransomware target. Ransomware groups spread their attacks across specific vertical markets that deliver the most ransom without becoming detected or arrested by law enforcement. 


For example, ALPHV/Blackcat executed highly successful ransomware attacks against financial institutions like IoanDepot and Prudential. Yet CL0P and Lockbit 3.0 executed similar ransomware attacks against U.S. Government targets and members of the military-industrial complex. These groups also focus on other targets, including critical infrastructure and the U.S. Healthcare system. These victimized sectors often pay ransom demands to access their essential systems and data.

The Truth is in the Numbers

Hackers and scammers send billions of email phishing messages globally daily, creating new ransomware victims. It is estimated that close to 3.4 billion spam emails are sent daily. That number would equate to close to 48% of all emails sent daily are spam. 


Embedded within these messages are malicious links with ransomware payloads created by hackers to trick users into disclosing their credentials, downloading malware, or disclosing personal information. Somehow, someday, everyone will become a victim of ransomware.

Does Every Victim Pay the Ransom?

Organizations across several vertical markets, including education, government, healthcare, and finance, have become targeted by ransomware gangs. These organizations need access to their data to function as a business. Hackers using the latest ransomware malware attack these organizations, forcing them to pay the ransom. In 2024, many organizations may opt out of paying the ransom while leveraging backup solutions and better email phishing countermeasures to prevent the propagation of ransomware malware. 


Hackers often demand the ransom paid in Bitcoin or other cryptocurrencies. Many home users rarely have access to this type of payment. This reality makes them a lesser target for a ransomware attack. However, home user computers could be used as zombie hosts to help hackers launch attacks against much larger targets, including healthcare organizations and financial institutions. 

Becoming less of a victim of ransomware starts with a clear understanding of what you are trying to prevent. If you are more concerned about paying out the ransomware, your organization should consider cyber insurance. Suppose your top concern is to prevent ransomware from attacking your supply chain and ecosystem partners. In that case, consider a network segmentation strategy to block the ability of the ransomware to propagate laterally across your various VLANs. 


Stopping ransomware starts with a proactive strategic approach to cybersecurity protection in layers instead of a bolt-on addition to an existing legacy adaptive control. Investing in artificial intelligence (AI) and machine learning (ML) cybersecurity defensive tools is a good start, but only if you have the proper security operations team and processes to handle the incidents and threats. 


A ransomware strategy needs to cover an entire 360-degree wheel. Investing in operations without adequate adaptive controls creates targets of vulnerability for ransomware to propagate. By deploying unproven next-generation defensive tools with no in-house or managed services experience, this investment becomes a waste of capital time. 


Should you need help or advice at the board level, please contact – Cubic Consulting at Help involves personal training, risk meeting preparation, cybersecurity strategy review, etc.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.