Check Point Blog

Ransomware’s Evolving Threat: The Rise of RansomHub, Decline of Lockbit, and the New Era of Data Extortion

1. Introduction

The ransomware landscape is witnessing significant changes, with new actors like RansomHub rising to prominence, while previously dominant groups such as Lockbit experience a sharp decline. Ransomware remains the most pervasive cyber threat, with financially motivated criminal groups deploying increasingly sophisticated tactics, including Ransomware-as-a-Service (RaaS) models and double extortion. This report, based on Check Point Research’s (CPR) September 2024 analysis, provides an in-depth review of the current ransomware trends, key actors, and their impact on sectors such as industrial manufacturing, education, and healthcare.

This evolution in tactics, coupled with the growing capabilities of emerging groups, poses significant challenges for organizations worldwide. The report aims to provide insights into these developments and offer guidance on how enterprises can better protect themselves against ransomware attacks.

Figure 1 – Ransomware shame-sites victim analysis by threat actor, September 2024.

2. Key Findings

The key findings from Check Point Research (CPR) highlight the ongoing shift in the ransomware ecosystem, where newer actors are gaining ground while traditional powerhouses face declining influence. The September 2024 statistics reflect not only a change in the actors but also the continuous change in the strategies employed by these groups.

2.1. RansomHub’s Ascendancy

RansomHub, a relatively new player that emerged in February 2024, has quickly risen to dominate the ransomware landscape. The group has achieved significant success by operating under a RaaS model, allowing affiliates to carry out attacks using its tools and infrastructure.

Figure 2 – RansomHub remote-encryption feature announcement on a darkweb forum.

In September 2024, RansomHub accounted for 19% of all ransomware victims, with 74 new victims, marking a slight increase from 72 in August 2024.

Figure 3 – RansomHub victims over time

RansomHub’s growth can be attributed to its use of advanced technological capabilities, such as remote encryption, which enables affiliates to encrypt local data without running local encryption processes. This makes detection and prevention more complicated.
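Because remote encryption runs no encryption process on the machine that holds the data, one signal left to the defender is the file activity itself: a single remote client rewriting many files in a short time. The following is an added example, not code from Check Point's report, of a sliding-window check over file-access audit events. The event layout, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample: (epoch_seconds, remote_client, share_path, operation).
# The layout and values are illustrative, not any product's log schema.
def make_sample_events():
    events = []
    # A normal user on ws-014 editing a few documents over ten minutes.
    for i in range(5):
        events.append((1000 + i * 120, "ws-014", f"/finance/q{i}.xlsx", "write"))
    # An unmanaged host rewriting and renaming 40 files in under a minute.
    for i in range(40):
        t = 2000 + i
        events.append((t, "unmanaged-7", f"/hr/doc{i}.docx", "write"))
        events.append((t, "unmanaged-7", f"/hr/doc{i}.docx", "rename"))
    return events

def find_bulk_rewriters(events, window=60, min_files=30, min_rename_ratio=0.5):
    """Return {client: first_alert_time} for remote clients that write at least
    min_files distinct files within `window` seconds, where at least
    min_rename_ratio of those files were also renamed in the same window."""
    recent = defaultdict(deque)  # client -> events still inside the window
    flagged = {}
    for ts, client, path, op in events:  # events must be in time order
        if op not in ("write", "rename"):
            continue
        q = recent[client]
        q.append((ts, path, op))
        while q and ts - q[0][0] > window:  # evict events older than the window
            q.popleft()
        written = {p for _, p, o in q if o == "write"}
        renamed = {p for _, p, o in q if o == "rename"}
        if len(written) >= min_files:
            ratio = len(written & renamed) / len(written)
            if ratio >= min_rename_ratio:
                flagged.setdefault(client, ts)  # keep the first crossing only
    return flagged

if __name__ == "__main__":
    for client, ts in find_bulk_rewriters(make_sample_events()).items():
        print(f"bulk rewrite from {client}, threshold crossed at t={ts}")
```

The thresholds need tuning against legitimate bulk writers such as backup jobs and file-sync clients before this kind of rule is used for alerting.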

Figure 4 – Analysis of RansomHub’s reported victims by country, September 2024.

2.2. Lockbit’s Decline

Once responsible for 40% of all ransomware victims during 2022-2023, Lockbit has seen its operational capabilities plummet in recent months. In September 2024, the group accounted for just 5% of victims, with 20 new cases, down sharply from its peak activity in previous years.

A significant portion of Lockbit’s September claimed victims—approximately 40%—were recycled from previous attacks. This means that Lockbit either re-posted victims from earlier attacks or claimed victims already extorted by other ransomware groups. The recycling of victims is likely an attempt to maintain the appearance of ongoing activity following a major law enforcement crackdown in February 2024.

Figure 5 – Lockbit claimed victims’ data.

2.3. Meow Ransomware: Shifting to Data Extortion

Meow ransomware first appeared in late 2022 and initially followed the typical encryption-based attack model. However, in recent months, the group has shifted its focus toward data theft and extortion, abandoning encryption in favor of selling stolen data.

Figure 6 – Data offered for sale on the Meow Onion site.

2.4. Play Ransomware and Qilin’s Steady Activity

Play ransomware ranked second in September 2024, with 43 new victims, which is in line with its monthly average of 32 victims. Play continues to target U.S.-based companies, with 75% of its victims located in the United States, focusing primarily on the manufacturing and consumer goods sectors.

Similarly, Qilin ransomware (Agenda), a Russian-speaking RaaS group, continues to focus on North American targets. In September, 86% of its victims were located in North America, particularly in the U.S. and Canada. Both groups show steady, consistent activity but remain secondary to the dominant RansomHub.

3. Sectoral Targeting of Ransomware Groups

Figure 7 – Analysis of reported ransomware victims by industry, September 2024.

3.1. Industrial Manufacturing: The Most Targeted Sector

The industrial manufacturing sector remains the most attacked by ransomware groups. In September 2024, RansomHub and Play ransomware directed a significant portion of their attacks at manufacturing companies, particularly in the United States.

3.2. Education: A Growing Target

The education sector has become a key target for ransomware groups, second only to industrial manufacturing.

3.3. Healthcare: A Persistent Target Despite Public Statements

Despite some ransomware groups publicly stating that they avoid targeting healthcare organizations, RansomHub attacked 10 healthcare institutions in September 2024. These attacks included community clinics and surgical centers, demonstrating that affiliates are often not bound by these promises.

4. Geographical Distribution of Ransomware Attacks

Ransomware attacks remain concentrated in North America, with 48% of all victims in September 2024 located in the United States. This is consistent with trends from previous months, where U.S.-based organizations have been the primary targets for ransomware actors.

Figure 8 – Analysis of reported ransomware victims by country, September 2024.

5. Tactical Shifts: From Encryption to Data Extortion

One of the most significant changes observed in 2024 has been the shift in ransomware tactics, with many groups moving away from encryption-based attacks toward data theft and extortion. 

5.1. Data Theft as the New Revenue Model

Traditional encryption-based attacks, while still effective, have been increasingly countered by companies through the implementation of backup systems that mitigate the damage caused by data encryption. In response, ransomware groups like Meow have pivoted to stealing sensitive data and threatening to release it unless ransoms are paid.

5.2. The Challenges of Data Extortion for Enterprises

This shift toward data extortion presents a new challenge for enterprises. Even if data is backed up, the leakage of sensitive information can still cause significant reputational damage and result in legal liabilities. Organizations are now forced to balance the cost of paying a ransom with the risk of having their data exposed publicly.

6. What This Means for Enterprises

The findings from Check Point Research have far-reaching implications for businesses across sectors. As ransomware tactics evolve, companies must adjust their cyber security strategies to remain resilient.

6.1. Increasing Ransomware Sophistication

Ransomware groups like RansomHub are leveraging new tactics such as remote encryption and taking the RaaS business model to new heights to scale their operations. Enterprises can no longer rely on traditional defenses to protect their systems.

6.2. Data Theft and Extortion Require Comprehensive Solutions

The shift from encryption to data extortion highlights the need for companies to focus on securing sensitive data, not just protecting against encryption-based attacks.

6.3. Sector-Specific Cyber security Strategies

Industries like industrial manufacturing, education, and healthcare are particularly vulnerable to ransomware attacks. These sectors must invest in tailored cyber security solutions to address their specific challenges.

6.4. The Importance of AI-Driven Defenses

As ransomware tactics continue to evolve, companies must adopt AI-driven security solutions to defend against these emerging threats. AI-powered systems can automatically detect and neutralize threats based on behavior patterns, significantly reducing the risk of a successful attack.

Conclusion: The Future of Ransomware and What It Means for Enterprises

The September 2024 Ransomware Status Report reveals a rapidly evolving ransomware landscape marked by more complex and dangerous tactics. RansomHub’s rapid rise, Lockbit’s decline, and the shift to data extortion by groups like Meow indicate that ransomware is becoming more difficult to prevent and mitigate. These changes demand a stronger focus on safeguarding data rather than relying solely on preventing breaches.

Ransomware has transitioned into an organized, scalable business model via Ransomware-as-a-Service (RaaS), where even low-skilled cybercriminals can launch sophisticated attacks. Global affiliate networks have democratized cybercrime, driving an alarming increase in attack volume. For enterprises, this shift means facing an ever-growing threat from a global marketplace of cybercriminals.

As groups like Meow prioritize data theft and extortion, even the most prepared companies with solid backup strategies remain vulnerable. Data can be stolen and sold, causing significant reputational and legal damage. To counter this, businesses must go beyond traditional backups and implement data-loss prevention (DLP) systems, enhanced encryption, and stringent access control policies. AI-driven threat detection is also crucial in combating modern ransomware tactics.

Lockbit’s decline serves as a reminder of the competitive and volatile nature of cybercrime. Although diminished, it has been replaced by groups like RansomHub, demonstrating that vigilance and real-time threat intelligence are essential to stay ahead of emerging threats.

To defend against this new wave of ransomware, enterprises must adopt AI-driven security solutions and implement zero-trust architectures. AI systems are vital for detecting and mitigating ransomware in real-time, while zero-trust ensures that no user or device is trusted by default, preventing further damage if a breach occurs.

Certain industries, like industrial manufacturing, healthcare, and education, are particularly vulnerable. These sectors need tailored solutions to secure legacy systems and protect sensitive data. In healthcare, ransomware is not just a cyber security threat—it can disrupt critical services, making automated incident response and real-time monitoring essential.

The future of ransomware shows no signs of slowing down. Enterprises must adopt proactive cyber security strategies, including AI-driven defenses and zero-trust models, to survive in this ever-changing threat landscape. Those that invest in real-time threat intelligence and comprehensive data protection will be the ones to withstand these evolving challenges.

By implementing these solutions, organizations can navigate the next generation of cyber threats and maintain resilience in an increasingly hostile environment.
