Number of active dark web ransomware groups up 38 percent in 2024

A total of 94 ransomware groups listed victims in 2024 (a 38 percent increase on 2023) with 49 new groups observed, according to a new report, reflecting further complexity in the ransomware landscape.

The study from Searchlight Cyber also finds an 11 percent increase in the number of total victims posted on ransomware leak sites in 2024 (5,728) compared to 2023 (5,081).

The five most prolific ransomware groups of 2024 were RansomHub, LockBit, Play, Akira and Hunters International, which represents a major change in the ransomware landscape. Of those five, only LockBit has been active for more than three years and RansomHub -- the most prolific group of the year -- only emerged in February 2024. Meanwhile, major groups such as BlackCat and Cl0p (ranked second and third respectively in 2023) dropped out of the rankings.

Luke Donovan, head of threat intelligence at Searchlight Cyber, says:

The major takeaway from this report is that we enter 2025 with a busier and more complex ransomware ecosystem. While we have observed disruption to some of the biggest ransomware groups, there has been an influx in smaller players, which creates challenges for security teams that are constantly trying to assess and prepare for emerging threats.

In this increasingly busy landscape, it becomes even more vital for organizations to actively apply threat intelligence to inform their defenses. Firstly, to identify commonalities in how these groups operate and prepare for the most common attack techniques. Secondly, to help them narrow down their adversaries to the four or five groups they are most likely to face, based on their activity and victimology.

The full report is available from the Searchlight site.

Image credit: Benjawan Sittidech/Dreamstime.com