The World’s Biggest Ransomware Groups of 2024

Ransomware attacks have surged in both frequency and sophistication, posing severe threats to businesses, governments, and individuals.

These attacks often lead to significant financial losses and operational disruptions. Ransomware groups operate like well-oiled corporations, utilizing advanced strategies and technologies to maximize their impact. In 2024, several groups have emerged as particularly formidable. Here, we explore the top ransomware groups that dominate the landscape today. As revealed by ExpressVPN's research, understanding the methods and operations of these groups is essential for developing effective defense strategies against ransomware attacks.

BlackBasta

BlackBasta made its entrance in early 2022 and quickly established itself as a major threat. Believed to be a spinoff from Conti, the group benefited from the experience of its members, who were involved in high-profile attacks like the one on the Costa Rican government. BlackBasta is notorious for its double extortion tactics, which involve demanding ransom for both decrypting data and preventing the release of stolen information. Last year, the group allegedly extorted at least $107 million in Bitcoin, laundering the funds through the cryptocurrency exchange Garantex.

BlackCat (ALPHV)

BlackCat, also known as ALPHV or Noberus, surfaced in November 2021, reportedly formed by former members of the now-defunct Darkside group. BlackCat's malware targets both Windows and Linux systems and employs a triple-extortion strategy. This approach includes ransom demands for decrypting files, promises not to leak stolen data, and threats of distributed denial-of-service (DDoS) attacks. The group has attacked over 1,000 victims worldwide, including significant breaches at OilTanking GmbH and Swissport, where it captured 1.6TB of sensitive data.

Clop

Clop, also known as Cl0p, is a prominent ransomware group known for its sophisticated, multilayered extortion schemes. The group’s attacks typically result in encrypted files with the “.clop” extension. Clop targets a variety of sectors, including finance, healthcare, and education. Recently, Clop exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer, leading to a widespread attack that affected numerous organizations, including the public school system in New York City and a UK-based HR solutions company.

LockBit

LockBit, established in 2019, has quickly become one of the most prolific ransomware groups. Operating under a Ransomware-as-a-Service (RaaS) model, LockBit provides sophisticated malware and attack infrastructure to affiliates, who execute the attacks and share the profits. The group has received over $120 million in ransom payments, targeting sectors like energy, manufacturing, government, healthcare, and education. Despite recent law enforcement actions that resulted in the seizure of their websites and servers, LockBit remains a significant threat.

REvil

REvil, also known as the Sodinokibi ransomware group, operates under a RaaS model, leasing out malicious software to affiliates who target businesses and individuals. The group demands ransom payments to decrypt data and runs a dark web marketplace, Happy Blog, where they threaten to publish stolen data. REvil has targeted high-profile victims, including Apple. Despite international law enforcement efforts to disrupt their activities, the group's methods continue to pose a significant threat.

To Sum Up

Ransomware groups in 2024 have evolved into sophisticated entities that pose severe threats across various sectors. With their advanced tactics and substantial financial gains, these groups continue to challenge cybersecurity measures worldwide. It is crucial for organizations to stay vigilant and implement robust security practices to mitigate the risks posed by these formidable adversaries.