Full Report
In 2024, global ransomware attacks hit 5,414, an 11% increase from 2023. After a slow start, attacks spiked in Q2 and surged in Q4, with 1,827 incidents (33% of the year's total). Law enforcement actions against major groups like LockBit caused fragmentation, leading to more competition and a rise in smaller gangs. The number of active ransomware groups jumped 40%, from 68 in 2023 to 95
Analysis Summary
The provided article discusses the landscape of new ransomware groups in 2024. Since the request is to summarize information for a *specific* threat actor, and the article details *three* distinct new groups (RansomHub, Fog, and Lynx), the summary below focuses first on RansomHub as the most prominently detailed actor, and then includes structured summaries for Fog and Lynx based on the available text.
---
## Threat Actor Summary Compilation
### Actor 1: RansomHub
## Attribution & Identity
* **Identification:** Leading new ransomware group detected in 2024.
* **Aliases and Associations:** Perceived as the 'spiritual successor' to ALPHV (following the FBI's disruption), potentially involving former ALPHV affiliates. Exhibits characteristics of a traditional Russian ransomware setup (e.g., avoiding CIS nations).
* **Model:** Operates as a Ransomware-as-a-Service (RaaS) with strict affiliate agreements.
## Activity Summary
* **Historical Activities:** Commenced operations in February 2024. By the time of the article (published March 2025), claimed responsibility for 531 attacks listed on its Data Leak Site (DLS).
* **Objectives:** Prioritizes attack volume over high payment rates to ensure long-term profitability via affiliate expansion.
* **Financials:** Offered a 90/10 ransom split (Affiliates/Core Group). Low payment rate observed (11.2% in August 2024 findings).
## Tactics, Techniques & Procedures
* **Encryption Strategy:** Encrypts data *before* performing exfiltration. This inverts the usual double-extortion order, so detections that rely on spotting a large outbound transfer ahead of encryption give no early warning against this group.
* **Toolset/Malware:** Ransomware developed in Golang and C++, targeting Windows, Linux, and ESXi. Noted for fast encryption speed.
* **Parallels:** Similarities noted with GhostSec's ransomware. Sophos research highlights parallels with Knight Ransomware, including Go-language payloads obfuscated with Gobfuscate and identical command-line menus.
* **Guarantees:** Guarantees free decryption if affiliates fail to provide it post-payment or target prohibited organizations.
## Targeting
* **Sectors:** General targeting, but explicitly *avoids* non-profits.
* **Geography:** Global, but avoids CIS nations, Cuba, North Korea, and China.
* **Victims:** Not specified by name, but attack volume metrics are tracked via their DLS.
## Tools & Infrastructure
* **Malware Families Used:** Custom Ransomware (Golang/C++).
* **Infrastructure:** One listed indicator observed on November 28, 2024:
* Domain-Name: `gfs302n515[.]userstorage[.]mega[.]co[.]nz` (defanged). This is a single node of the MEGA cloud-storage service, so it should be matched as an exact hostname; blocking `mega.co.nz` as a whole is a policy decision, not an indicator match.
## Implications
RansomHub has rapidly become a dominant force, capitalizing on the fragmentation caused by law enforcement actions against major groups. Their RaaS model and aggressive affiliate management suggest sustained and high-volume operational activity.
## Mitigations
* Treat language and obfuscator fingerprints (Go payloads packed with Gobfuscate, C++ builds) and the Knight command-line overlap as hunting leads rather than reliable detections; behavioural signals (mass file renames, fast encryption bursts) hold up better across rebuilds. Because Windows, Linux and ESXi variants exist, hypervisor hosts need the same coverage as endpoints.
* Do not factor the exclusion list (CIS nations, Cuba, North Korea, China, non-profits) into risk assessment. It is a business rule imposed on affiliates through the RaaS agreement, not a technical control, and it offers nothing to organisations outside those categories.
---
### Actor 2: Fog Ransomware
## Attribution & Identity
* **Identification:** New ransomware group active in 2024.
* **Aliases and Associations:** Linked to Akira, suggesting shared infrastructure or collaboration (the link was observed in 75% of documented intrusions).
## Activity Summary
* **Historical Activities:** Appeared in early April 2024. Attacked 87 organizations globally in 2024. Arctic Wolf observed at least 30 intrusions initiated via compromised SonicWall VPN accounts.
* **Objectives:** Primary goal is financial extortion via double-extortion.
* **Speed:** Demonstrated alarming speed, with the shortest observed time from initial access to encryption being just two hours.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploiting stolen VPN credentials, specifically compromised SonicWall VPN accounts.
* **Extortion:** Employs double-extortion (encryption + data publication).
* **Infrastructure:** Publishes data on a TOR-based leak site.
* **Kill Chain:** Follows typical ransomware kill chain: network enumeration, lateral movement, encryption, and data exfiltration.
* **Malware:** Versions exist for Windows and Linux platforms.
## Targeting
* **Sectors:** Primarily targets education, business services, travel, and manufacturing. The education sector is noted as their *primary* focus.
* **Geography:** Focus on the U.S.
* **Victims:** Not specified by name.
## Tools & Infrastructure
* **Malware Families Used:** Fog ransomware.
* **Infrastructure (IOCs):**
* IPv4-Addr: `107[.]161[.]50[.]26` (Defanged)
* Multiple SHA-1 hashes observed across late 2024.
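As an added example (not from the report and not any vendor's tooling), the following Python takes the two network indicators on this page, RansomHub's MEGA storage hostname and Fog's IPv4 address, refangs them and matches them against constructed DNS and firewall log lines. The log format, the function names and the indicator list are assumptions for the example; the match is deliberately exact so that other users of the MEGA service are not flagged.

```python
import re

# Constructed for this example: the two network indicators from the profiles above,
# kept in defanged form so the list can be pasted into tickets or chat safely.
DEFANGED_IOCS = [
    "gfs302n515[.]userstorage[.]mega[.]co[.]nz",  # RansomHub, observed 2024-11-28
    "107[.]161[.]50[.]26",                         # Fog
]

# Constructed sample log lines (not real telemetry): a DNS query log and a
# firewall log in a generic key=value format. Only the first and third should match.
SAMPLE_LOGS = [
    "2024-11-28T10:15:02Z dns client=10.20.1.55 query=gfs302n515.userstorage.mega.co.nz qtype=A",
    "2024-11-28T10:15:03Z dns client=10.20.1.55 query=gfs999n001.userstorage.mega.co.nz qtype=A",
    "2024-12-02T03:11:45Z fw src=10.20.1.71 dst=107.161.50.26 dport=443 action=allow",
    "2024-12-02T03:12:01Z fw src=10.20.1.71 dst=107.161.50.27 dport=443 action=allow",
]

_DEFANG_DOTS = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\s+dot\s+", re.I)
_HOST_OR_IP = re.compile(r"\b(?:query|dst|dest|host)=([A-Za-z0-9.\-]+)")


def refang(value: str) -> str:
    """Undo the usual defanging conventions so an indicator can be compared with raw logs."""
    v = _DEFANG_DOTS.sub(".", value.strip())
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.I)
    v = v.replace("[:]", ":").replace("[@]", "@")
    return v.lower()


def defang(value: str) -> str:
    """Render an indicator safe to paste into reports: every dot becomes [.]."""
    return value.replace(".", "[.]")


def scan_logs(lines, defanged_iocs=DEFANGED_IOCS):
    """Return (timestamp, source, matched_ioc_defanged) for each line whose queried name
    or destination equals an indicator exactly. Exact match on purpose: the MEGA hostname
    is one node of a legitimate storage service, so a suffix match on mega.co.nz would
    flag ordinary users of that service rather than this indicator."""
    wanted = {refang(i): i for i in defanged_iocs}
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        m = _HOST_OR_IP.search(line)
        if not m:
            continue
        observed = m.group(1).lower().rstrip(".")
        if observed in wanted:
            src = next((f.split("=", 1)[1] for f in fields
                        if f.startswith(("client=", "src="))), "?")
            hits.append((fields[0], src, wanted[observed]))
    return hits


if __name__ == "__main__":
    for ts, src, ioc in scan_logs(SAMPLE_LOGS):
        print(f"{ts} {src} -> {ioc}")
```

The indicator list stays defanged in the source and is only refanged in memory at match time, which keeps the file itself safe to share.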
## Implications
Fog represents a significant threat to the education sector due to its focus and its reliance on readily exploitable initial access vectors (stolen VPN credentials).
## Mitigations
* Enforce MFA on SonicWall SSL VPN accounts, reset credentials for any account that may have been exposed, and review VPN authentication logs for logins from unfamiliar addresses; a valid credential is all this group needed for initial access.
* Given the observed two-hour window from initial access to encryption, alerting on enumeration and lateral movement must be near-real-time. A lead that waits for a daily review cycle arrives after the encryptor has run.
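As an added example of the two mitigations above (not from the report and not any vendor's detection content), the following Python correlates a VPN login with the internal logons that follow it and alerts when one account fans out to several hosts inside a short window, the pattern a two-hour intrusion produces. The event format, the 30-minute window, the five-host threshold and the account names are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: a 30-minute correlation window after a VPN login and
# five distinct internal hosts as the fan-out threshold. Tune both to the estate.
FANOUT_WINDOW = timedelta(minutes=30)
MIN_TARGETS = 5

# Constructed sample events (not real telemetry), one per line:
#   ts|vpn_login|account|src_ip|mfa=yes|no
#   ts|logon|account|logon_type|target_host   (Windows 4624 style: type 3 network, 10 RDP)
SAMPLE_EVENTS = [
    "2024-10-03T01:05:12|vpn_login|jdoe|198.51.100.23|mfa=no",
    "2024-10-03T01:09:40|logon|jdoe|2|WS-042",      # interactive logon, not lateral movement
    "2024-10-03T01:11:02|logon|jdoe|3|FS01",
    "2024-10-03T01:11:45|logon|jdoe|3|FS02",
    "2024-10-03T01:13:10|logon|jdoe|10|DC01",
    "2024-10-03T01:15:33|logon|jdoe|3|SQL01",
    "2024-10-03T01:16:02|logon|jdoe|3|SQL01",       # repeat host, counted once
    "2024-10-03T01:18:50|logon|jdoe|10|HV01",
    "2024-10-03T01:24:07|logon|jdoe|3|BACKUP01",
    "2024-10-03T08:30:00|vpn_login|asmith|203.0.113.8|mfa=yes",
    "2024-10-03T08:41:12|logon|asmith|3|FS01",
    "2024-10-03T08:55:48|logon|asmith|10|WS-017",
]


def parse_event(line):
    ts, kind, account, f3, f4 = line.split("|", 4)
    return datetime.fromisoformat(ts), kind, account, f3, f4


def vpn_accounts_without_mfa(lines):
    """Accounts that completed a VPN login with no MFA claim: the first list to review
    and reset when stolen VPN credentials are the known initial-access vector."""
    return sorted({acct for _, kind, acct, _, mfa in map(parse_event, lines)
                   if kind == "vpn_login" and mfa != "mfa=yes"})


def detect_fanout(lines):
    """One alert per VPN session in which the same account reached MIN_TARGETS or more
    distinct internal hosts over network/RDP logons within FANOUT_WINDOW of connecting."""
    sessions, logons = [], defaultdict(list)
    for ts, kind, account, f3, f4 in map(parse_event, lines):
        if kind == "vpn_login":
            sessions.append((ts, account, f3, f4 == "mfa=yes"))
        elif kind == "logon" and f3 in ("3", "10"):
            logons[account].append((ts, f4))
    alerts = []
    for start, account, src_ip, mfa in sessions:
        in_window = [(t, h) for t, h in logons[account]
                     if start <= t <= start + FANOUT_WINDOW]
        hosts = sorted({h for _, h in in_window})
        if len(hosts) >= MIN_TARGETS:
            first = min(t for t, _ in in_window)
            alerts.append({
                "account": account, "vpn_src": src_ip, "mfa": mfa,
                "minutes_to_first_lateral": round((first - start).total_seconds() / 60, 1),
                "hosts": hosts,
            })
    return alerts


if __name__ == "__main__":
    print("VPN logins without MFA:", vpn_accounts_without_mfa(SAMPLE_EVENTS))
    for a in detect_fanout(SAMPLE_EVENTS):
        print(a)
```

The alert carries the VPN source address and the MFA flag so the responder can disable the account at the VPN concentrator first, then chase the hosts it touched.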
---
### Actor 3: Lynx Ransomware
## Attribution & Identity
* **Identification:** Double-extortion ransomware group actively victimizing companies.
* **Aliases and Associations:** None specified in the text.
## Activity Summary
* **Historical Activities:** Active in 2024, listing numerous victims on its leak site.
* **Objectives:** Financial extortion via double-extortion.
## Tactics, Techniques & Procedures
* **Extortion:** Double-extortion model.
* **Infection Marker:** Encrypts files, appending the `.LYNX` extension.
* **Ransom Note:** Drops a ransom note named "README.txt" in multiple directories.
## Targeting
* **Sectors:** Explicitly *avoids* government organizations, hospitals, non-profit groups, and "other essential social sectors."
* **Geography:** Global (implied by "victimizing companies").
* **Victims:** Not specified by name.
## Tools & Infrastructure
* **Malware Families Used:** Lynx ransomware.
* **Infrastructure:** Not detailed in the provided text excerpt.
## Implications
Lynx maintains a relatively standard profile for modern ransomware groups but appears to adhere strictly to avoiding critical social infrastructure targets.
## Mitigations
* Alert on the `.LYNX` extension and on `README.txt` drops, but rate them by volume and spread: `README.txt` is an everyday filename, so a single creation is noise, whereas a burst of renames to `.LYNX` or notes appearing in many directories within a minute is the encryptor at work.
* Do not treat the stated avoidance of government, healthcare and non-profit targets as protection. It is a policy the operators claim for themselves and can change or be ignored by affiliates at any time.
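As an added example of the first mitigation (not from the report and not any vendor's rule), the following Python runs a one-minute sliding window over constructed file events per host and process and alerts only when renames to `.LYNX` or `README.txt` creations cross a volume threshold, so a developer saving one README does not fire. The event format, thresholds, host names and the process name `svc_update.exe` are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RANSOM_EXT = ".lynx"        # extension Lynx appends; compared case-insensitively
NOTE_NAME = "readme.txt"    # the ransom-note name, which is also an everyday benign filename
WINDOW = timedelta(seconds=60)
MIN_RENAMES = 20            # renames to .LYNX within one window: enough on their own
MIN_NOTE_DIRS = 5           # README.txt created in this many distinct directories in one window


def parse_event(line):
    """Constructed format: ISO timestamp|host|process|op|path, with op in {rename_to, create}."""
    ts, host, proc, op, path = line.rstrip("\n").split("|", 4)
    return datetime.fromisoformat(ts), host, proc, op, path


def detect(lines):
    """One alert per (host, process) whose activity inside any 60 s window looks like Lynx:
    a burst of renames to .LYNX, or ransom notes dropped across many directories.
    A developer saving one README.txt, or renaming a few files, never fires."""
    by_actor = defaultdict(list)
    for line in lines:
        ts, host, proc, op, path = parse_event(line)
        by_actor[(host, proc)].append((ts, op, path))
    alerts = []
    for (host, proc), events in by_actor.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while events[start][0] < ts - WINDOW:   # slide the window forward
                start += 1
            window = events[start:end + 1]
            renames = sum(1 for _, op, p in window
                          if op == "rename_to" and p.lower().endswith(RANSOM_EXT))
            note_dirs = {str(PureWindowsPath(p).parent).lower() for _, op, p in window
                         if op == "create" and PureWindowsPath(p).name.lower() == NOTE_NAME}
            if renames >= MIN_RENAMES or len(note_dirs) >= MIN_NOTE_DIRS:
                alerts.append({"host": host, "process": proc,
                               "window_start": window[0][0].isoformat(),
                               "renames": renames, "note_dirs": len(note_dirs)})
                break  # one alert per actor is enough to start triage
    return alerts


def constructed_events():
    """Constructed sample telemetry, not real data: one host being encrypted, one developer host."""
    t0 = datetime(2024, 11, 14, 2, 17, 0)
    dirs = [r"C:\Users\alice\Documents", r"C:\Users\alice\Desktop", r"D:\Finance\2024",
            r"D:\Finance\Archive", r"\\FS01\Shared\HR", r"\\FS01\Shared\Legal"]
    lines = []
    for i in range(18):  # 18 renames in 18 s: below MIN_RENAMES on its own
        d = dirs[i % len(dirs)]
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()}|WS-042|svc_update.exe|rename_to|{d}\\file{i}.docx.LYNX")
    for j, d in enumerate(dirs):  # ransom note in six directories: this is what fires
        lines.append(f"{(t0 + timedelta(seconds=30 + j)).isoformat()}|WS-042|svc_update.exe|create|{d}\\README.txt")
    lines.append("2024-11-14T09:00:00|DEV-07|code.exe|create|C:\\src\\tool\\README.txt")
    lines.append("2024-11-14T09:00:05|DEV-07|code.exe|rename_to|C:\\src\\tool\\old.bak")
    return lines


if __name__ == "__main__":
    for a in detect(constructed_events()):
        print(a)
```

Both signals are evaluated in the same window so the alert records how many renames accompanied the note drops; a note burst with zero renames on a file server may be a client machine writing through SMB, which the host field alone would not reveal.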