
ESET: RansomHub most active ransomware group in H2 2024

The antimalware vendor says law enforcement operations against the LockBit ransomware gang were successful, but a new prolific group has emerged in its place.

ESET declared RansomHub the top ransomware group on the threat landscape following law enforcement's disruption of the infamous LockBit ransomware gang earlier this year.

The antimalware vendor published its "Threat Report H2 2024" on Monday, detailing ransomware trends, a rise in infostealers and an increase in attackers targeting macOS devices. The report covers telemetry from June through November, a period during which ESET researchers observed new attack vectors and social engineering methods, as well as a reshuffling of established ransomware groups driven by successful takedown operations.

One of the most significant law enforcement disruptions occurred against LockBit earlier this year. A joint law enforcement operation dubbed Operation Cronos, which began in February, led to arrests and infrastructure seizures, and exposed one of the group's leaders: Dmitry Yuryevich Khoroshev, also known as "LockBitSupp."

Now, ESET has observed the RansomHub gang emerge as the "clear winner" in replacing LockBit as the most active ransomware-as-a-service (RaaS) operation. ESET's findings align with research from NCC Group earlier this year detailing RansomHub's rise.

"The sudden swoop of the former top RaaS created a short-lived vacuum, one that many ransomware groups tried to fill. The most successful in this endeavor was RansomHub, occupying the prime spot among RaaS since July 2024. And if no dramatic event shakes up the landscape, this gang will also remain the leader until the end of the year," ESET wrote in the report.

The researchers added that RansomHub emerged in February -- the same month in which Operation Cronos began -- and "quickly ranked among the most active groups." The report also highlighted the group's tactics, techniques and procedures. For example, RansomHub targets both Linux and Windows systems and relies on living-off-the-land techniques, which abuse legitimate administrative tools already present on a victim's hosts rather than dropping custom malware, making the activity harder to distinguish from normal operations and therefore harder to detect.

While analyzing the group's public data leak site, ESET found nearly 500 victims listed since February, including oil and gas giant Halliburton and Kawasaki Europe. RansomHub also claimed responsibility for a disruptive attack against Oklahoma City Abstract and Title Co. in October.

While ESET researchers highlighted how competitive the RaaS landscape is, they believe RansomHub will remain the most active gang "well into 2025." They also believe RansomHub has absorbed former affiliates of the LockBit and BlackCat ransomware operations. Law enforcement agencies disrupted BlackCat, also known as Alphv, in December 2023; the group shut down in early 2024, shortly after the notorious attack on UnitedHealth Group's Change Healthcare.

"Considering the steep increase in activity of RansomHub and the ever-growing number of its victims, it is highly likely that this RaaS attracted the former top tier affiliates from the now disrupted LockBit and defunct BlackCat services," the report said.

The Embargo ransomware group is another emerging competitor highlighted in the report. ESET first observed the group in June and said it's part of a "growing trend" of developing malicious tools in Rust. The report said Embargo stands out among other groups due to the operators' ability to "quickly modify their tooling -- even during an active intrusion."

Regarding the overall ransomware landscape, ESET found a downward trend going into the second half of 2024.

"As for ESET telemetry, ransomware detections in H2 2024 have globally decreased by over 23% compared to H1 2024," the report said.

However, the report also noted a concerning trend. During H2, ESET found that nation-state actors connected with North Korea, China and Iran were becoming increasingly involved in ransomware attacks.

"Then there are groups that want to make an 'extra buck' on the side, one of them being Iran-aligned Pioneer Kitten that acted as initial access broker (IAB) and collaborated with several groups, including RansomHouse as well as the now defunct NoEscape and BlackCat," the report said.

MacOS attacks surging

Another alarming trend ESET observed was an increase in threat actors targeting macOS systems. The vendor recorded a 127% increase in password-stealing ware (PSW) on the macOS platform. ESET warned that PSW frequently targets credentials related to cryptocurrency wallets, among other things.

"Although these threats cannot be classified solely as cryptostealers due to their broader functionality, they are indicative of the rising trend in cryptostealing activities on macOS," the report said.

Earlier this year, unknown threat actors exploited two zero-day vulnerabilities in macOS Sequoia, a threat that further highlighted an increase in Mac-based attacks observed by several vendors this year. In the report, ESET partially attributed the surge in Mac-based attacks to AMOS, or Atomic Stealer, which it said was initially designed to collect and exfiltrate data from Mac devices. AMOS was sold as malware-as-a-service on the messaging platform Telegram, whose CEO was arrested earlier this year for allegedly enabling malicious activity on the platform.

"Attackers use legitimate-looking malicious ads on Google's network, leading users to a site that prompts the target to download malware posing as legitimate software," the report said. "Victims have also reported on social media and online forums that they were approached by individuals posing as representatives of cryptocurrency investment entities. After gaining the victims' trust, these representatives recommended installing specific software, such as a videoconferencing app, that turned out to be AMOS."

Jean-Ian Boutin, director of threat research at ESET, told Informa TechTarget Editorial that it's not surprising to see an increase in malware targeting macOS devices, as cybercriminals typically focus on widely used platforms. "Additionally, the recent rise in cryptocurrency prices will likely attract more cybercriminals to target wallets stored on various devices, as well as crypto exchanges," he said.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
