Top 3 Most Dangerous Ransomware Groups

Ransomware threats are constantly evolving, and 2024 has already seen major disruptions and comebacks from some of the most notorious cybercriminal groups in the world. In this post, we’ll break down the top three most dangerous ransomware groups operating today: LockBit, Clop, and ALPHV/BlackCat. These ransomware-as-a-service (RaaS) operations have caused millions in damages and continue to target businesses, governments, and critical infrastructure worldwide.

If your organization isn’t actively monitoring ransomware trends or preparing an incident response strategy, this guide will help you understand what you’re up against.

Alternatively, reach out to us at Ridegell Consulting to create an Information Security Roadmap.

LockBit – The Most Prolific and Harmful

Overview

  • First Detected: September 2019 (initially known as “ABCD” ransomware)
  • Ransomware-as-a-Service (RaaS): LockBit leases its tools to affiliate hackers, who carry out attacks and share ransom payments with the developers.

Key Tactics & Techniques

  • Industries Targeted: Healthcare, education, finance, manufacturing, and government
  • Entry Points: Phishing emails, remote desktop protocol (RDP) exploits, and software vulnerabilities
  • Double Extortion: Encrypts files and exfiltrates data, threatening to leak sensitive information
  • Self-Spreading Capability: Can autonomously propagate within networks

Notable Attacks

  • Boeing (USA) – Disrupted global aircraft operations
  • Royal Mail (UK) – Caused significant service outages
  • Frequently targets SMBs with average ransom demands of $85,000 to $100,000

Law Enforcement Activity

  • February 2024: International takedown “Operation Cronos” (led by UK’s NCA and the FBI) seized LockBit’s infrastructure, source code, and dark web leak site.
  • LockBit’s leader (LockBitSupp) disappeared post-seizure, though experts warn affiliates may rebrand or regroup.

“LockBit, as a brand, is probably dead… Some groups have cockroach-like resilience.” – Brett Callow, Emsisoft

Clop (Cl0p) – The Big Game Hunters

Overview

  • Operated by TA505, a financially motivated cybercriminal group linked to phishing campaigns and ransomware.
  • Known for aggressive double and even quadruple extortion methods.

Key Tactics & Techniques

  • Initial Access: Phishing emails, credential theft, or exploiting zero-day vulnerabilities
  • Leak Site Pressure: Stolen data is posted publicly if ransoms go unpaid
  • Direct Outreach: Targets may receive emails or phone calls pressuring them to pay up

Notable Attacks

  • MOVEit Transfer Exploit (2023): A mass exploitation event affecting hundreds of organizations, including British Airways, Shell, and the Nova Scotia Government
  • Accellion Breach (2020-2021): Exposed data from major law firms, universities, and corporations

Law Enforcement Response

  • Arrests of alleged affiliates have occurred in Ukraine and South Korea.
  • The U.S. Department of State has offered a $10 million reward for information linking Clop to state-sponsored entities.

“Clop isn’t slowing down—they’re evolving. Their model is built for persistence.” – Cyber Threat Analyst, Recorded Future

ALPHV/BlackCat – The Sophisticated New Player

Overview

  • Launched in late 2021, ALPHV (aka BlackCat) is known for innovation and technical prowess.
  • First major ransomware family written in Rust, making it harder to detect and analyze.

Key Tactics & Techniques

  • Customizable Payloads: Affiliates can tailor the malware to each target
  • Double Extortion: Encrypts data and threatens public leaks
  • High-Value Targets: Focused on healthcare, energy, and financial institutions

Notable Attacks

  • Trans-Northern Pipeline (Canada, 2023) – Claimed theft of 190 GB of sensitive data
  • Change Healthcare (2024) – One of the largest healthcare breaches in U.S. history

Law Enforcement Response

  • December 2023: FBI disrupted infrastructure and released decryption tools
  • March 2024: Group briefly shut down due to a $22 million ransom dispute
  • By April, the group resumed operations, hinting at a new affiliate structure

“BlackCat has turned ransomware into a product suite. It’s plug-and-play cybercrime.” – Cybersecurity Ventures

  • Over 45 known ransomware gangs are actively operating
  • Shift toward zero-day exploits and data exfiltration-first tactics
  • Smaller, stealthier attacks are increasing as big targets harden their defenses
  • Law enforcement actions are ramping up, but takedowns often lead to rebrands

How to Protect Your Organization from Ransomware

  • Employee Awareness & Training
    • Conduct phishing simulations and regular security awareness sessions
    • Teach users how to recognize suspicious links and social engineering attempts
  • Backup & Disaster Recovery
    • Keep offline and immutable backups
    • Regularly test recovery processes
  • Security Best Practices
    • Enable multi-factor authentication (MFA)
    • Patch systems promptly and automate where possible
    • Segment your network to contain breaches
  • Incident Response Planning
    • Create and routinely update a ransomware playbook
    • Pre-arrange access to incident response professionals and legal counsel
  • Penetration Testing & Cyber Risk Assessments
    • Simulate real-world ransomware attacks
    • Identify and close exploitable vulnerabilities before threat actors do

Partner with us for effective and practical solutions that align with your business objectives.

Frequently Asked Questions

What is the most dangerous ransomware group in 2025?

LockBit remains one of the most dangerous due to its prolific attack rate, autonomous spread, and double extortion tactics. However, Clop and ALPHV/BlackCat are also highly destructive and well-resourced.

What is ransomware-as-a-service (RaaS)?

A model where developers lease their ransomware to affiliates, enabling wide-scale attacks. It functions like a criminal franchise.

Are small businesses at risk from ransomware?

Absolutely. Many attacks target small and mid-sized enterprises, often because they have weaker security measures and are more likely to pay to restore access.

Can law enforcement stop ransomware groups?

Yes, but not permanently. Groups often rebrand or splinter after takedowns. Global coordination is improving, but cybercriminals adapt quickly.

Who We Are

Ridegell Consulting is a Canadian Indigenous-owned company. At our core, we are a technology advisory and consulting firm. We specialize in cyber and technology maturity assessments, technology roadmaps, and business strategy creation, for small to medium-sized businesses. Our mandate is to help our clients protect their businesses and increase their technological maturity through advising and implementing projects focused on business needs.
