Ransomware gangs are being arrested and taken down, but the threat from the data locking malware doesn’t go away. In 2024, a number of completely new ransomware gangs entered the fray. Take, for example, up and coming group Termite, which claimed responsibility for the Blue Yonder cyber-attack, or the AI-assisted Funksec group.
The last year has seen fragmentation in the ransomware ecosystem, says Luke Donovan, head of threat intelligence at Searchlight Cyber. “While we are used to the idea of a handful of mega-groups accounting for most ransomware victims, this is no longer the reality.”
Now, there are an increasing number of smaller operations that organizations need to worry about, he says. “There are dozens of ransomware groups posting victims on the dark web – and more emerge every week,” Donovan tells ITPro.
So who are the new ransomware groups to be concerned about in 2025, what are their aims, and who do they target?
Funksec
First up is Funksec, a new double extortion group that emerged in late 2024. Check Point tracked the group publishing the details of over 85 victims in December – more than any other group.
The extortion group is so new that not much is known about its tactics, techniques and procedures (TTPs). Check Point noted that while the group’s dark web communications appear in rudimentary English, its code comments are impeccable. It used this evidence to suggest that the group is using AI-generated code, including its Rust source code. As mentioned it has published across various sectors, including media, IT and education.
The group announced a new encryption tool “Funklocker” on its leak site in December, then in early January 2025 the user “hinkim” advertised its ransomware as a service (RaaS) model on forums, says Spence Hutchinson, threat intelligence researcher at eSentire’s Threat Research Unit.
“Hello! We are excited to announce the launch of our Ransomware-as-a-Service (RaaS) for groups interested in using Funksec 1.0,” the post reads. “The price is $100 for unlimited access, with 30% allocated for providing a decryptor. Our locker features advanced anti-detection techniques, including Orion methods, to enhance security.”
RansomHub
Another new group is RansomHub, which is so prolific it has overtaken the infamous LockBit. “This RaaS operation only emerged in February 2024, but finished the year as the group with the most listed victims on its dark web leak site,” says Donovan.
The gang hit 500 victims last year, targeting multiple industries, meaning it’s a group all companies should be keeping an eye on, he warns.
RansomHub is the “most notable ransomware group of recent times”, agrees Santiago Pontiroli, senior cyber threat researcher at Acronis. “Other key players, such as LockBit and ALPHV/BlackCat, suffered several setbacks, allowing RansomHub to become the most prominent ransomware threat actor.”
Of the top 13 ransomware groups of 2024, only one emerged last year: Ransomhub, says Dov Lerner, staff Security researcher at Bitsight. “This makes sense; existing groups are well-oiled operations of managers, coders, operators and affiliates, while new groups need to build capabilities and scale. “
Howling Scorpius
It emerged in 2023, but the Howling Scorpius ransomware group is also worth knowing about going into 2025. The Akira ransomware, operated by Howling Scorpius as a RaaS, has been “one of the most active ransomware operations” in recent times, says Anna Chung, principal researcher at Unit 42, Palo Alto Networks. “In fact, it has consistently ranked among the top five most active ransomware groups over the past few months.”
Small to medium-sized businesses across North America, Europe, and Australia are the primary targets, particularly industries such as education, consulting, government, manufacturing, telecommunications, technology and pharmaceuticals.
Howling Scorpius employs a double extortion approach. “They first exfiltrate critical data from their victims’ networks and then proceed to encrypt systems,” Chung says. “This allows them to leak the stolen data if the victim restores their systems without paying the ransom, maximising pressure to comply with their demands."
BlackLock
BlackLock (aka El Dorado) is a brand new group that is already making a name for itself as a destructive group on course to becoming a major presence in 2025.
To date it has stood out from competitors through its unusual leak site, which contains features that stop victims from properly assessing the scale of attacks, as well as its tailor-made malware. This prevents security researchers from easily assessing the scope and scale of future BlackLock attacks, even as the group appears to be recruiting for larger-scale campaigns.
Lynx
In July 2024, Palo Alto Networks identified a new ransomware strain named Lynx, which appears to be a successor to INC ransomware, says Chung.
Since emerging, Lynx has shown a focus on critical industries in the US and UK including retail, real estate, architecture and financial and environmental services. Between July and November 2024, the group targeted multiple facilities across the US, including energy, oil and gas sectors.
Lynx's attack methodology is “particularly alarming”, says Chung. It operates as a RaaS and employs double extortion tactics. “After gaining access to a system, the ransomware can steal sensitive information before encrypting the victim’s data, effectively locking them out.”
To make recovery more difficult, it adds the “.lynx” extension to encrypted files and deletes backup files. “More strikingly, they send ransom notes directly to connected printers, ensuring the victim is immediately aware of the attack,” Chung explains.
Termite
Ransomware group Termite has gained notoriety following its attack on Blue Yonder in December.
Primarily motivated by financial extortion, Termite is also focusing on data theft and resale, says Lorri Janssen-Anessi, director external cyber assessments at BlueVoyant. “Its recent links to zero-day attacks on Cleo file transfer products indicate a sophisticated strategy targeting critical infrastructure and large corporations in the technology, finance and healthcare sectors.”
The older ransomware groups
While these new groups are gaining pace, some of the most notorious and prolific ransomware groups have been severely diminished over the last 12 months, Donovan says. He cites the example of BlackCat, which has “completely disappeared” after “retiring” in March 2024.
However, Play and BlackBasta – which attacked BT Group in 2024 – have both been active since 2022 and retain “a consistently high victim count”, Donovan says.
There is also a chance that gangs with a smaller output in 2024 might re-bound in 2025, says Donovan. He cites the example of LockBit. “For many years, it was the most prolific ransomware group, but it was severely knocked by the law enforcement action Operation Cronos. However, it was still the second most active of the year and should not be discounted as a threat.”
LockBit remains “a formidable force”, agrees Janssen-Anessi. “Similarly, Conti has evolved by rebranding and adapting its tactics, focusing on sectors like healthcare and logistics. “
Meanwhile, Cl0p – notorious for its 2023 mass-attack against hundreds of organizations using the MOVEIt software vulnerability – had a “relatively muted” 2024, says Donovan. “However, the group remains active and does have a track record for going through quiet periods before bulk-announcing a number of victims at once. It may have new surprises in store for 2025.”
Protecting your business against ransomware groups new and old starts with getting the basics right. Attackers often target vulnerabilities in software, making it integral that patching is up to date.
Other key security practices that all organizations should have in place include multi-factor authentication (MFA) and educating employees, says Donovan. However, when preparing for specific threats, security teams need to narrow it down to the most likely groups that could attack them, he says.
It is “nearly impossible” to prepare for dozens of ransomware groups at once, Donovan says. “But if security teams can narrow it down to the four or five who target their industry, geography, or peers, and really understand how they launch their attacks, they can get ahead of those who are most likely to target them.”
