
Military strategist Sun Tzu wrote over 2,000 years ago that it is critical to understand your adversary. That principle is why anti-ransomware platform provider Halcyon publishes its "Ransomware Malicious Quartile (MQ) Power Rankings." The fourth quarter 2024 edition was released in January 2025. This magic quadrant-style assessment delivers useful insight into the evolving ransomware-as-a-service (RaaS) landscape: who the leading ransomware threat groups are, whom and where they are targeting, and an interesting analysis of how ransomware attacks are being designed for geopolitical impact.
Ransomware’s Devastating Impact
Ransomware is one of the most disruptive and costly attacks. “Ransomware is unique in cybercrime because of its tangible impact on everyday people,” said Jon Miller, CEO and Co-Founder of Halcyon. “When patients can’t get healthcare, workers can’t do their jobs, and the most vulnerable among us are directly extorted because their most personal information was exfiltrated in a ransomware attack, we are talking about attacks that are unlike any we have seen before.” These attacks impact organizations, large and small.
Direct and indirect costs are considerable. Willy Leichter, CMO at AppSOC, points out, “Ransomware remains the most lucrative way to monetize cybercrime by encrypting data, damaging critical systems, or just threatening reputational damage.” Costs to organizations impacted by a ransomware attack include recovery operations, lost business, and, in some cases, paying the ransom.
"Ransomware victims paid over $1 billion in 2023 just to regain access to their own data and assets," added Enrique Salem, partner at Bain Capital Ventures (BCV).
RansomHub and the Other Top 5 Ransomware Groups
Halcyon’s power rankings report identifies 26 RaaS gangs. These criminal organizations support hundreds of active ransomware campaigns. International law enforcement has carried out actions aimed at disrupting some of these organizations, but Anthony Freed, Director of Research and Comms for Halcyon, reports, “Nothing the authorities are doing to combat this mounting wave of ransomware attacks is effective in the slightest.” This is borne out by the report: of the top five groups, three emerged in 2022, one in 2023, and the most prolific RaaS provider by attack volume in the quarter, RansomHub, only became active in early 2024.
The RansomHub group focuses on large organizations with the capacity to pay significant ransoms. For example, it demanded $22 million from Change Healthcare. Other victims included the City of Marietta, Georgia, NRS Healthcare, and Frontier Communications. The group uses advanced ransomware deployment, lateral movement, anti-detection, and encryption techniques. Its growth has been fueled by offering affiliates (the criminals who rent a RaaS platform to run attacks) up to 90% of ransom payments.
The remaining leading RaaS organizations include:
- Play launched a massive attack that hit 16 victims simultaneously.
- Black Basta leverages unique tactics, techniques, and procedures (TTPs) for initial ingress, lateral movement, data exfiltration, and deployment of ransomware payloads.
- 8Base is known for its rapid and efficient encryption techniques and the use of SmokeLoader.
- Akira has a distinctive extortion platform that includes a chat feature to facilitate direct negotiation between victims and attackers.
All of these players are double extortionists who exfiltrate sensitive data and threaten to release it if the victim does not pay.
The Prime Targets
Ransomware is an equal opportunity attacker. Any entity that gets snared in the web can be a victim, but some sectors are targeted more than others. According to the Halcyon Attacks Lookout website, the majority of attacks in the quarter, 768 of 1,407 (roughly 55%), were directed at entities within the United States.
Among targeted industries, manufacturing accounted for 20% of attacks, and construction, business services, and healthcare services were each attacked more than one hundred times. The mix of victim industries varies from quarter to quarter, but in general cybercriminals look for organizations with a low tolerance for downtime. The healthcare industry, for example, is especially vulnerable because an outage can directly affect patient health and safety.
Russian Influence on Ransomware Operations
As part of the analysis in this report, the Halcyon authors lay out a case that ransomware attacks have evolved beyond cybercrime into a low-cost, high-impact mechanism for the indirect projection of national policy. Russia in particular has demonstrated that it uses criminal RaaS operators to serve geopolitical objectives.
The attack on the Stoli Group is the report’s case study of ransomware used as part of a coordinated strategy. A ransomware attack crippled some of the spirits vendor’s systems, which contributed to a $78 million debt default. The Russian government then took advantage of the situation to seize the company’s two Russia-based distilleries. A criminal attack followed quickly by state action suggests that some ransomware campaigns are designed to advance a government objective.
The Stoli Group is one example of the link between the Russian government and ransomware threat actors, but the broader pattern is the sheer number of Russia-based RaaS providers. In 2021, 74% of ransomware revenue was collected by entities likely affiliated with Russia.
Call to Reclassify Ransomware Attacks
In this report, Halcyon proposes that addressing the serious ransomware threat requires a shift in how the attacks are viewed. Many critical infrastructure entities are targets of ransomware. It is time to reclassify the attacks as national security incidents rather than isolated criminal acts. By changing the perspective, more response tools would be available. Specifically, this would include:
- Offensive Cyber Measures: Taking more active options to disrupt the RaaS infrastructure.
- Economic Sanctions: Provide an economic cost to nations that permit ransomware gangs to operate freely.
- International Collaboration: Encourage coordinated actions among allied nations.
- Cyber Deterrence Strategy: Clearly establish the consequences for state-linked ransomware operations.
Ransomware Mitigation Strategies
Defending against ransomware requires multiple layers of defense that involve the whole organization. The first consideration is to keep attackers from successfully launching a ransomware attack at all. This requires understanding your attack surface and deploying controls such as vulnerability and patch management, endpoint detection and response (EDR), identity management with multi-factor authentication, network segmentation, intrusion prevention, and anti-phishing email security.
Security awareness, primarily in the form of anti-phishing training, is required to reduce the chance a user will fall for a phishing effort that allows the attacker to enter the network.
Should a company fall victim to a ransomware attack, it needs strong data backups to recover from the loss of access to its information. Because ransomware operators routinely hunt for and destroy backups before detonating the payload, at least one copy should be kept offline or in immutable storage, and restores should be tested regularly. A comprehensive incident response (IR) plan is also required so that all relevant staff understand their responsibilities during and after an attack.
Additionally, there is an emerging market of dedicated ransomware protection platforms that are designed to specifically prevent ransomware from being executed on a network.
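The behavioral detection that EDR and dedicated anti-ransomware tools perform can be illustrated with a small example. The following Python block is an added illustration, not code from Halcyon or from the report: it scores file-write events by Shannon entropy (encrypted output looks close to uniformly random) and flags a process that writes many high-entropy files with an unfamiliar extension within a short window. The event format, the baseline extension list, the thresholds, and the sample events are all constructed for this example; a real EDR keeps a per-host baseline and would correlate with process lineage and shadow-copy deletion as well.

```python
import hashlib
import math
import os
from collections import defaultdict, deque

# Extensions the host normally writes. Assumption for this example: a real
# product learns a per-process baseline instead of using a fixed set.
BASELINE_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".zip", ".bak"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, plain text sits around 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pseudo_random(seed: str, size: int) -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


# Constructed file-write events: (timestamp_seconds, pid, path, data).
SAMPLE_EVENTS = (
    # pid 100: a user saving ordinary text files over a minute
    [(t, 100, f"/home/u/notes{t}.txt", b"quarterly report line\n" * 40)
     for t in range(0, 60, 10)]
    # pid 300: a backup job writing two archives (high entropy, known extension)
    + [(5, 300, "/srv/backup/db1.zip", pseudo_random("z1", 4096)),
       (6, 300, "/srv/backup/db2.zip", pseudo_random("z2", 4096))]
    # pid 200: 40 high-entropy writes to a new extension within 8 seconds
    + [(20 + i // 5, 200, f"/srv/share/file{i}.docx.locked",
        pseudo_random(f"e{i}", 1024)) for i in range(40)]
)


def detect_mass_encryption(events, window_s=10, min_files=20,
                           entropy_threshold=7.0):
    """Flag processes that write at least min_files high-entropy files with
    unfamiliar extensions inside a sliding window of window_s seconds.

    Returns {pid: peak number of suspicious writes seen in one window}.
    Entropy alone is not enough: the backup job above writes random-looking
    archives, so the extension baseline and the file count are what keep it
    from being flagged.
    """
    suspicious_ts = defaultdict(deque)
    flagged = {}
    for ts, pid, path, data in sorted(events, key=lambda e: e[0]):
        ext = os.path.splitext(path)[1]
        if ext in BASELINE_EXTENSIONS:
            continue
        if shannon_entropy(data) < entropy_threshold:
            continue
        q = suspicious_ts[pid]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) >= min_files:
            flagged[pid] = max(flagged.get(pid, 0), len(q))
    return flagged


if __name__ == "__main__":
    print(detect_mass_encryption(SAMPLE_EVENTS))  # {200: 40}
```

Run as-is, only pid 200 is flagged; raising `min_files` above 40 or adding `.locked` to the baseline silences it, which is exactly the tuning trade-off these tools face between catching a fast encryptor and paging on a legitimate archiving or compression job.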
Final Rundown
Ransomware is a threat to all organizations. Although some campaigns target specific organizations, much of it is a crime of opportunity that will hit any organization that falls into the trap. The proliferation of sophisticated RaaS platforms ensures that ransomware will continue to plague organizations. Cybersecurity professionals must take every reasonable action to reduce the chance of a ransomware attack and, if one occurs, be prepared to limit the damage.
Halcyon has pointed out that this form of attack is being leveraged by nation-states, specifically Russia, as a weapon to punish its enemies and as a deterrent. They argue that vastly reducing ransomware requires treating it as a national security issue, which expands the response options, such as offensive cyber measures and sanctions, available to governments to defeat such attacks.