In December 2024, ransomware activity showcased notable trends, including a 12.38% decline in attacks compared to November. Key ransomware groups, such as Funksec and Cl0p, emerged with significant incidents, and industries like healthcare and e-commerce faced increasing risks. The exploitation of vulnerabilities, advanced social engineering, and sophisticated attack vectors underlined the persistent evolution of ransomware, demanding robust defenses and proactive patching strategies.
December 2024 witnessed diverse ransomware trends, with emerging groups targeting critical industries and geographical locations. The report explores top ransomware groups, targeted sectors, and the evolution of attack strategies exploiting vulnerabilities. It highlights notable incidents and emphasizes the need for enhanced defenses as ransomware groups refine their operations to exploit digital transformation and unpatched systems across global industries.
Throughout December 2024, there was notable activity from several ransomware groups. Here are the trends regarding the top 5:
In December 2024, the Funksec group emerged as a new entrant with 50 incidents, quickly establishing itself as a top global threat. Cl0p recorded a 100% surge, rising from 0 to 68 cases. In contrast, RansomHub and Akira experienced significant declines of 39.3% and 45.1%, respectively. Killsec showed a slight decrease of 9.7%, dropping from 31 to 28 cases.
Even though Cl0p claimed 68 victims, they did not disclose the details.
This graph highlights industry targeting trends in December 2024 compared to November 2024. Manufacturing saw a decline of 14.4%, yet remained a top target due to its critical role in supply chains. FMCG and Banking & Finance experienced an increase of 15.38% and 17.94%, respectively. E-commerce & Retail rose by 6.1%, likely due to its growing digital footprint. Healthcare saw a 3% rise, driven by sensitive data. IT dropped 23.1%, while Media, Energy, and Metals & Mining saw marginal changes. Cybercriminals prioritized industries with high financial returns, operational sensitivity, and exploitable digital transformation.
Notably, despite Cl0p claiming 68 victims, it did not disclose victim details (such as the industries targeted).
In December 2024, ransomware attacks decreased by 12.38% compared to November. Despite this decline, CYFIRMA anticipates a potential rise in the number of victims in the future. This can be linked to increased online activity during the year-end and New Year festivities. With more people shopping, sharing, and transacting online, attackers exploit this surge to deliver malicious links or phishing campaigns.
In December 2024, the United States was the leading target of cybersecurity incidents with 283 attacks, largely due to its economic prominence and extensive digital infrastructure. Canada ranked second with 30 incidents, followed by India with 21 and Brazil with 16, reflecting the growing importance of their emerging economies and expanding digital landscapes. Germany, as Europe’s industrial center, experienced 14 incidents.
Threat actors are actively exploiting the Apache vulnerability to deploy the Mauri ransomware
CVE-2023-46604 is a critical remote code execution vulnerability in Apache ActiveMQ servers that has been actively exploited in ransomware campaigns. Attackers leverage the vulnerability by modifying the serialized class type in the OpenWire protocol, forcing the server to load malicious XML configuration files. This enables the deployment of ransomware and other malicious tools on compromised systems.
Ransomware groups exploit this flaw by creating backdoor accounts with administrative privileges, allowing Remote Desktop Protocol (RDP) access to internal networks. Tools like FRP (Fast Reverse Proxy) are installed to expose internal systems to external attackers, enabling lateral movement. The vulnerability has been linked to the deployment of Mauri ransomware, leveraging its open-source code for file encryption and extortion. Additionally, Quasar RAT is used for remote control, file management, keylogging, and data theft, increasing the impact of the ransomware attack.
ETLM
Ransomware campaigns will increasingly exploit unpatched vulnerabilities like CVE-2023-46604 to gain footholds in critical systems. Future attacks may integrate advanced tools for persistent control, combining data theft, extortion, and double-encryption strategies. As ransomware groups grow more organized, targeting unpatched servers will remain a priority, emphasizing the urgent need for proactive patch management and improved threat detection capabilities.
Black Basta Ransomware Evolves with Email Bombing
Recent findings have revealed a significant shift in the tactics of the Black Basta ransomware group, which has evolved its approach since early October 2024. The attackers now rely heavily on social engineering to infiltrate organizations, starting with overwhelming their targets through email bombing. Once the inboxes are flooded, the attackers initiate contact on platforms like Microsoft Teams, posing as IT support staff to establish trust. Victims are then convinced to install legitimate remote access tools, such as AnyDesk or Quick Assist, granting the attackers direct access to their systems.
Once inside, the attackers deploy a range of malware, including custom credential harvesters and well-known strains like Zbot and DarkGate. These tools facilitate rapid network enumeration, credential dumping, and data exfiltration, with the goal of stealing VPN configurations and bypassing Multi-Factor Authentication (MFA). Further attempts to compromise victims involve sending malicious QR codes via chat, which appear to direct victims to additional malicious infrastructure.
This evolution marks a shift from the earlier botnet-driven attacks to a hybrid model that combines sophisticated social engineering with tailored malware, reinforcing the growing adaptability and complexity of Black Basta’s ransomware operations.
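The email-bombing stage described above is detectable at the mail gateway before the Teams contact ever happens. The following is an added example (not from the report or from any vendor) that runs a burst detector over constructed gateway log lines; the log format, addresses and thresholds are assumptions.

```python
# Added example: flag recipients whose inbox is flooded by many distinct senders
# within a short window, the precursor to the fake "IT support" contact.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not real traffic): alice is flooded, bob is not.
SAMPLE_LOG = """\
2024-12-10T09:00:05Z to=alice@corp.example from=news@siteA.example
2024-12-10T09:00:09Z to=bob@corp.example from=hr@corp.example
2024-12-10T09:00:11Z to=alice@corp.example from=promo@siteB.example
2024-12-10T09:00:40Z to=alice@corp.example from=digest@siteC.example
2024-12-10T09:01:02Z to=alice@corp.example from=signup@siteD.example
2024-12-10T09:01:30Z to=alice@corp.example from=alerts@siteE.example
2024-12-10T09:02:15Z to=alice@corp.example from=news@siteA.example
2024-12-10T09:03:00Z to=bob@corp.example from=it@corp.example
"""

def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse 'timestamp to=<recipient> from=<sender>' lines (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, kv["to"], kv["from"]))
    return events

def detect_email_bombing(events, window=timedelta(minutes=10),
                         min_msgs=5, min_senders=4) -> Dict[str, Tuple[int, int]]:
    """Return {recipient: (messages, distinct senders)} for the first window that
    reaches both thresholds; one alert per recipient."""
    per_rcpt = defaultdict(list)
    for when, rcpt, sender in sorted(events):
        per_rcpt[rcpt].append((when, sender))
    alerts = {}
    for rcpt, evs in per_rcpt.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            senders = {s for _, s in evs[start:end + 1]}
            if count >= min_msgs and len(senders) >= min_senders:
                alerts[rcpt] = (count, len(senders))
                break
    return alerts
```

A hit here is a trigger to watch the same user for an unsolicited Teams or remote-assistance contact, which the report identifies as the next step of the intrusion.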
ETLM
Ransomware groups are likely to further refine their use of social engineering, incorporating more advanced impersonation tactics and leveraging increasingly sophisticated malware. We may also see more targeted exploitation of trusted communication platforms, making it harder for organizations to distinguish between legitimate and malicious interactions, resulting in heightened cybersecurity challenges.
Cl0p ransomware claimed Cleo vulnerability attacks
Two zero-day vulnerabilities in Cleo Harmony, VLTrader, and LexiCom file transfer software were exploited in recent data theft attacks. The first, CVE-2024-50623, enabled unauthenticated file uploads and downloads, leading to remote code execution. Threat actors leveraged this flaw to deploy a reverse shell, enabling backdoor access through malicious Freemarker templates with server-side JavaScript. The patch shipped in version 5.8.0.21 proved insufficient as a mitigation.
Subsequently, CVE-2024-55956, another unauthenticated file write vulnerability, was exploited to upload a Java-based backdoor named “Malichus.” This malware facilitated data theft, command execution, and deeper network compromise. This flaw was patched in version 5.8.0.24 and is distinct from CVE-2024-50623, targeting a separate synchronization endpoint issue.
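Because the report names the fixed builds for both Cleo CVEs, a defender can turn them into an inventory check. The following is an added example, not Cleo's or the report's code; the host names and installed versions are constructed, and treating 5.8.0.24 as the minimum safe build follows the report's statement that the 5.8.0.21 mitigation was insufficient.

```python
# Added example: which of the two Cleo CVEs is a given installed build still
# exposed to, and which hosts in an inventory need upgrading.
from typing import Dict, List, Tuple

# (CVE, version that fixes it, note) as stated in the report.
FIXES: List[Tuple[str, str, str]] = [
    ("CVE-2024-50623", "5.8.0.21", "initial fix; report notes it was insufficient"),
    ("CVE-2024-55956", "5.8.0.24", "fixes the separate endpoint issue"),
]

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '5.8.0.21' into a comparable tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def exposed_cves(installed: str) -> List[str]:
    """CVEs whose fixing build is newer than the installed build."""
    v = parse_version(installed)
    return [cve for cve, fixed, _ in FIXES if v < parse_version(fixed)]

def minimum_safe_version() -> str:
    """Lowest build that closes every listed CVE (5.8.0.24 per the report)."""
    return max((fixed for _, fixed, _ in FIXES), key=parse_version)

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host that still needs an upgrade to its open CVEs."""
    result = {}
    for host, version in inventory.items():
        open_cves = exposed_cves(version)
        if open_cves:
            result[host] = open_cves
    return result

# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "mft-01": "5.8.0.19",   # predates both fixes
    "mft-02": "5.8.0.21",   # has the bypassed fix only
    "mft-03": "5.8.0.24",   # fully patched
}
```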
The Cl0p ransomware group orchestrated these attacks, specializing in exploiting vulnerabilities in file transfer platforms. They previously targeted similar systems, including MOVEit Transfer, GoAnywhere MFT, and others, to steal sensitive data from hundreds of organizations. Cl0p confirmed responsibility for both vulnerabilities and claimed to have breached numerous companies. This incident underscores the group’s strategic focus on critical data exchange solutions, exploiting zero-days to infiltrate corporate networks. While the full impact remains unknown, these events highlight the urgency of robust patching and vigilant monitoring in securing enterprise systems.
ETLM
The exploitation of secure file transfer platforms will intensify, with ransomware groups like Cl0p continuing to weaponize zero-day vulnerabilities. Future attacks will likely target high-value systems with enhanced sophistication, leveraging stealthier backdoors and multi-stage intrusions. Organizations must brace for widespread data breaches, severe operational disruptions, and escalating ransom demands as attackers refine their strategies against evolving security defenses.
Funksec
Funksec ransomware is malicious software targeting VMware ESXi hypervisors and Windows servers. It may exploit vulnerabilities or weak configurations to gain access, and is often delivered through phishing emails or unsecured remote access points. Once deployed, it uses strong encryption algorithms to lock files, rendering them inaccessible, and leaves a ransom note demanding payment in exchange for the decryption key. Its dual-platform approach increases its impact, making it a significant threat to both virtualized environments and traditional server infrastructures. The group had already listed 50 victims at the time of writing this report.
Bluebox
Researchers recently identified a new ransomware named Bluebox, which operates a data-leak site (DLS) and threatens victims with public data exposure. The group claims to have stolen intellectual property and personal information from organizations, leveraging these to demand ransom. At the time of writing this report, the group had listed 2 victims.
LockBit Ransomware Developer Arrested in Israel
U.S. law enforcement arrested Rostislav Panev, a Russian-Israeli citizen, in Israel last August. Panev has been accused of developing LockBit ransomware since 2019, and allegedly had admin access to its Dark Web repository, source code, and affiliate tools like “StealBit.” Panev confessed to his role, and two other individuals are also facing charges.
Ransomware suspect reportedly arrested by Russia
Russian authorities have charged Mikhail Matveev, alias Wazawaka, with creating ransomware used to extort commercial organizations. Matveev, linked to groups like Babuk, Conti, and LockBit, is accused of developing malware for financial gain, focused on data encryption and ransom demands. He faces up to four years in prison. He had previously been sanctioned by the U.S. for cybercrimes, including a 2021 attack on Washington D.C.’s police department, with a $10 million reward offered for his capture.
Space Bears claims they attacked Atos
French IT firm Atos SE was targeted by the Space Bears ransomware group, which claimed to have breached its database. The allegations included data exfiltration, though Atos’s investigation found no evidence of compromise or ransom demands. The attackers asserted possession of sensitive data, but no specific details about stolen information or financial demands were confirmed.
Lynx hitting the Energy sector
The Lynx ransomware gang targeted Romania’s energy provider, Electrica Group, which serves over 3.8 million customers across Muntenia and Transylvania. Authorities confirmed critical power supply systems, including SCADA, were unaffected. Electrica implemented temporary protective measures to secure infrastructure, with no confirmed data exfiltration or ransom demands disclosed. Investigations are ongoing.
Artivion suffered a ransomware attack
Artivion, a U.S.-based heart surgery medical device manufacturer, suffered a ransomware attack recently. The incident encrypted files, disrupted delivery and shipping systems, and caused operational delays with anticipated financial impacts. Some systems were taken offline as a precaution. As of now, no ransomware group has claimed responsibility for the attack.
Based on available public reports, approximately 31% of enterprises are compelled to halt their operations, either temporarily or permanently, in the aftermath of a ransomware onslaught. The ripple effects extend beyond operational disruptions, as detailed by additional metrics:
Impact Assessment
Ransomware remains a serious threat to organizations and individuals, with its ability to encrypt critical data and demand payment for decryption. These attacks extend beyond ransom demands, inflicting financial burdens through recovery efforts and cybersecurity measures while disrupting operations and eroding customer trust. Victims often face reputational damage, regulatory penalties, and market instability, further undermining consumer confidence. To protect financial stability and public trust, it is imperative for businesses and governments to prioritize proactive measures against ransomware threats.
Victimology
Cybercriminals are intensifying their focus on businesses that manage large volumes of sensitive data, such as personal information, financial records, and intellectual property. Sectors like manufacturing, real estate, healthcare, FMCG, e-commerce, finance, and technology face heightened risks due to their extensive data repositories. Targeting nations with robust economies and advanced digital infrastructures, attackers exploit vulnerabilities to encrypt vital data and issue substantial ransom demands, aiming to maximize their financial gains through sophisticated and calculated strategies.
Although ransomware incidents decreased in December 2024, the threat landscape remains dynamic and concerning. Emerging groups like Funksec and Bluebox have introduced new global risks, while Cl0p continues to exploit vulnerabilities with advanced tactics. As cybercriminals evolve, industries face increasing challenges. Organizations must strengthen defenses through proactive security measures, including effective patch management, employee training, and enhanced threat detection systems.