Ransomware gangs are no longer shadowy entities operating in the background of the cybercrime world—they are well-organized, aggressive, and targeting businesses of all sizes. These groups deploy increasingly sophisticated tactics to breach networks, steal data, and demand hefty ransoms. Understanding who these actors are, how they operate, and what makes them so effective is critical for enterprises looking to protect themselves.
What Are Ransomware Gangs?
Ransomware gangs are cybercriminal organizations that deploy malicious software to lock or encrypt a victim's data, demanding payment for its release. Many operate on a Ransomware-as-a-Service (RaaS) model, enabling affiliates to execute attacks using pre-built infrastructure. Their tactics have grown more aggressive, with double and triple extortion becoming standard practices in recent years.
In 2024, these attacks have surged, targeting sectors like healthcare, government, education, and finance. These groups are highly adaptable, often collaborating with other cybercriminal networks to develop new techniques and evade law enforcement.
Below, we highlight the most dangerous ransomware gangs targeting the enterprise, explaining their key tactics, significant attacks, why they continue to pose a serious threat to organizations globally, and how a Secure Enterprise Browser, like Primary, can help safeguard your business.
LockBit: The Unstoppable Machine
LockBit has become a leading force in ransomware, largely due to its highly successful RaaS model. This operation allows affiliates to use LockBit’s sophisticated ransomware tools to launch attacks in exchange for a share of the ransom. Known for its speed and effectiveness, LockBit targets high-value sectors like healthcare, finance, and government.
LockBit's double extortion strategy—encrypting data and threatening to leak it—has resulted in millions of dollars in payouts. One of the group's most notable attacks involved bringing Royal Mail to a halt in 2023, demanding an enormous ransom to restore services. Despite Operation Cronos, a major law enforcement action in 2024, LockBit remains one of the most formidable ransomware actors today.
Founded: 2019
Base of Operations: Eastern Europe
Notable Activity: Royal Mail attack, $91 million in ransom demands
BlackSuit: The Royal Reincarnation
Formerly known as Royal ransomware, BlackSuit rebranded itself in 2023, ramping up operations and expanding its targets. This group, believed to be based in Russia or Eastern Europe, uses phishing emails to infiltrate networks and often disables antivirus software before launching ransomware attacks. Their tactics include exfiltrating sensitive data and then demanding a ransom, threatening to leak information if their demands aren’t met.
In one notable attack, BlackSuit disrupted Dallas's emergency services in 2023, demonstrating its ability to cripple both public and private sectors. Ransom demands from this group often range from $1 million to as much as $60 million.
Founded: 2023 (Rebranded from Royal)
Base of Operations: Russia/Eastern Europe
Notable Activity: $60 million ransom demand, Dallas emergency services breach
RansomHub: The Infrastructure Invader
Emerging in early 2024, RansomHub has quickly positioned itself as one of the top ransomware threats, mainly targeting critical infrastructure sectors like healthcare, manufacturing, and education. The group employs double extortion tactics—encrypting data while threatening to leak sensitive information if their ransom demands aren’t met. Their attacks often exploit vulnerabilities in remote desktop protocols (RDP) and virtual private networks (VPNs).
One of RansomHub’s most notable attacks occurred in August 2024, targeting the oil and gas services giant Halliburton, causing significant disruptions. RansomHub’s RaaS model has allowed it to rapidly expand its reach, attracting affiliates with a highly competitive commission structure.
Founded: 2024
Base of Operations: Eastern Europe
Notable Activity: Halliburton attack, targeting critical infrastructure sectors
BlackCat/ALPHV: The Silent Operator
BlackCat, also known as ALPHV, first appeared in late 2021 and quickly gained notoriety for its Rust programming language-based ransomware. BlackCat is highly adaptable, targeting both Windows and Linux systems, which makes it harder for organizations to defend against its attacks. The group’s primary method of entry often involves exploiting stolen credentials and unpatched vulnerabilities.
In 2024, BlackCat faced significant internal challenges after an apparent $22 million ransom payment from Change Healthcare, one of its high-profile victims. The payment triggered a public implosion within the group, as disputes over how the funds were distributed led to internal strife and defection. Despite these issues, BlackCat has continued its attacks, with links emerging between the group and Cicada, another notorious ransomware collective that emerged in 2024.
Founded: 2021
Base of Operations: Unknown
Notable Activity: $22 million ransom from Change Healthcare, and possible re-emergence as Cicada
Clop: The Double Extortion Specialist
Clop is known for its high-profile attacks on major organizations across various industries. This group has perfected double extortion tactics—encrypting data and threatening to leak sensitive information unless ransoms are paid. Clop has gained notoriety for targeting large enterprises and institutions, including the financial and government sectors.
Clop is also known for its sophisticated use of malware, often exploiting vulnerabilities to gain initial access to networks. Their adaptability and technical prowess have made them one of the more persistent ransomware groups, frequently involved in large-scale data breaches.
Founded: Unknown
Base of Operations: Likely Eastern Europe
Notable Activity: Double extortion tactics, targeting large organizations
Vice Society: The Infrastructure Disruptor
Vice Society focuses heavily on attacking critical infrastructure and sectors with sensitive data, such as education and healthcare. This group is known for its targeted attacks, often breaching institutions with fewer cybersecurity resources but holding extremely valuable data.
Their methods include using double extortion to lock down systems and threaten to leak private data, making them especially dangerous in industries where protecting personal information is crucial. Vice Society’s ability to disrupt essential services makes them a significant threat to public safety.
Founded: Unknown
Base of Operations: Likely Eastern Europe
Notable Activity: Disruptions in education and healthcare sectors, double extortion tactics
PLAY: The Triple Threat Innovators
PLAY ransomware has introduced a new level of sophistication with its triple extortion tactics. This group not only encrypts data and threatens to leak it but also launches Distributed Denial-of-Service (DDoS) attacks to further disrupt their victims. PLAY primarily targets government agencies, financial institutions, and healthcare providers, exploiting remote access systems to gain entry.
Their use of Cobalt Strike, a penetration testing tool often employed by cybercriminals for lateral movement within networks, has enabled PLAY to effectively compromise large organizations.
Founded: 2022
Base of Operations: Unknown
Notable Activity: Government agency attacks, introduction of triple extortion
Hunters International: The Silent Stalkers
Hunters International, formed from the remnants of Hive ransomware, is a methodical and patient group. Known for infiltrating networks and spending weeks identifying the most valuable data, they only strike when they can ensure maximum damage. This approach has made them highly effective at extorting large ransoms from major multinational corporations.
In 2024, they targeted a global financial institution, stealing sensitive customer data and demanding a $30 million ransom. Their ability to deeply penetrate networks and maintain stealth makes them a significant threat.
Founded: 2023
Base of Operations: Eastern Europe
Notable Activity: $30 million ransom demand, targeting large financial institutions
Akira: The Agile Upstart
Akira is a rapidly rising ransomware group that has gained notoriety for its double extortion tactics, often targeting sectors like healthcare, education, and technology. They exploit remote desktop services (RDP) and VPN vulnerabilities to infiltrate networks and encrypt data.
Founded: 2023
Base of Operations: Eastern Europe
Notable Activity: $42 million in ransom payments from 250 attacks
Meow: The Aggressive Newcomer
Meow ransomware has quickly become one of the fastest-growing ransomware threats since its emergence in 2024. Meow gained attention for its rapid deployment and aggressive use of double extortion tactics, targeting various industries, including technology, healthcare, and retail.
In August 2024, Meow ransomware saw a significant surge in activity, often using automated systems to rapidly infect networks and demand ransoms. Unlike more established groups, Meow employs a highly opportunistic approach, leveraging a wide range of vulnerabilities to execute attacks efficiently. Their advanced encryption techniques and aggressive tactics have earned them a spot among the most dangerous ransomware groups to watch.
Founded: 2024
Base of Operations: Unknown
Notable Activity: Rapid rise in 2024, targeting diverse industries with double extortion
How Primary Protects You
As ransomware gangs become more sophisticated, it’s vital to have a robust security solution in place. Primary’s Secure Enterprise Browser is “Secure by Design” and offers continuous, end-to-end essential protection to safeguard your organization from the most advanced ransomware tactics:
- Real-Time Threat Detection: Identify phishing attempts and abnormal browser activity before they escalate into major breaches, offering real-time alerts that can prevent ransomware attacks before they strike.
- Continuous Authentication: Primary enforces multifactor authentication (MFA) with every request. This approach ensures that any stolen credentials cannot be reused from an unauthorized or unrecognized device. By maintaining device-bound sessions, Primary limits access only to devices registered to authorized users, significantly reducing the risk of credential harvesting attacks.
- Application Integrity: In line with Continuous Authentication, Primary ensures the integrity of every session by validating that the browser accessing sensitive systems is secure. Attackers often exploit vulnerabilities at the endpoint to pivot into critical systems. With the Primary Protector Gateway, only the Primary Browser is authorized at the endpoint to access sensitive data and systems, blocking rogue software and unauthorized applications that could pose malware risks.
- Advanced Data Encryption: Even if attackers breach your system, Primary’s encryption keeps your data safe from theft or exposure.
- AI-Powered Threat Analysis: Leveraging AI-driven insights, Primary continuously monitors browser traffic to detect unusual patterns or anomalies to prevent and neutralize ransomware attacks before they escalate.
For additional resources on ransomware prevention, visit CISA’s Stop Ransomware page.
Ready to Protect Your Business?
To learn more about how Primary can help safeguard your organization from these and other emerging ransomware threat actors, reach out at connect@getprimary.com and schedule a demo of our Secure Enterprise Browser.