Profiling the Top Ransomware Groups

Top 5 Ransomware Groups

RansomHub – The New Boss at the Top

  • RansomHub closed out 2024 at the top, disclosing 736 victims—the highest among all groups. With strong operational discipline and stable leadership, it quickly filled the void left by LockBit and AlphV.
  • Its encryptors are effective, and its leak site language is threatening, but measured. The group appears to have attracted many former affiliates from LockBit, helping to explain the variety and geographic spread of its attacks.
  • As we continue to 2025, RansomHub stands out as the most organized ransomware group in operation.

Play – Quiet Consistency

  • Play emerged quietly in 2022, found its footing in 2023, and made a notable leap in 2024 with 369 disclosed victims.
  • What sets the group apart is its focus on operational execution rather than media theatrics. Victim disclosures often come in waves, designed less to attract attention and more to apply direct pressure on targets.
  • Despite its low profile, Play operates with a solid infrastructure and a well-established affiliate network.

Akira – The Old Fox

  • Launched in 2023, Akira experienced a sharp rise in 2024, disclosing 349 victims. The group, once known for infrequent activity, has since ramped up its operations and maintained a steady pace.
  • As one of the more veteran players in the field, Akira holds a position of strength rooted in experience.

Qilin – The Silent Hunter

  • Qilin first appeared in 2022, but 2024 marked its breakout year, with around 200 victims—156 of them based in the U.S.
  • By targeting healthcare and public service providers like Synnovis, Qilin showed just how impactful its attacks can be.
  • The group disclosed victims consistently throughout the year.
  • Not as loud as Clop or as widespread as RansomHub, but Qilin’s target choices send a clear message: these attacks are deliberate, not random.

Medusa – The Snake’s Head

  • A long-time presence in the scene, Medusa stepped up in late 2024 and began pushing past its own ceiling.
  • They drew attention with a string of high-profile victims and remain focused on financial gain, offering extensions for ransom deadlines.
  • Loud, but behind the noise lies a group advancing with methodical precision.

Rising Ransomware Stars

Lynx

First spotted in mid-July, Lynx has quickly disclosed nearly 180 victims. The consistency of their postings is notable. Their rapid rise suggests a low-profile, yet highly capable actor is emerging.

SafePay

SafePay entered the scene in late November and broke its silence with 122 victims. The group keeps a low profile, operating with focus. Its primary targets lie within the financial sector, following a calm but direct strategy.

Kill Security

Active for about a year, Kill Security has recently stood out with a steady flow of victim disclosures and the promotion of its RaaS model and additional services. Notably, the group has launched over 40 attacks targeting organizations in India—highlighting a clear regional focus.

Fighting back is crucial. Learn about the legal and operational responses to ransomware.

PREVIOUS
NEXT