Steam the Webinar on demand HERE

As we look back on the cybersecurity landscape of 2024, it’s clear that the world of digital threats continues to evolve at an alarming pace in parallel with AI. This year has seen ransomware groups adapt and innovate, pushing the boundaries of their malicious capabilities and evasiveness from law enforcement. In our annual “Nastiest Malware” report, now in its sixth year, we’ve observed a steady increase in both the number and sophistication of malware attacks. The ransomware sector, in particular, has witnessed the emergence of “business models,” with ransomware-as-a-service (RaaS) dominating the scene. Elite ransomware authors have concluded that profit sharing and risk mitigation are key contributors to their consistent success and evasion of authorities.

The saga of LockBit in 2024 exemplifies the resilience and adaptability of these cybercriminal groups. Despite a major law enforcement operation in February, dubbed “Operation Cronos,” which saw the FBI and international partners seize LockBit’s infrastructure and obtain over 7,000 decryption keys, the group managed to resurface within days. This cat-and-mouse game between LockBit and law enforcement agencies has continued throughout the year, with the group’s leader even taunting the FBI, claiming that their efforts only make LockBit stronger. The LockBit story underscores a crucial point: while law enforcement operations can disrupt cybercriminal activities, they often fall short of delivering a knockout blow. These groups have become adept at rebuilding their infrastructure, rebranding when necessary, and continuing their operations with minimal downtime.

As we detail our analysis of the six most notorious ransomware and malware groups that have dominated headlines in 2024, it’s important to note that the threat landscape extends beyond just these actors. The rise of AI-driven phishing and social engineering, increased targeting of critical infrastructure, and the emergence of more sophisticated fileless malware are all trends that have shaped the cybersecurity battlefield this year.

In this report, we’ll explore how these groups have evolved, their most significant attacks, and the broader implications for cybersecurity. We’ll also provide updated survival tips for both businesses and individual users, reflecting the ever-changing nature of these threats.

Ransomware

Over the past decade, ransomware has established itself as the pinnacle of cybercriminal exploits. It is the most successful and lucrative avenue for monetizing a breach of a victim. Every year we see more and more data stolen and higher ransom demands dominating headlines. Each ransomware group on our Nastiest Malware list utilizes the double-extortion method where the data stolen is leveraged for leak potential on dark web leak sites. The impending damage to brand and reputation that comes with the public disclosure of a breach are massive threats to companies of any size. Not to mention the impending regulatory fines that come with the breach. This strategy has shown it’s resilience over the past few years since it became mainstream and it seems to be as robust as ever. Let’s take a look at what the payment numbers look like so far in 2024.

Source: Coveware

We’ve seen a drop-off from the highs last year – fueled by Cl0p ransomware group making over $100 Million in a few months in late 2023. But when we zoom out you can see that it will be going up over time. This time next year we anticipate the amounts to be higher than what they are now. Some of this will be fueled by inflation, some will be an increase in effectiveness in tactics, and some by the anticipated 2025 “bull run” price spike in crypto – the only payment method these criminals accept.

Looking at the payment resolution rates – meaning the percentage of people that end up paying the ransom, we can see a slight increase during this year. Zooming out the trend does indicate an overall decline which is good news and reflects that the industry is taking serious precautions in their security posture. We expect that this slight increase is only temporary and will continue the trend of decreasing for next year. 

One nasty change this year is the increase of ransomware attacks on smaller sized businesses. The market share of ransomware attacks on business with under 100 employees is now almost 40%. While the media headlines of record breaking ransoms against fortune 500 companies will always take center stage, the small to mid market has always been the bread and butter for cybercriminals. The amount of effort and return on investment of time is too good for criminals not to be attracted to these easier and weaker targets. Now let’s take a look at this year’s Nastiest Malware.

LockBit: The Resilient Threat

One of the most notorious ransomware groups, LockBit, faced significant challenges and disruptions in 2024 due to coordinated international law enforcement efforts. The year began with “Operation Cronos,” a major strike against LockBit’s infrastructure in February. Led by the UK’s National Crime Agency (NCA) and involving agencies from multiple countries, including the FBI, this operation resulted in the seizure of LockBit’s leak sites and the exposure of information about nearly 200 affiliates. A pivotal moment came when the FBI obtained over 7,000 decryption keys, allowing victims to unlock their encrypted data for free. This dealt a severe blow to LockBit’s operations and credibility – remember that most of the success and money is from the affiliates that choose thier ransomware payload over another’s group so credibility and trust are paramount in this criminals scene.

Despite these setbacks, LockBit attempted to maintain its operations, quickly adapting by changing encryption methods and shifting its leak site strategy. However, law enforcement continued to apply pressure throughout the year. In May, authorities revealed the identity of LockBit’s alleged mastermind, Dmitry Yuryevich Khoroshev, and offered a $10 Million reward for information leading to his arrest. The culmination of these efforts came in October when law enforcement agencies announced additional arrests and disruptions. Four individuals connected to LockBit were arrested, including a major developer and two affiliates. Notably, Aleksandr Ryzhenkov, linked to both LockBit and the infamous Evil Corp group, was unmasked and sanctioned. These actions, part of the ongoing Operation Cronos, significantly impacted LockBit’s operations, leading to a noticeable decrease in their attack frequency and causing distrust within the cybercriminal community.

Despite LockBit’s attempts to maintain its fearsome reputation, including false claims of attacks, the group’s activities were impacted throughout 2024, marking a significant victory for global cybersecurity efforts. However, LockBit is still a major player in the RaaS scene and the leader and his affiliates are still making millions in ransoms. LockBit has proven its resilience in the face of law enforcement efforts, presenting the group’s adaptability and persistence. The leader has boasted that he loves the FBI and that they only make his group stronger, and he wants to hit one million businesses before retirement. This is a stark contrast from most ransomware groups when hit by law enforcement as they will quickly retire the brand and repivot to another. This RaaS has been on the Nastiest Malware for over three years maintaining its status as a top contender in the Ransomware scene in 2024. 

Akira: The Healthcare Menace

The Akira ransomware group was first observed in March 2023 and immediately became one of the most formidable threats in the threat landscape. By January 2024, the group had impacted over 250 organizations and claimed approximately $42 million in ransomware proceeds. Akira’s rapid rise to the top was marked by its versatility and constant evolution of tactics. In 2024, Akira expanded its capabilities significantly. Initially focused on Windows systems, the group deployed a Linux variant targeting VMware ESXi virtual machines in April. Throughout the year, Akira demonstrated a pattern of swift adaptation to new vulnerabilities. They actively exploited several critical vulnerabilities, including SonicWall SonicOS, Cisco Adaptive Security Appliance (ASA), and FortiClientEMS software. These exploits allowed Akira to gain initial access, escalate privileges, and move laterally within compromised networks.

A notable shift in Akira’s tactics occurred in early 2024 when they appeared to sideline encryption tactics, focusing primarily on data exfiltration. However, by September 2024, there were indications of a potential return to previous tactics using Windows and Linux payloads written in C++. This adaptability was further evidenced in a June 2024 attack on a Latin American airline, where Akira operators exploited vulnerable services to  deploy ransomware and exfiltrate data.

Akira’s victims spanned a wide range of sectors, with a particular focus on manufacturing, professional services, healthcare, and critical infrastructure. The group’s success was attributed to its constant evolution, sophisticated attack methods, and the employment of double-extortion tactics. As of 2024, Akira had solidified its position as one of the most prevalent and dangerous ransomware operations in the cybersecurity threat landscape.

RansomHub: The High-Profile Attacker

RansomHub emerged as a formidable new player in the ransomware landscape in February 2024, quickly establishing itself as one of the most prolific and dangerous ransomware groups. Operating on a RaaS model, RansomHub attracted high-profile affiliates from other prominent groups like BlackCat/ALPHV following their FBI takedown in December 2023. This is likely due to its attractive payment structure where affiliates receive up to 90% of the ransom – compared to around 30-50% with other groups.

By August 2024, RansomHub had breached at least 210 victims across various critical U.S. infrastructure sectors, including healthcare, government services, financial services, and critical manufacturing. Notable attacks included breaches of Planned Parenthood, the Rite Aid drugstore chain, Christie’s auction house, and Frontier Communications, with the latter resulting in the exposure of personal information of over 750,000 customers. RansomHub’s tactics evolved throughout the year, employing sophisticated methods such as exploiting various software vulnerabilities, using intermittent encryption to speed up attacks, and leveraging double extortion techniques. The group’s data leak site became a significant threat, with stolen data being published for 3-90 days if ransom demands were not met.

The attack on Planned Parenthood not only demonstrated RansomHub’s capability to breach highly sensitive networks but also highlighted their willingness to target organizations with high reputational risks. This sparked widespread concern and discussions on cybersecurity measures within nonprofit organizations. By October 2024, RansomHub had overtaken LockBit as the most prolific ransomware group in terms of claimed successful attacks, solidifying its position as a major threat in the cybersecurity landscape.

Dark Angels: The Whaling Experts

Dark Angels emerged as one of the most formidable ransomware threats in 2024, gaining notoriety for their highly targeted “big game hunting” approach and record-breaking ransom demands. The group, which has been active since 2022, made headlines in early 2024 when they reportedly received a staggering $75 million ransom payment from a Fortune 50 company. This payment would be nearly double the previous record of $40 million paid by CNA Financial in 2021.The group’s modus operandi involves targeting a small number of high-value organizations, often exfiltrating massive amounts of data (typically 10-100 terabytes for large businesses) before considering encryption. This strategy allows Dark Angels to maintain a low profile while maximizing their profits.

In 2024, they continued to evolve their tactics, switching from a Babuk-ESXi-based ransomware to a variant of Ragnar Locker. Notable attacks attributed to Dark Angels in 2024 included a breach of a high-profile media company, where they stole proprietary information and engaged in lengthy negotiations before the ransom was paid. The group’s data leak site, named “Dunghill Leak,” is used to pressure victims into paying, though the group often prefers to avoid public attention. Dark Angels’ success in 2024, particularly the record-breaking ransom payment, has raised concerns that their tactics may be emulated by other cybercriminal groups, potentially leading to an increase in highly targeted, high-value ransomware attacks across various sectors.

RedLine: The Credential Thief

Not all of our Nastiest Malware are ransomware groups and RedLine Stealer has become one of the most prominent threats in 2024, particularly due to its capability to steal credentials and sensitive data across a wide array of sectors. Throughout 2024, RedLine demonstrated its effectiveness by stealing over 170 million passwords in just a six-month period, highlighting its massive impact. The malware’s capabilities expanded to include stealing not only passwords but also credit card details, cryptocurrency wallets, and browser data. Its adaptability and frequent updates allowed it to evade many security measures, making it a persistent threat across various sectors.

RedLine’s distribution methods remained diverse, with phishing emails and malicious websites being the primary vectors. The malware’s operators continued to refine their tactics, often disguising RedLine as legitimate software updates or enticing downloads. This approach allowed them to bypass traditional security measures and infect a large number of systems. The impact of RedLine extended beyond individual users to affect major corporations and critical infrastructure. Several high-profile breaches attributed to RedLine in 2024 resulted in significant financial losses and reputational damage for the affected organizations. 

Breaking news!
In late October 2024 – RedLine suffered a takedown from a coordinated international law enforcement operation dubbed “Operation Magnus.” Led by the Dutch National Police and supported by agencies including the FBI, UK’s National Crime Agency, the operation successfully disrupted RedLine’s infrastructure and operations. The authorities gained full access to RedLine’s servers, obtaining crucial data including usernames, passwords, IP addresses, and even the source code of the malware. This breakthrough allowed law enforcement to retrieve a database of thousands of RedLine clients, paving the way for further investigations and potential legal actions against cybercriminals who used the malware. The U.S. Department of Justice charged Maxim Rudometov, a Russian national, as the suspected developer and leader of the RedLine malware operation. If convicted, Rudometov faces up to 35 years in prison on charges including access device fraud, conspiracy to commit computer intrusion, and money laundering.

Only time will tell if this seizure of assets is enough to shutdown the operations of RedLine and prevent them from bouncing back like we’ve seen time and time again from other resilient groups on this list. 

Play Ransomware: The Versatile Threat

Play ransomware continued to be a significant threat in the cybersecurity landscape throughout 2024. The group, which first appeared in 2022, maintained its position as one of the most active ransomware operations, consistently ranking among the top threat actors. In 2024 a notable shift occurred when the group transitioned from its previous double-extortion tactics to specifically targeting ESXi environments. This change in focus allowed Play to exploit vulnerabilities in virtual machine infrastructures, increasing the impact of their attacks.

A significant attack attributed to Play Ransomware targeted a major utility provider, resulting in widespread service disruptions and raising concerns about critical infrastructure vulnerabilities. The attack began with the exploitation of unpatched FortiOS vulnerabilities in the company’s VPN infrastructure, allowing initial access to the network. From there, the attackers leveraged exposed RDP services to move laterally within the network, eventually gaining the access needed to deploy their ransomware payload.

The group’s use of intermittent encryption continued to be a defining characteristic, allowing them to evade many endpoint security solutions while still rendering files inaccessible to victims. Play’s attacks were particularly damaging in the IT services sector, suggesting a strategic focus on organizations that could lead to supply chain impacts.

AI-Driven Phishing and Social Engineering: 

• The use of AI and machine learning in crafting phishing emails has made these lures more convincing and harder to detect. Cybercriminals are leveraging AI to personalize attacks, increasing their success rates 

Targeting of Critical Infrastructure: 

• There has been a noticeable increase in attacks targeting critical infrastructure, including utilities and healthcare sectors, raising concerns about national security and public safety 

Fileless Malware: 

• Fileless attacks aren’t new, and neither is bypassing security protections but there has been an increase in harder to detect kill chains, more sophisticated attacks, more complex persistence, that are more effective at bypassing security than ever.   

New Malware Language: 

• Malware written in Golang continues to trend in both scale and complexity 

Businesses: 

• Lock down Remote Desktop Protocols (RDP) – this infiltration tactic has been around for a while, but it’s still one of the top infection vectors! 
• Enhance Employee Training: Go beyond basic awareness. Implement regular, interactive cybersecurity simulations and scenario-based training. 
• PATCH OR DIE! 
• Implement a Multi-layered security and defense in depth posture.  
• Adopt a Comprehensive Backup Strategy: Implement the 3-2-1 backup rule with immutable backups to protect against ransomware attacks. 
• Develop and Test Incident Response Plans: Create, regularly update, and practice cybersecurity incident response plans. 

Individual Users: 

• Use Password Managers: Employ a reputable password manager to create and store strong, unique passwords for all accounts – consider passphrases. 
• Enable Multi-Factor Authentication (MFA): Activate MFA on all accounts that offer it, preferably using authenticator apps or hardware keys. 
• Keep Software Updated: Enable automatic updates for your operating system, applications, and security software. 
• Be Cautious with Smart Devices: Secure your IoT devices by changing default passwords and keeping firmware updated. 
• Practice Safe Social Media: Be cautious about the personal information you share on social media platforms. 
• Use Virtual Private Networks (VPNs): Employ a reliable VPN service, especially when using public Wi-Fi networks. 

Download the infographic HERE

In today’s world, both small businesses and everyday consumers face a growing number of cyber threats. From ransomware attacks to phishing scams, hackers are becoming more sophisticated. OpenText’s 2024 Threat Hunter Perspective sheds light on what’s coming next and how to protect yourself. Whether you’re running a small business or managing personal data at home, here’s what you need to know.

Nation-states are teaming up with cybercrime gangs

Cybercrime is no longer just about lone hackers. Now, nation-states like Russia and China are working with organized cybercrime groups to launch highly targeted attacks on businesses, governments, and even individuals.

• Russia has been particularly active, coordinating with groups like Killnet to attack critical infrastructure in countries supporting Ukraine.
• China is focusing on its political goals in the South China Sea, often collaborating with cybercrime rings like Storm-0558.

For SMBs: Be aware that even smaller businesses can be collateral damage in nation-state cyber wars, especially if you’re part of a critical supply chain. Strengthen your security measures to avoid becoming an easy target.

For consumers: Stay alert to potential phishing attacks or scams related to global events. Hackers often exploit moments of political tension or publicized aid efforts.

Timing is everything for hackers

One of the key insights from the report is how hackers choose the most disruptive moments to strike. Whether it’s during an election, the holiday season, a big sporting event, or a major business transaction, cybercriminals wait for the right moment to maximize damage.

For example, businesses supporting Ukraine saw a significant increase in attacks within 24-48 hours of announcing aid. This shows that hackers pay attention to the news—and use it to time their attacks for maximum chaos.

For SMBs: Be especially vigilant during peak business times or important events, like product launches, financial closings, or holiday seasons. These are moments when your business may be more vulnerable due to distractions or heavy workloads.

For consumers: During holidays or big events (like the Super Bowl or Black Friday), be cautious of unexpected emails, texts, or promotions. Scammers love to take advantage of busy times to trick people into clicking malicious links.

Top cyber threats you need to know about in 2024

The OpenText report highlights some of the most dangerous cyber threats we’ll be facing this year. Whether you run a small business or manage your own personal data, these threats are ones to watch out for:

• Killnet and Storm0558 (nation-state-linked groups)
• Akira and Black Basta (ransomware gangs targeting businesses of all sizes)

These groups are known for launching ransomware attacks, where they lock down your systems or steal data, demanding a hefty ransom to get it back.

For SMBs: Invest in ransomware prevention and always back up your data. Having regular backups means you can recover without having to pay a ransom.

For consumers: Keep personal backups of important files (photos, documents, etc.) on an external drive or in the cloud. That way, even if your devices get infected, you won’t lose everything.

What to expect this fall: U.S. election and beyond

With the U.S. presidential election in fall 2024, the cyber landscape is expected to get even more dangerous. Cybercriminals and nation-states alike will likely target key services and use misinformation to influence the public.

In addition, the report predicts an increase in attacks on critical infrastructure—things like power grids, water systems, and hospitals—throughout 2024, as part of the growing cyber arms race.

For SMBs: Be prepared for increased cyber activity around major political events, as hackers may use the chaos to launch broader attacks. Ensure your cybersecurity measures are updated and your employees are trained to spot phishing attempts.

For consumers: Be skeptical of political content online, especially as we approach the election. Deepfake videos and fake news are expected to rise, making it harder to tell fact from fiction.

AI: Both a help and a threat

AI is playing a bigger role in cybersecurity, but it’s also giving hackers new tools. Cybercriminals are using AI to create more convincing scams, such as deepfake videos and phishing emails that are harder to detect. But at the same time, AI can help businesses defend themselves by detecting threats faster and automating security responses.

For SMBs: AI tools can help boost your cybersecurity efforts by automating threat detection, but remember that AI is not a fix-all solution. Human oversight is still crucial to ensure your defenses are robust.

For consumers: Be wary of AI-driven scams. If you receive a message, video, or email that seems suspicious—even if it looks real—double-check before sharing any information or clicking on a link.

Practical security tips for SMBs and consumers

The report emphasizes simple yet effective security measures that can protect both businesses and individuals from cyber threats.

• Keep software updated: Whether you’re running a business or just protecting personal devices, always update your software and security tools. Patches often fix vulnerabilities that hackers could exploit.
• Use strong, unique passwords: Weak or reused passwords are an easy way in for cybercriminals. Use a password manager to create and store strong passwords.
• Enable two-factor authentication (MFA): For added protection, enable two-factor authentication on your accounts. This ensures that even if a hacker gets your password, they can’t access your account without a second step.
• Train employees on security basics: If you run a business, make sure your team is aware of common threats like phishing emails and knows how to report suspicious activity.

For SMBs: Consider a cybersecurity audit to identify any weaknesses in your system, and make sure your backup plans are up to date. Cyber insurance might also be worth looking into as an additional safety net.

For consumers: Keep an eye out for phishing scams, especially during high-risk times like holidays or after major news events. When in doubt, verify the source before clicking.

Download your copy of OpenText’s 2024 Threat Hunter Perspective today

Webroot® once again outperformed competitors in its latest round of testing by the performance benchmarking firm PassMark for February, 2023. In taking the highest score in the category, Webroot beat out competitors including BitDefender™, McAfee®, Norton, and ESET® security products.

PassMark® Software Party, Ltd. specializes in “the development of high quality performance benchmarking solutions as well as providing expert independent IT consultancy services to clients ranging from government organizations to major IT heavyweights.”

For this report, the company conducted objective testing of nine endpoint security products, including Webroot® SecureAnywhere Internet Security with Antivirus. Tests measured efficacy and performance in 15 categories including:

1. Scan Time
2. Scheduled scan time
3. Installation size
4. Installation time
5. Registry Key added
6. Boot time
7. Use interface launch time
8. Chrome Launch Time
9. Memory Usage during System Idle
10. Memory Usage during Initial Scan
11. Browse time
12. File Copy, Move and Delete
13. File Format Conversion
14. File Compression and Decompression
15. File Write, Open and Close

The table below shows overall scores achieved by the tested products, with a score of 100 being an ideal product achieving the highest possible score in each of the selected test metrics. Antivirus products have been ranked by their overall scores:

The overall scores above are only part of the story. Here’s some additional findings:

• Security scans 6x faster than average competitor
• 21x faster to install than average competitor
• Taking up 50x less space than average competitor (on hard drive)
• Uses 4 times less memory than average competitor (RAM, during system idle and initial scan)
• Fastest PC boot time compared with competitors

Not only did Webroot ranked first overall, but it also did in 7 specific benchmarks:

• Scheduled scan time
• Installation size
• Installation time
• Registry Key added
• Boot time
• Memory Usage during Initial Scan
• File Write, Open and Close

Why is this important?

Enjoying your digital life to the fullest means you can stay safe online and leverage the full power of your devices and your connections without security getting in the way. Choosing a comprehensive Internet Security solution that has little to no impact on your device’s performance helps you ensures you can work, shop, bank, play, connect, stream online without worry!

For more, check out the PassMark report.

In recognition of its profound impact, July 16 is celebrated as Artificial Intelligence (AI) Appreciation Day. AI is one of the defining technologies of our era, and its adoption is skyrocketing. People are using AI tools like OpenAI’s ChatGPT and Microsoft Copilot for a wide range of personal applications. Indeed, AI is integrated into various aspects of our daily lives — from AI-powered apps that assist with language translation and personal finance management to tools that help with creative writing and music composition.

However, with the rapid growth of AI comes the pressing need to maintain privacy in our tech-driven world. As these intelligent systems become more capable and ubiquitous, they also collect vast amounts of data. Staying informed about the privacy practices of the AI tools you use and taking proactive steps to safeguard your information is crucial in navigating this new digital landscape.

Here are some tips to help you keep your data private in our AI-enabled era:

1. Understand the technology
   Imagine stepping into a futuristic world where robots and computers are your helpful companions. That’s our world today with AI! But as with any new tech, it’s crucial to know how it works. AI is evolving fast, so take some time to understand the basics. Knowing how AI algorithms function and the specific types of data they use is key to understanding how these systems make decisions.
2. Know the vendor’s privacy practices
   Think of using an AI tool like choosing a new roommate. You wouldn’t want to live with someone who’s careless with your belongings, right? The same goes for your data privacy. Before you start using any AI tool, look into how the company handles your information. Are they safeguarding it, or selling it off to the highest bidder? A little research can help you find AI tools that respect your privacy.
3. Avoid inputting private data
   Avoid sharing sensitive information like your address and phone number when interacting with AI tools. While it’s important to be cautious, remember that certain types of private data, such as preferences or non-sensitive information, can be safely shared with AI. Just as you wouldn’t divulge all your secrets to a new acquaintance, exercise discretion in what you share to ensure your privacy remains protected.
4. Use strong passwords
   Think of your passwords as the locks on your doors. Weak locks are easy to pick, while strong ones keep intruders out. Create strong, unique passwords for your accounts, and use a reputable password manager like Webroot to keep track of them. This way, you won’t have to remember each one, and you can rest easy knowing your accounts are secure.
5. Keep software up-to-date
   Imagine driving a car with outdated brakes — scary, right? Using outdated software is just as risky. Keep your AI-powered devices and services up-to-date. Software updates often include security patches and bug fixes that keep your data safe and your devices running smoothly.
6. Protect your devices
   Your devices are like digital treasure chests, full of valuable information. Unfortunately, they’re also targets for cyber-attacks. AI-powered cyber threats are common and can wreak havoc on your systems. So strong antivirus protection is essential. Invest in a powerful solution like Webroot to keep the bad guys out and your devices safe.
7. Use two-factor authentication
   Think of two-factor authentication (2FA) as a double lock on your front door. It adds an extra layer of security by requiring a second form of verification, like a text message or an app notification, along with your password. Enabling 2FA on your accounts makes it much harder for someone to break in, even if they know your password.

By following these tips, you can enjoy the wonders of AI without sacrificing your privacy. Stay informed, stay cautious, and stay protected! The future is bright with AI — just make sure you’re navigating it safely.

Learn more about data protection.