Top Ransomware in 2024

The ransomware landscape in 2024 has witnessed significant shifts and developments. Here’s an overview of the top ransomware groups and trends observed this year:

LockBit’s Downfall

LockBit, once the most formidable ransomware threat, faced a major setback in February 2024. An international law enforcement operation, codenamed “Operation Cronos,” led to the arrest of at least three LockBit associates in Poland and Ukraine. Subsequently, the LockBit dark web site was seized, displaying a banner from the UK’s National Crime Agency, FBI, and the international task force. This disruption dealt a severe blow to LockBit’s operations, causing a temporary halt in their activities.

ALPHV’s Resurgence and Decline

ALPHV, also known as BlackCat, was another prominent ransomware group that faced challenges in 2024. In December 2023, the FBI announced a successful takedown of ALPHV’s infrastructure, seizing control of one of their main sites and developing a decryption tool to aid victims. This action significantly impacted ALPHV’s operations, leading to a 53% decrease in their attacks from Q4 2023 to Q1 2024.However, ALPHV resurfaced in early 2024, employing new tactics like using the Rust programming language to bypass security controls. Despite their resurgence, ALPHV’s dominance waned as smaller groups gained momentum.

Emergence of Smaller Groups

While the established ransomware groups faced setbacks, smaller groups seized the opportunity to rise in prominence. Groups like Play, RansomHub, Dark Vault, Ra Group, and Inc Ransom have ranked high in victim volume as of April 2024.Play, in particular, has taken the top spot for the most active ransomware group in April, surpassing LockBit and ALPHV. This shift highlights the dynamic nature of the ransomware landscape, where smaller groups can quickly gain traction and pose significant threats.

Decline in Ransom Payments

One notable trend observed in 2024 is the decrease in ransom payments made by victims. In Q4 2023, the proportion of ransomware victims complying with ransom demands plummeted to a historic low of 29%, according to data from top ransomware negotiation firm Coveware. This decline can be attributed to several factors, including enhanced preparedness among organizations, skepticism towards cybercriminals’ assurances, and legal constraints in regions where ransom payments are prohibited.Additionally, the average ransom payment amount has decreased, with Q4 2023 seeing an average payment of $568,705, marking a 33% decrease from the preceding quarter.

Healthcare Sector Remains a Prime Target

The healthcare sector continues to be a prime target for ransomware groups in 2024. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has tracked over 530 attacks against the U.S. healthcare sector in the past six months, with nearly half of them being ransomware-related. HC3 has released advisories on the top 10 ransomware groups targeting the healthcare sector and recommended actions to protect against advanced social engineering attacks targeting IT help desks.


The ransomware landscape in 2024 has been marked by the downfall of established groups like LockBit and ALPHV, the rise of smaller but formidable groups, and a decline in ransom payments made by victims. Law enforcement efforts have disrupted major ransomware operations, but the threat remains persistent as new groups emerge and adapt their tactics. Organizations must remain vigilant and prioritize robust cybersecurity measures to mitigate the ever-evolving ransomware risks