COMMENTARY: Five ransomware groups: LockBit, Play, BlackBasta, Akira, and 8Base, have been responsible for 40.54% of ransomware attacks in 2024.
As we close out the year and head towards 2025, security teams must stay on the pulse of the evolving strategies of these actors and prioritize defenses accordingly. The prominence of these groups signals a broader trend that ransomware attacks are becoming more organized, sophisticated, and intertwined with geopolitical motivations.
Defenders must anticipate that these groups will refine their tactics, so teams must also advance their cybersecurity measures. It’s important that security pros gain a deeper understanding of the characteristics of the five groups, the broader implications of the threats, and learn ways to mitigate and stay ahead.
Here’s an analysis based on our recent threat intelligence report:
LockBit: The strategic powerhouse
LockBit remains one of the most consistent ransomware actors in the world. Known for its Ransomware-as-a-Service (RaaS) model, LockBit’s new variant, LockBit Green, incorporates code from Conti, enhancing its encryption and extortion capabilities.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
The group’s ability to release variants with advanced cryptographic techniques and adapt quickly to new targets indicates a high degree of organization. With LockBit’s operations spanning both Windows and Linux environments, it’s clear that ransomware groups are increasingly focusing on cross-platform attacks, which let them target broader industries, including critical infrastructure.
To defend against LockBit, prioritize security measures for both Windows and Linux systems. This includes implementing segmented backups, strengthening access control mechanisms, and ensuring rapid detection of unusual encryption activities.
Play: The calculated opportunist
Play ransomware has surged in activity, primarily relying on data exfiltration and extortion prior to encrypting systems. The group’s exploitation of vulnerabilities in unpatched systems, often through sophisticated phishing campaigns, positions it as a serious threat to organizations that rely on perimeter defenses. Play’s approach indicates a shift in ransomware actors focusing on pre-encryption exfiltration, allowing them to gain leverage even before systems are locked. This approach signifies a shift in ransomware tactics, where pre-encryption data theft amplifies extortion efforts, creating a dual threat to data privacy and business continuity.
Oganizations should focus on advanced endpoint detection and response (EDR) systems that can identify data exfiltration attempts before ransomware deployment. Regularly patching vulnerabilities and enhancing employee awareness of phishing attacks are also essential steps.
BlackBasta: The relentless disruptor
Since its emergence, BlackBasta has swiftly gained traction given its targeting of high-impact industries such as healthcare, critical infrastructure, and finance. This group uses a dual-extortion model, where data theft gets leveraged alongside encryption to pressure victims into paying. The focus on industries critical to national security suggests that BlackBasta may evolve from purely financial motivations to more strategic targeting, potentially with state actors in mind. This highlights an important convergence of cybercrime and national security, which could have far-reaching consequences for global stability.
Security teams need to strengthen email security products and implement multi-factor authentication (MFA) to guard against initial intrusions. Conduct regular security assessments to identify and address weaknesses in network segmentation and backup strategies.
Akira: The stealthy newcomer
Akira has quietly emerged as a notable threat actor, specializing in targeting small to medium-sized enterprises (SMEs) using compromised RDP credentials to infiltrate networks. Akira's focus on SMEs suggests a strategic exploitation of resource-limited organizations that may not have the same cybersecurity defenses as larger enterprises. This approach highlights a critical intelligence concern as threat actors increasingly focus on supply chains, typically hosting weaker security defenses, but serve as valuable entry points to larger, more prominent targets.
Teams should limit RDP access to critical systems and enforce the use of strong credentials, restricting access to trusted IPs. Implement regular monitoring for unusual login attempts, especially for SMEs, which are often seen as easier targets.
8Base: The fast-moving aggressor
While relatively new, 8Base has emerged as a fast-moving and aggressive ransomware group. The group’s "spray and pray" technique, where it attacks numerous organizations in quick succession, often succeeds because of the sheer volume of attacks. As actors like 8Base become more opportunistic, a wider range of organizations face increased risk. They can even exploit minor vulnerabilities, making it harder for defenders to predict and prioritize attacks, and requiring all sectors to strengthen their defenses. The reliance on commodity malware and open-source tools suggests that the barrier to entry for ransomware attacks is lowering, with significant consequences for global cybersecurity.
Organizations should stay updated on security configurations for commonly exploited software. Ensure that defenses are optimized to detect and neutralize the commodity malware and open-source tools used by such groups. Constant vigilance and proactive security testing are essential to reducing the likelihood of a successful intrusion.
The dominance of these five ransomware groups in early 2024 represents a clear call-to-action for cybersecurity teams. Each group has developed specialized tactics, ranging from LockBit’s cross-platform adaptability to Play’s data-centric extortion and 8Base’s rapid, opportunistic assaults, all of which require a multifaceted defensive strategy. Here are four important priorities for security teams:
- Cross-platform defense: Secure both Windows and Linux systems, especially against LockBit and Play variants.
- Advanced endpoint detection: Enhance EDR capabilities to detect data exfiltration and ransomware deployment early.
- Patch management: Quickly address vulnerabilities, particularly in remote access systems like RDPs and VPNs.
- Supply chain protection: Don’t overlook small and medium-sized enterprises and business partners, which can serve as critical entry-points for larger attacks.
As ransomware tactics continue to evolve, defenses must evolve alongside them. The intelligence we’ve gathered from these ransomware groups highlights the immediate need for cybersecurity enhancements, and also reveals broader trends that require collaboration between private companies and government intelligence agencies to safeguard national security.
Callie Guenther, senior manager, cyber threat research, Critical Start
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
