Operation Cronos, a Europol-led coalition of law enforcement agencies from 10 countries, announced in February that it had disrupted LockBit — one of the most prolific ransomware gangs in the world — at “every level” of its operations. Being responsible for 25% to 33% of all ransomware attacks in 2023, LockBit had become target No. 1. However, just a week after Operation Cronos' takedown, the gang was relaunched — and continued to target organizations.
The case of LockBit’s rise, fall, and resurrection embodies the state of ransomware in 2024 — and teaches important lessons for what to expect on the threat landscape in 2025. But LockBit isn’t the only successful ransomware player. In the past year alone, at least 24 ransomware gangs were targeting businesses, health care facilities, municipalities, and other critical entities globally.
Here are the biggest ransomware threats of 2024, how they operate — and what lessons your SecOps team can adopt to stay one step ahead of these threat actors in 2025.
[ Get RL's Essential Guide: Software Supply Chain Security for Dummies ]
LockBit rises from the ashes
LockBit's resurrection so soon after the months-long Operation Cronos effort to neutralize it is frustrating — but not surprising. While the coalition managed to take control of the gang’s technical infrastructure and leak site, arrest two of the group’s members, freeze more than 200 related cryptocurrency accounts, and take down 34 servers, LockBit never surrendered. Its leader wrote in a letter posted at the time that the gang's backup systems remained intact.
Ashlee Benge, director of threat intelligence for ReversingLabs, said the odds overwhelmingly favor ransomware gangs over law enforcement.
“Defenders and law enforcement need to be right 100% of the time. … it’s much easier to be a threat actor because you only have to be right one time out of potentially thousands of attack attempts.”
–Ashlee Benge
Conti, a once heavily active ransomware gang that extorted $180 million from ransom payments in 2021 alone, is another example of the difficulty of truly quashing ransomware gangs. Conti first met with trouble when it pledged support for Russia’s invasion of Ukraine in February 2022. This led to an unknown source leaking the gang’s private messages and more than 100,000 files from Conti’s operations on the social media site then known as Twitter and now as X. The gang was set back even further in August 2023, when law enforcement from around the globe worked together to take down the Qakbot botnet, which was used by Conti and other ransomware-as-a-service (RaaS) gangs to carry out their attacks.
In 2024, however, Conti had a new persona, Black Basta. It was targeting the auto industry and a labor union and then shifted gears in August to develop new custom tools and initial access techniques. That allowed the gang to operate without phishing or the use of the Qakbot botnet.
As for LockBit in 2024, researchers discovered in April that the gang had used stolen credentials and a new variant of the LockBit 3.0 builder to target an unnamed entity in West Africa. Then, in May, LockBit claimed responsibility for the ransomware attack on the city of Wichita, Kansas. That next month, the gang targeted Evolve Bank in an attack that resulted in a leak of the organization’s data onto the dark web.
It's Whac-A-Mole, said ReversingLabs' Benge said. “You can whack one down, but three more come up, and you still have to deal with those,” she said.
Ransomware gangs thrive on the profits
One key reason ransomware attacks did not slow their pace in 2024 is that their malicious activities can be quite profitable. In the first half of 2024, ransomware victims paid an average of $5.2 million in demands, researchers at Comparitech have reported. One Fortune 50 company broke a record by paying cyberattackers $75 million – greatly exceeding any other confirmed ransom payment in history.
“Ransomware is interesting because, even though there are changes, I would say it’s also in a very steady state. It’s obviously profitable, or people wouldn’t be doing that type of crime.”
–Ashlee Benge
One of the biggest ransomware cases of 2024, an attack on the automotive software solutions company CDK, resulted in major disruptions within the auto industry’s supply chain that forced auto dealers to switch to paper tracking in order to conduct business. The attack was attributed to the BlackSuit ransomware gang, which demanded millions of dollars from CDK to restore the software company’s systems. Despite the major repercussions for the automotive sales supply chain, this particular event was indicative of ransomware gangs’ focus on return on investment.
In an effort to gain greater profits, ransomware gangs are moving toward targeting key parts of the software supply chain, such as popular commercial products or open-source repositories, to greatly increase the attack’s impact on victims, Benge said. In 2025, enterprises will need to up their software assurance efforts — which has proved to be challenging, given the current state of application security tools.
“It can be more difficult to detect, because software supply chain security is not really an area that has been well hashed out.”
—Ashlee Benge
One lesson is clear: Changes are needed in 2025
As a result of law enforcement's gaps with the capabilities and opportunities that ransomware gangs have, enterprises must start proactively addressing such threats. "Taking action only when you’ve already been breached isn’t enough. But that’s expensive for organizations with limited resources to pull off," Benge said.
More likely than not, ransomware gangs are well organized, well funded, and are able to recruit talent that will maintain the organization’s infrastructure – even in the wake of a setback. That means large, multinational corporations that are responsible for maintaining supply chains and critical infrastructure need to outmatch a ransomware gang’s financial investments, Benge said.
“Corporations have the financial resources to do something about ransomware, unlike law enforcement.”
–Ashlee Benge
Benge stressed that because ransomware attacks regularly make headlines, there’s a numbing effect that causes organizations to think of ransomware as inevitable. Because of this, corporations are not incentivized to invest time or resources or hire people that have the expertise to build better protections, Benge said.
Make the effort; it will pay off
For organizations that are ready to invest in proactive ransomware defense, it’s essential for their security teams to consider becoming more flexible when hiring new talent to tackle the problem, Benge said. By amending hiring qualifications and supporting nonprofit efforts to get more talent into cybersecurity, organizations will be making important strides to combat ransomware in 2025, she said.
“I’m hopeful, because there’s going to be this much greater pool of talent to pull from for these types of roles, and I’m hopeful that organizations will also start to change hiring policies to lessen the restrictions on more traditional qualifications.”
–Ashlee Benge
