2025 Security Predictions: Top Ransomware Groups to Watch in a Post-LockBit Threat Landscape
ExtraHop
December 2, 2024
Despite more than 20 global law-enforcement actions targeting ransomware operations this year, including three that crippled the once-dominant LockBit group, 2024 is on track to be another record-breaking year for cyber extortion.
Numerous metrics support this outlook. First, ransomware payment flows had already reached an unprecedented $459.8 million at the mid-year mark, a $10 million increase over the same period in 2023, according to blockchain intelligence firm Chainalysis. Second, the median ransomware payment has skyrocketed from $198,939 in early 2023 to $1.5 million by mid-2024, according to Chainalysis data.
Regarding the meteoric rise in average extortion payouts, Chainalysis said this trend suggests that leading ransom “strains are prioritizing targeting larger businesses and critical infrastructure providers that may be more likely to pay high ransoms.” The targeting activity Chainalysis is describing is more commonly referred to as cyber big game hunting (BGH).
The third data point illustrating the historic nature of 2024 ransomware activity is that this is the first year in which global industry has suffered four eight-figure ransom payments in the same 12-month span. This BGH crime spree includes the astonishing $75 million payout strong-armed by the Dark Angels Team in February. Granted, the Dark Angels payout and the three other eight-figure payments are statistical outliers that distort the average payment figure relative to what the majority of cyber-extortion victims actually pay.
Nevertheless, with LockBit on the ropes, and with its peer ALPHV (BlackCat) disbanded, fragmented, and reorganized under different ransomware-as-a-service (RaaS) banners, defenders remain on high alert. As 2024 comes to a close, one key question many security practitioners are pondering is which threat actors will step up in 2025 to fill the void left by the apex cyber predators of yesteryear.
Answering this question has been complicated by a dramatic political transition in the U.S. following the 2024 General Election in November and rapidly escalating military conflicts in Eastern Europe and the Middle East. Probing how prevailing law enforcement interventions and geopolitical factors will shape the threat actor leaderboard in 2025, ExtraHop consulted three leading cyber intelligence experts to refine its RaaS royalty forecast for the upcoming year:
Analyst1 Chief Security Strategist Jon DiMaggio
Halcyon Director of Research Anthony Freed
RedSense Chief Research Officer Yelisey Bohuslavskiy
Here’s what they said.
DiMaggio’s Outlook
Looking out into 2025, Jon DiMaggio, a National Security Agency veteran and human intelligence (HUMINT) expert who shot to fame for his Donnie Brasco-style infiltration of the LockBit RaaS syndicate in support of the Cronos takedown, said that RansomHub and Cicada3301 will be “key ransomware groups to watch” next year.
DiMaggio noted that both groups launched their RaaS operations in 2024, successfully recruiting several experienced, high-level affiliate teams to support their extortion efforts. “Notably, both groups have ties to BlackCat/ALPHV, with overlapping human affiliates and code similarities in their ransomware payloads,” DiMaggio said.
DiMaggio explained that the individuals behind these RaaS operations are “seasoned players in the ransomware world with strong ties to the Russian criminal community.” He also noted that RansomHub attracted many BlackCat affiliates after the group disbanded earlier this year. To recap their high-profile dissolution, BlackCat allegedly ripped off ‘Notchy,’ the affiliate who breached Change Healthcare, stiffing him on the $22 million ransom he extracted from the medical billing firm just before the gang shut down their operation and listed their source code for sale for a cool $5 million USD.
As of November 16, 2024, RansomHub had claimed the second-most cyber extortion victims in 2024, listing 434 organizations on their data-leak site (DLS), according to ransomware tracker DarkFeed. This figure is second only to LockBit, which claimed 545 victims this year despite now being a shell of its former self. Additionally, many members of the cloud-savvy Scattered Spider collective have been observed using the RansomHub strain, despite grumblings about the quality of the locker by members of the cyber underground.
Notably, RansomHub has also recently been observed weaponizing a sophisticated endpoint detection and response (EDR) bypass tool called EDRKillShifter. According to TrendMicro, “EDRKillShifter is designed to exploit vulnerable drivers, undermining the effectiveness of EDR solutions by employing techniques to evade detection and disrupt security monitoring processes.”
Additionally, TrendMicro said that “EDRKillShifter enhances persistence mechanisms by employing techniques that ensure its continuous presence within the system, even after initial compromises are discovered and cleaned.” This malicious bypass kit “dynamically disrupts security processes in real-time and adapts its methods as detection capabilities evolve, staying a step ahead of traditional EDR tools,” according to TrendMicro.
Meanwhile, DiMaggio said that Cicada3301 “seems to have recruited the former LockBit and BlackMatter (later rebranded as BlackCat) ransomware developer to support their criminal enterprise.” Notably, Cicada3301 appears to take its name from a famous online riddle that captured the attention of Internet sleuths worldwide after being posted on the 4chan forum in 2012.
Regarding Cicada3301’s malware design, researchers from IBM X-Force threat intelligence noted that this variant, like BlackCat’s, is written in Rust. When it comes to malware coding, the primary advantage of operationalizing a relatively new language like Rust over legacy programming languages like C or C++ is the former’s enhanced ability to evade the “static analysis of most malware detection systems,” according to Security Intelligence.
By leveraging a malware codebase that isn't as widely used as C++, threat actors can better evade discovery by the static signatures used by endpoint detection and response (EDR) and antivirus (AV) solutions to match previously indexed indicators of malicious activity. Additionally, Rust’s robust built-in safety controls make reverse engineering malware variants written in this language much more difficult for threat hunters.
Furthermore, Cicada3301 malware, like BlackCat’s, “features a well-defined parameter configuration interface, registers a vector exception handler and employs similar methods for shadow copy deletion and tampering,” according to a report authored by security firm Morphisec. These attributes make the Cicada3301 variant more customizable, less susceptible to detection and operational disruption by security controls, and more insidious in terms of disarming any victim data restoration schemes that may be enabled by shadow copies, respectively.
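Two of the behaviors described above, an EDR killer loading an exploitable kernel driver and a locker deleting volume shadow copies before encryption, leave recognizable traces in endpoint telemetry. The following detection routine is an added example written for this post; it is not ExtraHop code, not code from any of the researchers quoted here, and it assumes a simplified key=value rendering of Sysmon Event ID 6 (DriverLoad) and Event ID 1 (ProcessCreate) rather than the real XML. Every hash, path, and event in it is constructed.

```python
"""Flag two ransomware precursors in constructed Sysmon-style events:
(1) a kernel driver load that is unsigned or matches a known-vulnerable-driver
blocklist (the "bring your own vulnerable driver" pattern EDR killers use), and
(2) a process command line that removes volume shadow copies."""
import re
from dataclasses import dataclass

# Constructed placeholder SHA-256 digests. A real deployment would load a
# maintained blocklist such as the LOLDrivers project's hash list instead.
BENIGN_HASH = "11" * 32
VULN_HASH = "22" * 32
UNKNOWN_HASH = "33" * 32
VULNERABLE_DRIVER_SHA256 = {VULN_HASH: "constructed-vulnerable-driver"}

# Command-line shapes that remove local recovery points (MITRE ATT&CK T1490,
# Inhibit System Recovery). Any of them on an ordinary workstation warrants a
# high-severity alert.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Key=value or Key="quoted value" tokens; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Turn one Sysmon-style key=value line into a dict of string fields."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def sha256_of(event: dict):
    """Extract the SHA256 entry from a Sysmon 'Hashes=SHA256=...,MD5=...' field."""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None


def analyze(lines):
    """Return the alerts raised by the driver-load and shadow-copy rules."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "6":  # Sysmon DriverLoad
            driver = ev.get("ImageLoaded", "?")
            digest = sha256_of(ev)
            if digest in VULNERABLE_DRIVER_SHA256:
                # A valid signature does not help here: BYOVD abuses drivers
                # that are legitimately signed but exploitable.
                alerts.append(Alert("known-vulnerable-driver-load",
                                    f"{driver} ({VULNERABLE_DRIVER_SHA256[digest]})"))
            elif ev.get("Signed", "").lower() != "true":
                alerts.append(Alert("unsigned-driver-load", driver))
        elif ev.get("EventID") == "1":  # Sysmon ProcessCreate
            cmd = ev.get("CommandLine", "")
            if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
                alerts.append(Alert("shadow-copy-tampering", cmd))
    return alerts


# Constructed sample events: one benign driver, one signed-but-vulnerable driver,
# one unsigned driver, two shadow-copy deletions, and one benign process.
SAMPLE_LOG = [
    rf'EventID=6 ImageLoaded=C:\Windows\System32\drivers\disk.sys Hashes=SHA256={BENIGN_HASH} Signed=true Signature="Microsoft Windows"',
    rf'EventID=6 ImageLoaded=C:\Users\Public\drv.sys Hashes=SHA256={VULN_HASH} Signed=true Signature="Constructed Vendor Inc"',
    rf'EventID=6 ImageLoaded=C:\Temp\x.sys Hashes=SHA256={UNKNOWN_HASH} Signed=false Signature=-',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt" ParentImage=C:\Windows\explorer.exe',
    r'EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\Windows\System32\cmd.exe',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"[{alert.rule}] {alert.detail}")
```

The second sample driver is the important one: it is validly signed, so a rule that only checks the signature would miss it, which is exactly why EDR killers favor drivers that are signed but exploitable. In production the hash blocklist must be refreshed regularly, and the shadow-copy rule should be paired with backup telemetry, since shadow-copy deletion is also how some legitimate backup agents reclaim space.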
For now, Cicada3301 appears to be eschewing the BGH trend highlighted by Chainalysis and instead focusing on low-hanging fruit like small and medium-sized businesses (SMBs). But given the group’s elite RaaS operator heritage, DiMaggio believes Cicada3301 will become significantly more ambitious in 2025. The group’s preferred initial compromise vector “appears to be through Remote Desktop Protocol (RDP), likely using stolen credentials or crackable passwords,” according to IBM X-Force research.
Overall, DiMaggio said that RansomHub and Cicada3301 “pose a significant threat due to their robust funding—likely from previous criminal activities—their support from experienced criminals, and their deep-rooted position within the ransomware ecosystem.”
Regarding the tactics, techniques, and procedures that DiMaggio expects to see operationalized more frequently next year, he said he anticipates that “more ransomware gangs will abandon the tactic of encrypting victim data.” He continues, “While this approach won't disappear entirely, it will decrease as threat actors realize it consumes time and resources to encrypt the victim's environment and gives defenders a greater opportunity to detect the activity.”
“Instead, we'll likely see an increase in breaches resulting in data theft and extortion alone,” DiMaggio said. Notably, this was precisely the type of adversarial tradecraft operationalized by the Cl0P ransomware group in 2023 when they staged their blockbuster supply-chain attack on Progress Software’s MOVEit managed file transfer application. When analyzing the thousands of organizations impacted by this hack, experts speculated that Cl0P was bound to net a combined total somewhere in the neighborhood of $100 million from all MOVEit victims that paid a ransom.
Halcyon’s Predictions
The Halcyon Ransomware Malicious Quartile report highlights significant attack activity and TTP evolution attributed to the leading threat actors. In the most recent Q3-2024 report, Halcyon Director of Research Anthony Freed has identified the most prolific operators in the ransomware and data extortion space as currently being Play, RansomHub, 8Base, Qilin, BlackSuit, and Hunters International. Notably, a recent report by Eurasia-focused cyber threat intelligence firm Paranoid Lab projected that 8Base and RansomHub would emerge as the greatest threat to European organizations in 2025.
Additionally, an August 2024 report authored by the Cybersecurity & Infrastructure Security Agency said that the BlackSuit threat group has “demanded over $500 million USD in total” from its victims since the group’s inception in 2023.
Looking out into 2025, Halcyon’s Anthony Freed anticipates that Sarcoma, Fog, KillSec, and Meow will be the top emerging threat groups to watch. Sarcoma may be the most nascent threat group on the horizon, having emerged in October 2024. Most recently, Sarcoma made headlines for their breach of an Australian logistics company, but they seem to “have gotten away with little in the way of digital loot,” according to news reports.
Freed noted that Fog RaaS first emerged in 2021 and is a variant of the STOP/DJVU family. This group has become a prominent threat with its file encryption and ransom demands in Bitcoin. “Initially focused on smaller organizations, Fog has expanded to more lucrative and high-profile targets, including critical infrastructure and financial sectors,” Freed said. Additionally, Freed said that Fog “typically gains initial access via compromised VPN credentials or unpatched systems, exploiting vulnerabilities across sectors from finance to utilities.”
Unlike most of its ransomware peers, KillSec initially emerged as a hacktivist group “tied to the Anonymous movement,” Freed said. The group officially launched a RaaS platform in June 2024. “Previously focused on government website defacements, particularly in India, KillSec’s pivot represents a broader shift among hacktivist groups incorporating criminal tactics.” The group is targeting sectors like finance, healthcare, and government across the U.S., Southeast Asia, the Middle East, and elsewhere.
The last RaaS organization spotlighted by Halcyon as one to watch in 2025 is Meow. First identified in 2022, Meow has “resurfaced as an aggressive threat in 2024, after a brief disappearance following March 2023,” according to Freed. Freed also noted that the group is associated with the Conti v2 ransomware variant, and that they have “become notorious for targeting industries in the United States with highly sensitive data, such as healthcare and medical research.”
Freed advised that the top three TTPs that RaaS groups will operationalize in 2025 are social engineering, particularly attacks facilitated by Scattered Spider-style SIM swapping scams; exploitation of unpatched vulnerabilities in publicly exposed web applications; and brute-forcing of remote access services like RDP and VPNs.
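Both IBM X-Force’s note on Cicada3301’s RDP-based initial access and Freed’s prediction about brute-forcing of remote access services point to the same defensive opportunity: guessed and sprayed RDP credentials show up as a burst of failed logons from one source, followed by a success. The routine below is an added example written for this post, not ExtraHop code or anything from the quoted researchers; it assumes Windows Security events rendered as JSON lines with the field names of Event IDs 4625 and 4624, and every address, timestamp, and username in it is constructed.

```python
"""Detect RDP password guessing and the credential compromise that follows it,
over constructed Windows Security events. Failed logons (4625) are counted per
source IP in a sliding window, restricted to RemoteInteractive logons
(LogonType 10); a success (4624) from the same source while the failure burst is
still inside the window raises a second, higher-severity alert."""
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # how long a failure counts toward a burst
THRESHOLD = 5                   # failures inside WINDOW that define a burst
RDP_LOGON_TYPE = 10             # RemoteInteractive


@dataclass(frozen=True)
class Alert:
    rule: str
    source_ip: str
    detail: str


def _prune(window_events, now):
    """Drop events that have aged out of the sliding window."""
    while window_events and now - window_events[0][0] > WINDOW:
        window_events.popleft()


def detect(lines):
    """Return alerts for RDP brute-force bursts and the successes that follow them."""
    failures = defaultdict(deque)  # source IP -> deque of (timestamp, username)
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        ip = ev["IpAddress"]
        recent = failures[ip]
        _prune(recent, ts)
        if ev["EventID"] == 4625:
            recent.append((ts, ev["TargetUserName"]))
            # Fire once, when the burst first reaches the threshold. The set of
            # distinct usernames separates spraying from single-account guessing.
            if len(recent) == THRESHOLD:
                users = sorted({u for _, u in recent})
                alerts.append(Alert("rdp-brute-force", ip,
                                    f"{len(recent)} failures in {WINDOW}; users={users}"))
        elif ev["EventID"] == 4624 and len(recent) >= THRESHOLD:
            alerts.append(Alert("rdp-success-after-brute-force", ip,
                                f"user={ev['TargetUserName']} logged on after {len(recent)} failures"))
    return alerts


def _event(ts, event_id, ip, user, logon_type=RDP_LOGON_TYPE):
    """Build one constructed JSON-lines event."""
    return json.dumps({"ts": ts, "EventID": event_id, "IpAddress": ip,
                       "TargetUserName": user, "LogonType": logon_type})


# Constructed sample: 10.0.0.5 sprays six accounts and then logs in as one of them;
# 10.0.0.9 mistypes a password once and then logs in; a network logon is ignored.
SAMPLE_EVENTS = [
    _event("2024-11-20T09:00:00", 4625, "10.0.0.5", "admin"),
    _event("2024-11-20T09:00:10", 4625, "10.0.0.5", "administrator"),
    _event("2024-11-20T09:00:20", 4625, "10.0.0.5", "backup"),
    _event("2024-11-20T09:00:30", 4625, "10.0.0.5", "svc_sql"),
    _event("2024-11-20T09:00:40", 4625, "10.0.0.5", "jsmith"),
    _event("2024-11-20T09:00:50", 4625, "10.0.0.5", "helpdesk"),
    _event("2024-11-20T09:00:55", 4625, "10.0.0.9", "mlee"),
    _event("2024-11-20T09:01:00", 4624, "10.0.0.9", "mlee"),
    _event("2024-11-20T09:01:02", 4625, "10.0.0.5", "jsmith", logon_type=3),
    _event("2024-11-20T09:01:05", 4624, "10.0.0.5", "jsmith"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.source_ip}: {alert.detail}")
```

One caveat worth building in before deploying a rule like this: when Network Level Authentication is enabled, failed RDP attempts are typically recorded with LogonType 3 rather than 10, so a production version should count those as well, and thresholds should be tuned against a baseline of normal help-desk and jump-host activity. The success-after-burst alert is the one that deserves a page, since it marks the moment stolen or guessed credentials became a foothold.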
Bohuslavskiy’s Forecast
Based on 2024 ransomware performance metrics, RedSense’s Chief Research Officer Yelisey Bohuslavskiy told ExtraHop that the top groups to watch next year are Dark Angels, Cl0P, and possibly Black Basta. But Bohuslavskiy noted that “there are additional clusters, though, which are not necessarily one group but that present a joint threat due to close internal cooperation.”
The first cluster, said Bohuslavskiy, is Akira-BlackSuit-Play-INC-Zeon. “The second one is on the opposite, very segmental, and comprises all the individual actors using LockBit derivatives,” Bohuslavskiy said. Notably, in our recent AI supply chain attack predictions report, ExtraHop highlighted the rising ransomware collective NullBulge weaponizing the leaked LockBit Black builder.
Bohuslavskiy’s mention of Cl0P is also noteworthy given the November 2024 leak of a blue-chip technology firm’s employee data on Breach Forums. ‘Nam3L3ss’, the threat-actor who posted the announcement, attributed this leak to the 2023 MOVEit supply chain attack, which impacted 2,773 organizations worldwide.
More alarmingly, Nam3L3ss’ posting history since November 8, 2024 reveals that they have published over a dozen corporate employee data leaks on Breach Forums that purportedly link back to the MOVEit hack as the source of stolen records. These organizations include technology companies, financial services firms, major pension plans, and other current and former customers of MOVEit managed file transfer services.
In the context of Bohuslavskiy’s Cl0P prediction, this recent dark web activity is significant because it could be indicative of the group covertly using the Nam3L3ss account to promote its brand and recapture security practitioner mindshare (possibly in preparation for a major attack announcement or campaign). The Nam3L3ss account was just registered on Breach Forums in April 2024, and its most visible activity to date is leaking MOVEit-related data. Thus, questions about this threat actor’s potential links to the notorious ransomware group are inevitable.
Regarding attacker TTPs that Bohuslavskiy anticipates seeing most often in 2025, he said that “killchain after initial access remains extremely conservative and is centered around targeting active directories and simple mapping and consequent exfiltration.” Notably, this outlook aligns with a recent prediction from ExtraHop on the continued targeting of Active Directory by ransomware actors in 2025.
As for sector-specific RaaS trends that he expects to see next year, Bohuslavskiy said that after 2024, it is “abundantly clear that elite ransomware operators are precision-targeting the healthcare sector,” which he described as an unprecedented development in the history of ransomware campaigns. While the healthcare sector has always been in the general crosshairs of ransomware groups, “there has never been such a persistent and sustained barrage of healthcare-focused attacks the way we have seen this year,” Bohuslavskiy said.
Bohuslavskiy also said he has seen evidence, which has not been publicly announced on ransomware data leak sites, suggesting aggressive targeting of Western military-industrial complex organizations. “Because the entities in this sector typically pay the ransom, they never appear on the shame blogs,” said Bohuslavskiy.
ExtraHop Predicts Top Three Threat Actors to Watch in 2025
Synthesizing the forecasts of the cyber intelligence experts who volunteered their insights and combining these perspectives with our proprietary research, ExtraHop anticipates that RansomHub, 8Base, and Cl0P will be the top three threat groups to watch in 2025.
Key industry events that have disrupted and reshaped the ransomware landscape are the crippling of LockBit by international law enforcement, the disbandment of ALPHV, and official accusations of high-level links between LockBit and the notorious Russo-Ukrainian Evil Corp cybercrime syndicate made by the UK’s National Crime Agency.
On this note, DiMaggio noted that the “LockBit ransomware operation will diminish. With indictments and sanctions imposed in 2024, the group is having a much more difficult time obtaining ransom payments due to sanction restrictions preventing victims in the United States from paying the gang.” Consequently, DiMaggio said LockBit will “become irrelevant and likely disband.”
Still, cybercriminal diaspora movements catalyzed by the LockBit takedown and ALPHV’s dissolution have most prominently favored the rise of RansomHub. RansomHub’s use of hyper-adaptive and persistent EDR evasion tools like EDRKillShifter is particularly alarming.
The ease with which next-generation EDR bypass tools can disarm endpoint security controls further illustrates why network detection and response (NDR) deployments have become essential for enterprise security frameworks. While sophisticated threat actors can disable EDR applications and tamper with security logs, network packet data offers defenders an unalterable source of truth that cannot be evaded or deactivated.
8Base is another threat group to watch in 2025. After a short hiatus, the group aggressively reemerged in October 2024, announcing 13 new victims on their data leak site. The most notable victim recently claimed by the group was a major German auto manufacturer.
8Base “uses a branch of the notorious Phobos ransomware that made millions from a string of government and critical infrastructure companies,” according to The Register. Of the 25 new RaaS operations that emerged in 2023, 8Base and Akira were two of the standout ransomware “performers” flagged by Palo Alto Networks’ Unit 42 threat intelligence team.
Finally, given the unencrypted, data-exfiltration-focused TTPs envisioned by DiMaggio to take flight next year, Bohuslavskiy’s top threat-actor forecast, and recent MOVEit-related data leaks published on Breach Forums, ExtraHop assesses that Cl0P is setting the stage for a big comeback in 2025.
As a new crop of elite ransomware operators fine-tune their attack chains with next-generation EDR killers and enact established methods for exploiting hard-to-secure Active Directory environments, organizations need to weaponize network telemetry against threat actors. While preventing initial access may be near-impossible, the RevealX™ NDR platform can help defenders identify Active Directory abuse and cloud workload attack signals in their earliest stages.
Regarding the former attack vector, RevealX provides real-time detection coverage for at least 55 critical Active Directory attack typologies, including post-exploitation Kerberoasting techniques favored by sophisticated BGH ransomware threat actors like BlackSuit. Additionally, high-performance NDR tooling can help overcome the visibility and detection gaps inherent to EDR tools and security information and event management (SIEM) logs.
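Kerberoasting, the Active Directory technique named above, has a well-understood log footprint: a single user account requesting service tickets (Event ID 4769) for many distinct service accounts in a short window, usually with the ticket encryption type downgraded to RC4-HMAC (0x17) so the ticket can be cracked offline. The routine below is an added example written for this post, not ExtraHop or RevealX code; it assumes 4769 events exported as CSV with the standard field names, and every account name, timestamp, and address in it is constructed.

```python
"""Kerberoasting detection over constructed Windows Security 4769 events.
An alert fires when one user account's RC4 service-ticket requests cover
DISTINCT_SERVICE_THRESHOLD or more distinct service accounts inside WINDOW.
Computer accounts and the krbtgt service are excluded: they request and
receive tickets constantly and are not what roasting tools target."""
import csv
import io
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
DISTINCT_SERVICE_THRESHOLD = 4
RC4_HMAC = "0x17"   # AES tickets are 0x11 / 0x12


@dataclass(frozen=True)
class Alert:
    rule: str
    account: str
    services: tuple
    source_ip: str


def _is_machine_or_tgt(name: str) -> bool:
    """Computer accounts end in '$'; krbtgt is the ticket-granting service."""
    return name.endswith("$") or name.lower().startswith("krbtgt")


def detect_kerberoasting(rows):
    """Return one alert per account whose RC4 ticket requests cross the threshold."""
    requests = defaultdict(deque)  # requesting account -> deque of (ts, service)
    alerts, fired = [], set()
    for r in rows:
        account, service = r["TargetUserName"], r["ServiceName"]
        if _is_machine_or_tgt(account) or _is_machine_or_tgt(service):
            continue
        if r["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        ts = datetime.fromisoformat(r["ts"])
        recent = requests[account]
        recent.append((ts, service))
        while recent and ts - recent[0][0] > WINDOW:
            recent.popleft()
        distinct = sorted({s for _, s in recent})
        if len(distinct) >= DISTINCT_SERVICE_THRESHOLD and account not in fired:
            fired.add(account)
            alerts.append(Alert("kerberoasting-suspected", account,
                                tuple(distinct), r["IpAddress"]))
    return alerts


# Constructed sample: WS01$ does routine AES requests, jsmith asks for RC4
# tickets to five distinct service accounts in six seconds, and mlee's single
# RC4 request (a legacy application) stays below the threshold.
SAMPLE_CSV = """ts,TargetUserName,ServiceName,TicketEncryptionType,IpAddress
2024-11-20T10:00:00,WS01$,FS01$,0x12,10.0.1.20
2024-11-20T10:00:01,WS01$,krbtgt,0x12,10.0.1.20
2024-11-20T10:04:00,jsmith,FS01$,0x12,10.0.1.20
2024-11-20T10:05:00,jsmith,svc_sql,0x17,10.0.1.20
2024-11-20T10:05:01,jsmith,svc_web,0x17,10.0.1.20
2024-11-20T10:05:02,jsmith,svc_backup,0x17,10.0.1.20
2024-11-20T10:05:03,jsmith,svc_sql,0x17,10.0.1.20
2024-11-20T10:05:04,jsmith,svc_iis,0x17,10.0.1.20
2024-11-20T10:05:05,jsmith,svc_exchange,0x17,10.0.1.20
2024-11-20T10:30:00,mlee,svc_sql,0x17,10.0.1.31
"""


def load_events(text: str = SAMPLE_CSV):
    """Parse CSV text into the list of dict rows detect_kerberoasting expects."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    for alert in detect_kerberoasting(load_events()):
        print(f"[{alert.rule}] {alert.account} from {alert.source_ip}: "
              f"{', '.join(alert.services)}")
```

Two tuning notes for anyone adapting this: environments with legacy applications generate steady, low-volume RC4 requests, so the distinct-service count matters more than the encryption type alone, and some tooling now requests AES tickets, so a second rule that counts distinct services regardless of encryption type against each account’s own baseline closes that gap. Network-side visibility adds a further check, since the TGS-REQ traffic to the domain controller is observable even when the endpoint’s event log has been tampered with.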
Furthermore, with DiMaggio forecasting that ransomware actors will eschew the deployment of encryption lockers next year, elite adversaries will emit fewer threat signals for security systems to detect before they seize valuable, extortion-worthy data. As elite threat actors employ stealthier TTPs to evade discovery, harnessing the full power of network telemetry arms defenders with tactical parity against adversaries, enabling them to detect cyberattacks in their most nascent stages.
Weaponizing real-time, full packet capture (PCAP) network data analysis and comprehensive protocol decryption empowers security operations center (SOC) teams to rapidly identify malicious activity and instantly intervene in threat-actor attack chains. This way, defenders can prevent RDP or VPN credential compromise-based breaches and malign privilege escalation attempts from metastasizing into catastrophic system takeovers and bulge-bracket ransom payouts.
As a new hierarchy of RaaS apex predators emerges from the ruins of LockBit’s and BlackCat’s fractured operations, a modern NDR tool like RevealX has become essential to stop emerging BGH adversaries from seizing root access in breached networks. RevealX empowers defenders with full-spectrum visibility of prevailing post-exploitation techniques targeting Active Directory and cloud workloads in real-time, enabling them to disrupt ransomware attack chains with unparalleled velocity.