{
	"id": "9e8b0f86-e988-4466-8028-15618e229b31",
	"created_at": "2026-04-06T00:10:42.6401Z",
	"updated_at": "2026-04-10T03:34:59.505021Z",
	"deleted_at": null,
	"sha1_hash": "dc939abe2f513d9d630801fdeb97176826850dd0",
	"title": "Ransomware Review: First Half of 2024",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2213231,
	"plain_text": "Ransomware Review: First Half of 2024\r\nBy Amanda Tanner, Kristopher Bleich\r\nPublished: 2024-08-09 · Archived: 2026-04-05 17:05:16 UTC\r\nExecutive Summary\r\nUnit 42 monitors ransomware and extortion leak sites closely to keep tabs on threat activity. We reviewed\r\ncompromise announcements from 53 dedicated leak sites in the first half of 2024 and found 1,762 new posts. This\r\naverages to approximately 294 posts a month and almost 68 posts a week. Of the 53 ransomware groups whose\r\nleak sites we monitored, six of the groups accounted for more than half of the compromises observed.\r\nIn February, we reported a 49% increase year-over-year in alleged victims posted on ransomware leak sites. So\r\nfar, in 2024, comparing the first half of 2023 to the first half of 2024, we see an even further increase of 4.3%. The\r\nhigher level of activity observed in 2023 was no fluke.\r\nActivity from groups like Ambitious Scorpius (distributors of BlackCat) and Flighty Scorpius (distributors of\r\nLockBit) has largely fallen off due to law enforcement operations. However, other threat groups we track such as\r\nSpoiled Scorpius (distributors of RansomHub) and Slippery Scorpius (distributors of DragonForce) have joined\r\nthe fray to fill the void.\r\nIndustries most impacted by ransomware were manufacturing (16.4% of observed posts), healthcare (9.6%) and\r\nconstruction (9.4%). Like with manufacturing, healthcare is extremely sensitive to disruptions and downtime.\r\nThe U.S. was home to the most victims by far in the first half of 2024. With 917 compromises, the US received\r\n52% of total attacks. In order of impact, the remaining top 10 nations were: Canada, the U.K., Germany, Italy,\r\nFrance, Spain, Brazil, Australia and Belgium.\r\nNewly disclosed vulnerabilities primarily drove ransomware activity as attackers moved to quickly exploit these\r\nopportunities. 
Threat actors regularly target vulnerabilities to access victim networks, elevate privileges and move\r\nlaterally across breached environments. We’ll list some of the most common vulnerabilities being exploited in\r\n2024.\r\nPalo Alto Networks customers are better protected from ransomware threats through our Network Security\r\nsolutions, Prisma Cloud offerings and Cortex line of products.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nRelated Unit 42 Research\r\nCybercrime, Ransomware\r\nhttps://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/\r\nPage 1 of 14\n\nNamed Groups (Unit 42 Taxonomy)\r\nAmbitious Scorpius, Anemic Scorpius, Bashful Scorpius, Burning Scorpius, Chubby\r\nScorpius, Dark Scorpius, Drowsy Scorpius, Flighty Scorpius, Muddled Libra, Mushy\r\nScorpius, Screaming Scorpius, Shifty Scorpius, Slippery Scorpius, Spicy Scorpius,\r\nSpikey Scorpius, Spoiled Scorpius, Stumped Scorpius, Wandering Scorpius, Whiny\r\nScorpius\r\nNamed Groups\r\nAlpha, ALPHV, AvosLocker, Black Basta, BlackCat, Blackout, BreachForums, CL0P,\r\nDoNex, DragonForce, GhostSec, Hunters International, Karakurt, KelvinSecurity,\r\nLockBit, Losttrust, LukaLocker, MyData, NoEscape, Nokoyawa, Qilin, Quilong,\r\nRansomHub, Scattered Spider, SocGholish, Trisec, Volcano Demon\r\nCVEs Mentioned\r\nCVE-2018-13379, CVE-2020-1472, CVE-2024-1708, CVE-2024-1709, CVE-2024-26169, CVE-2024-27198, CVE-2024-4577\r\nTop Industries Mentioned\r\nHealthcare, Manufacturing, Construction\r\nLeak Site Trends in the First Half of 2024\r\nOur team monitors data from dedicated leak sites (DLS) that are often only accessible through the dark web.\r\nThroughout our analysis, we compare the first half of 2024 (1H24) to the first half of 2023 (1H23) so that we are\r\naccounting for any seasonal fluctuations that can occur due to annual holidays, travel seasons and other 
recurring\r\nevents that may impact threat activity.\r\nKey Findings:\r\n4.3% year-over-year increase in compromise announcements\r\n1H24: 1,762 compromise announcements from 53 sites – with the top six groups responsible for\r\nmore than half of the compromises\r\n1H23: 1,688 compromise announcements\r\n1H24 averaged 68 leak site posts per week\r\nRansomware announcements continue to increase, despite multiple notable law enforcement disruptions\r\nand arrests\r\nThe LockBit leak site remains the most active, posting misleading information and old data\r\nIn February, we reported a 49% YoY increase in victims posted on leak sites. Our analysis of 2024 so far\r\nshows that ransomware groups are maintaining that higher level of activity, even further increasing activity\r\nrelative to last year.\r\nFigure 1. Month-by-month comparison of ransomware leak site reports.\r\nFigure 1 shows a month-by-month breakout of the numbers, comparing each of the first six months in 2023 with\r\neach of the first six months in 2024.\r\nWe observed a notable decrease in ransomware leak site reports in June of 2024. Significant decreases in activity\r\non the LockBit and 8Base leak sites largely accounted for this drop.\r\nThreat Group Activity\r\nLeak site data indicates 53 ransomware groups have been active so far in 2024, but the top six ransomware groups\r\naccount for a little more than half of the total compromises.\r\nUnit 42 tracks threat groups using a naming system that pairs a modifier with a designated constellation per group.\r\nUnit 42 maintains a master list of the threat actor groups we track, along with common akas. 
More details on\r\ncybercrime groups are in the graphic below.\r\nAs seen in Figure 2, four ransomware groups that were among the six most active in 2023 remained among the\r\nmost active so far this year. During the first half of 2024, Ambitious Scorpius (distributors of ALPHV/BlackCat)\r\nand Chubby Scorpius (distributors of CL0P) dropped out of the top rankings. These groups were displaced by\r\nDark Scorpius (distributors of Black Basta) and Transforming Scorpius (distributors of Medusa).\r\nFigure 2. Comparing the top six ransomware groups from all of 2023 with the first half of 2024.\r\nThreat actors regularly target vulnerabilities to access victim networks, elevate privileges and move laterally\r\nacross breached environments. Our threat landscape has been inundated with zero-day and other serious\r\nvulnerabilities, giving threat actors a large menu to choose from. According to our most recent Unit 42 Incident\r\nResponse Report, vulnerabilities became the leading cause of initial access in our cases in 2023, overtaking other\r\ncommon methods such as phishing for the first time.\r\nThat trend continues in 2024. Below, we provide some of the more prolific vulnerabilities exploited by\r\nransomware groups in the first half of 2024. 
We encourage organizations to implement a robust vulnerability\r\nmanagement program that accounts for known exploited vulnerabilities, such as those included below.\r\nCVE-2018-13379 - Fortinet SSL VPN\r\nCVE-2024-1709 - ConnectWise ScreenConnect\r\nCVE-2024-1708 - ConnectWise ScreenConnect\r\nCVE-2024-27198 - TeamCity\r\nCVE-2024-4577 - PHP-CGI script engine\r\nCVE-2020-1472 - Netlogon Remote Protocol\r\nCVE-2024-26169 - Microsoft Windows Error Reporting Service\r\nLaw Enforcement Takedowns and Disruptions\r\nIn the dynamic ransomware landscape, some threat actors have quietly scaled down or completely ceased\r\noperations in the first half of 2024. However, some high-profile ransomware groups have disappeared in very\r\npublic ways.\r\nLaw enforcement activity continues to have a wide-reaching impact on the ransomware threat landscape in 2024.\r\nTakedowns of prominent ransomware groups, forums and individuals in the first half of the year have created\r\nripples throughout the criminal ecosystem.\r\nLaw enforcement highlights from the first half of 2024 include:\r\nJanuary 2024: U.S. law enforcement arrested a prominent member of Muddled Libra on charges that\r\ninclude wire fraud, identity fraud and cryptocurrency theft.\r\nFebruary 2024: Law enforcement takedown of the LockBit 3.0 Tor site disrupted its ransomware\r\noperations.\r\nMarch 2024: Affected by a December 2023 law enforcement takedown, the Ambitious Scorpius group\r\nfinalized an exit scam by selling its ALPHV/BlackCat source code and pretending the FBI seized their site\r\nand infrastructure.\r\nMay 2024: The U.K., U.S. 
and Australia unmasked and sanctioned the leader of Flighty Scorpius, the\r\ngroup behind LockBit ransomware.\r\nMay 2024: The group behind GhostLocker ransomware, GhostSec, announced its exit from ransomware\r\nand return to hacktivism.\r\nMay 2024: Law enforcement agencies seized control of BreachForums and a Telegram channel by\r\nBreachForums administrator nicknamed Baphomet, leading to speculation that Baphomet had been\r\narrested.\r\nJune 2024: Law enforcement arrested the leader of a cybercrime group we track as Muddled Libra (aka\r\nScattered Spider). Law enforcement agencies have identified this group as an affiliate of the\r\nALPHV/BlackCat ransomware program.\r\nJune 2024: The administrator behind the ShinyHunters handle on BreachForums retired and turned over\r\nthe site to a new administrator account named Anastasia.\r\nJuly 2024: Law enforcement arrested another leader of the Muddled Libra group.\r\nWhile infrastructure seizures by law enforcement are not new, they appear to have been more impactful than\r\nprevious takedowns. Law enforcement agencies have continued seizing infrastructure and making arrests in 2024,\r\nbut they have also started targeting organizations affiliated with these ransomware groups. These actions have\r\nimpacted ransomware groups in different ways.\r\nTakedown, Recovery and Exit Scam: Ambitious Scorpius\r\nKnown for its ALPHV/BlackCat ransomware, Ambitious Scorpius was the second-most prolific group according\r\nto our 2023 leak site data. 
After the FBI disrupted this group's operations in December 2023, many predicted this\r\ngroup could shut down or rebrand their creation as new ransomware.\r\nBy March 2024, Ambitious Scorpius finalized an exit scam by selling its ALPHV/BlackCat source code and\r\npretending the FBI seized their site and infrastructure.\r\nFrom Takedown to Fraudulent Claims and Possible New Group: Flighty Scorpius\r\nAfter its February 2024 law enforcement takedown, Flighty Scorpius stood up new infrastructure and began\r\ntargeting more victims with LockBit 3.0 ransomware.\r\nAfter restoring its operations, this threat actor posted dubious claims of new victims to its leak site that appeared\r\nto be old compromises, exaggerations or outright fabrications. For example, in June 2024, the group claimed to\r\nhave compromised the US Federal Reserve, but further investigation revealed it was a US-based bank.\r\nOn May 7, the National Crime Agency announced a joint international effort had unmasked the leader of Flighty\r\nScorpius and imposed various sanctions on his travel and finances. Known as LockBitSupp, the leader is alleged\r\nto be Russian national Dmitry Khoroshev. They also issued arrest warrants for additional affiliates of the group.\r\nSeizures, Arrests, Retirements and Transitions: BreachForums\r\nBreachForums, a criminal forum where threat actors buy and sell stolen data and access to compromised\r\nnetworks, has a history of name changes and takedowns. In May 2024, law enforcement seized BreachForums and\r\narrested its administrator known as Baphomet.\r\nThe site came back weeks after the May 2024 takedown under an administrator named ShinyHunters. This\r\nShinyHunters account might be related to the ShinyHunters hacking collective, a group we track as Bling Libra. 
In\r\nJune 2024, the user behind BreachForums’ ShinyHunters account reportedly retired and moved the forum to a\r\nnew administrator.\r\nArrest of Affiliate's Key Member and Leaders: Muddled Libra\r\nIn January 2024, US law enforcement arrested a prominent member of Muddled Libra, named Noah Michael\r\nUrban, on charges that include wire fraud, identity fraud and cryptocurrency theft. In June 2024, a joint law\r\nenforcement effort resulted in the arrest of a 22-year-old UK citizen in Spain believed to be the leader of Muddled\r\nLibra. Law enforcement arrested another leader in July. It is too early to tell if these arrests will impact the group’s\r\ncapabilities.\r\nAn Apparent Exit From Ransomware: GhostSec\r\nIn a May 2024 interview, GhostSec announced it was ending its ransomware operations and returning to\r\nhacktivism. GhostSec will reportedly hand off its GhostLocker RaaS operations to the Stormous ransomware\r\ngroup.\r\nThis group started nearly a decade ago, with the stated aim of targeting and disrupting terrorist organizations like\r\nISIS. They developed GhostLocker RaaS in October 2023 as a means to fund their hacktivism activities.\r\nThe group had strict stipulations against targeting healthcare and education. If its ransomware hit victims in those\r\nsectors, GhostSec said it stepped in to mitigate the damage. The group's leader Sebastian Dante Alexander noted it\r\nfavored \"...higher scale corporations, which I believe — to an extent — are all greedy.\"\r\nA member of the Five Families, GhostSec previously coordinated attacks with the Stormous ransomware group,\r\nanother member of the Five Families. To exit the ransomware scene, GhostSec stated it will transfer\r\nGhostLocker's source code (version 3) and the rest of its ransomware operations to Stormous. 
The group stated\r\nthat its purpose for the transfer is a clean break without an exit scam. Of note, however, the claimed break\r\ninvolves handing off the ransomware used to extort victims rather than ending its use.\r\nOther Ransomware Groups\r\nChubby Scorpius, which distributes CL0P ransomware, was the third most active ransomware group in 2023, but\r\nits activity fell dramatically in 2024. As of June, this group accounts for less than 0.75% of the total posts in our\r\nleak site data.\r\nOther ransomware groups that have not been active on leak sites in 2024 are Bashful Scorpius (distributors of\r\nNokoyawa ransomware), KelvinSecurity, Losttrust, Mushy Scorpius (distributors of Karakurt), Spicy Scorpius\r\n(distributors of AvosLocker) and Stumped Scorpius (distributors of NoEscape).\r\nWhile these groups might have stopped due to the economics of a constantly evolving cybercrime market,\r\nadditional factors could have influenced these apparent departures. Recent high-profile takedowns of ransomware\r\ngroups by law enforcement and the legal pursuit of ransomware affiliates and criminal marketplaces like\r\nBreachForums could have created an air of mistrust and fear among cybercrime threat actors.\r\nNew Kids on the Block\r\nWith the departure of various ransomware threat actors, other groups have moved to fill in the void so far in 2024.\r\nHere’s a quick look at some of the emerging ransomware groups Unit 42 has been tracking in 2024 that may have\r\nhit your radar based on recent events.\r\nGroups discussed in this section include:\r\nSpoiled Scorpius (Distributors of RansomHub)\r\nSlippery Scorpius (Distributors of DragonForce)\r\nBurning Scorpius (Distributors of LukaLocker)\r\nAlpha/MyData ransomware\r\nTrisec ransomware\r\nDoNex ransomware\r\nQuilong ransomware\r\nBlackout ransomware\r\nSpoiled Scorpius (Distributors of RansomHub)\r\nSpoiled Scorpius is 
the name we use for the group behind RansomHub, a RaaS first announced in February 2024\r\non the Russian Anonymous Market Place (RAMP) cybercrime forum from an account named koley. This group is\r\nlargely opportunistic, but it prohibits attacks on entities in Cuba, China, North Korea and Russian territories. It\r\nalso prohibits targeting non-profit organizations. Spoiled Scorpius is known to recruit affiliates from RAMP\r\nForum and advertises a payout of 90% to affiliates with the group claiming the remaining 10%.\r\nThrough Unit 42 Incident Response engagements, we have observed a chain of events that indicates this group\r\nachieves initial victim access via SocGholish malware delivered through search engine optimization (SEO)\r\npoisoning. We assess the group behind SocGholish sold victim access from their infections to Spoiled Scorpius\r\naffiliates who deployed the ransomware. We also found evidence that Spoiled Scorpius used its access to victim\r\nsystems to delete backups from both on-premises and cloud storage.\r\nRansomHub ransomware is written in Golang and C++. Spoiled Scorpius has used distributed denial of service\r\n(DDoS) attacks or exploited vulnerabilities such as CVE-2020-1472 to breach its victims. The group also cold\r\ncalls victims to further exert pressure on them to pay the ransom.\r\nA June 2024 article states a connection between RansomHub and a previous RaaS first observed in 2023 called\r\nKnight (Cyclops). Spoiled Scorpius also appears to have links to Ambitious Scorpius.\r\nSlippery Scorpius (Distributors of DragonForce)\r\nSlippery Scorpius is our name for the group behind DragonForce ransomware. This group was first detected in\r\nNovember 2023. 
Slippery Scorpius gained notoriety in 2024, when this group started extorting victims directly\r\nthrough phone calls and then leaking recorded audio of the conversations.\r\nLike many ransomware groups, Slippery Scorpius performs double extortion, using its leak site to post the stolen\r\ndata of its victims who fail to pay. Due to similarities in their code, DragonForce ransomware appears to be based\r\non the leaked source code of LockBit 3.0.\r\nSlippery Scorpius should not be confused with the Malaysia-based hacktivist group named DragonForce that\r\nfirst appeared as early as 2021. This DragonForce hacktivist group does not appear to be related to DragonForce\r\nransomware.\r\nBurning Scorpius (Distributors of LukaLocker)\r\nOriginally nicknamed Volcano Demon, the group we track as Burning Scorpius is behind new ransomware named\r\nLukaLocker. This ransomware has encrypted both Windows and Linux systems since June 2024.\r\nUnlike other ransomware groups, Burning Scorpius does not host a leak site. Instead, this group contacts\r\nexecutives and IT leadership repeatedly through phone calls with threatening messages to directly extort its\r\nvictims.\r\nOther New Groups\r\nAlpha ransomware, not to be confused with the ALPHV/BlackCat ransomware group, was active as early as May\r\n2023 and its leak site first appeared in January 2024. Since their site uses MYDATA as its title, some have used\r\nMyData as its ransomware name or threat actor identifier. The leak site is reportedly unstable and frequently\r\noffline, indicating this group is relatively new, inexperienced and loosely managed. 
Our leak site data reveals this\r\ngroup has reported nine victims in the first six months of 2024.\r\nThe Trisec ransomware group emerged in February 2024 and claims to be affiliated with the Tunisian government.\r\nThe group specifically stated that it “only hires Tunisian blackhats,” and has advertised for various\r\npositions through its leak site and Telegram channel. The group claims to be both financially motivated and state-sponsored, dabbling in a variety of cybercrime. So far, its victimology appears opportunistic in both industry and\r\nregion.\r\nDoNex ransomware first appeared in March 2024 and its earliest file samples date back to February. It is a new,\r\nfinancially motivated group that has targeted victims in the US and Europe. Avast has developed a decryptor for\r\nvictims to restore their files.\r\nThe Quilong ransomware group claimed to have compromised three plastic surgery centers in Brazil earlier in\r\n2024, as well as a car dealership. They posted some of the alleged stolen data on their leak site, taunting medical\r\nproviders with claims that they had failed to protect their patients.\r\nThe Blackout ransomware group was first active in late February 2024 and initially claimed on their leak site to\r\nhave attacked healthcare entities in Canada, France and Germany. Leak site posts from this group show\r\nsubsequent attacks on a Mexico-based telecommunications company and Croatian targets in the manufacturing\r\nindustry.\r\nRebrands\r\nAfter the exit scam by Ambitious Scorpius, we are keeping an eye out for indicators that this group might be\r\nreturning by rebranding with a different name. 
If so, this group will need a strategy to gain back its affiliates, since\r\nmany have been recruited by other ransomware groups.\r\nLaw enforcement actions we previously mentioned against Flighty Scorpius have led to its decline in 2024.\r\nGovernment agencies took down the ransomware's infrastructure in February 2024 and sanctioned its alleged leader in May 2024.\r\nWe saw only seven verified compromises from its leak site in June, a dramatic drop compared to previous months.\r\nAs a way to revive its operations, this group could rebrand as new ransomware. While rebranding remains a\r\npossibility for Flighty Scorpius, the previous success of LockBit ransomware has already led other groups to\r\ncreate their own ransomware based on its codebase.\r\nFor example, new ransomware named Brain Cipher emerged in June 2024, and research has shown it is based on\r\nLockBit 3.0 code. We analyzed a Brain Cipher sample used in an attack against an Indonesian target, and our\r\nexisting LockBit 3.0 prevention and detection signatures also worked on this sample.\r\nIndustries and Regions Impacted\r\nWhile ransomware targeting remains largely opportunistic, industries like manufacturing remain highly\r\nsusceptible to these types of attacks. As in 2023, manufacturing continues to be the sector most impacted by\r\nransomware. At 289 compromises, 16.4% of all ransomware attacks during 1H24 affected manufacturing\r\norganizations.\r\nHealthcare was the second most impacted industry in 1H24, rising from sixth place in 2023. Like with\r\nmanufacturing, healthcare is very sensitive to disruptions. It also depends on a wide range of technologies and\r\ndevices that can be hard to catalog and protect.\r\nConstruction is the third most impacted industry in 1H24. 
About 9.4% of all compromises affected organizations\r\ninvolved in construction.\r\nFigure 3 shows a bar graph representing the industries most affected by ransomware attacks in the first half of\r\n2024.\r\nFigure 3. Industries affected by ransomware in the first half of 2024.\r\nUnsurprisingly, the U.S. was home to the most victims by far in the first half of 2024. With 917 compromises,\r\norganizations in the U.S. received 52% of total attacks. The remaining top 10 nations where organizations were\r\naffected, in order of impact, were Canada, the U.K., Germany, Italy, France, Spain, Brazil, Australia and Belgium.\r\nBelow, Figure 4 shows the breakdown.\r\nFigure 4. Nations where organizations were affected by ransomware in the first half of 2024.\r\nThe Data and Where It Comes From\r\nAnalysis and information for this article is primarily based on publicly reported information and data from\r\nransomware leak sites.\r\nOur team monitors data from these sites that are often accessible through the dark web. We reviewed and\r\ncompiled compromise announcements from 53 sites in the first half of 2024 to identify trends in the ransomware\r\nlandscape. We also leveraged our firsthand experience with these groups through Unit 42 Incident Response\r\nengagements to develop our understanding of their tools and techniques within victim networks.\r\nSince most ransomware groups now commonly use leak sites to pressure victims, researchers often use this data to\r\nidentify trends and levels of ransomware activity for threat actors. However, defenders and researchers should use\r\nleak site data with caution as it might not always provide an accurate picture.\r\nThreat actors will often omit victims who pay quickly from a group’s leak site. 
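The headline numbers in this article (posts per month, posts per week, the share taken by the most active groups, the year-over-year change) come from tallying leak site posts, and the caveats in this section decide what gets counted. The Python below is an added worked example written for this page; it is not Unit 42 code and does not use their data set. The posts it tallies are constructed for illustration (the site names are ones discussed above, the victim names are invented), and its repost rule, collapsing posts that name the same normalized victim on the same site, is this example's own assumption rather than the method the article used.

```python
# Added example (not Unit 42 code): tally dedicated-leak-site posts the way
# the article's headline figures are built, after collapsing reposts.
from collections import Counter
from datetime import date

# Reporting window used throughout the article (1H24).
H1_2024_START = date(2024, 1, 1)
H1_2024_END = date(2024, 6, 30)

# Constructed sample posts: (leak site / group, victim name as posted, post date).
# Site names are ones the article discusses; the victims are invented.
SAMPLE_POSTS = [
    ('LockBit', 'Acme Manufacturing Inc.', date(2024, 1, 9)),
    ('8Base', 'Contoso Ltd', date(2024, 1, 20)),
    ('Qilin', 'Fabrikam Construction', date(2024, 2, 3)),
    ('LockBit', 'Northwind Traders', date(2024, 2, 14)),
    ('LockBit', 'ACME MANUFACTURING', date(2024, 3, 2)),      # old victim reposted
    ('Black Basta', 'Woodgrove Health', date(2024, 3, 15)),
    ('8Base', 'Tailspin Toys', date(2024, 3, 28)),
    ('RansomHub', 'Contoso, Ltd.', date(2024, 4, 5)),        # same victim, different site
    ('Medusa', 'Litware Inc', date(2024, 5, 11)),
    ('LockBit', 'Acme Manufacturing Inc', date(2024, 6, 1)),  # reposted again
]

# Corporate suffixes ignored when matching victim names (assumed list).
SUFFIXES = {'inc', 'llc', 'ltd', 'corp', 'corporation', 'co', 'gmbh', 'plc', 'sa'}


def normalize_victim(name):
    # Lower-case, turn punctuation into spaces, drop corporate suffixes.
    cleaned = ''.join(ch if ch.isalnum() else ' ' for ch in name.lower())
    return ' '.join(tok for tok in cleaned.split() if tok not in SUFFIXES)


def dedupe_posts(posts):
    # Keep the earliest post per (site, normalized victim). A victim posted by
    # two different sites is kept twice: each site made its own announcement.
    seen = set()
    kept = []
    for group, victim, posted in sorted(posts, key=lambda p: p[2]):
        key = (group, normalize_victim(victim))
        if key in seen:
            continue
        seen.add(key)
        kept.append((group, victim, posted))
    return kept


def monthly_counts(posts):
    # Posts per calendar month, keyed YYYY-MM, as in the article's Figure 1.
    counts = Counter(posted.strftime('%Y-%m') for _g, _v, posted in posts)
    return dict(sorted(counts.items()))


def top_group_share(posts, top_n):
    # Most active sites and the fraction of all posts they account for.
    by_group = Counter(group for group, _v, _d in posts)
    top = by_group.most_common(top_n)
    covered = sum(count for _g, count in top)
    return top, (covered / len(posts)) if posts else 0.0


def posts_per_week(total, start, end):
    # Average weekly rate over an inclusive date range.
    return total / (((end - start).days + 1) / 7)


def yoy_change(current, previous):
    # Percentage change between two comparable periods (e.g. 1H23 to 1H24).
    return (current - previous) / previous * 100


def summarize(posts, start, end, top_n=2):
    deduped = dedupe_posts(posts)
    top, share = top_group_share(deduped, top_n)
    return {
        'raw_posts': len(posts),
        'deduped_posts': len(deduped),
        'per_month': monthly_counts(deduped),
        'per_week': posts_per_week(len(deduped), start, end),
        'top_groups': top,
        'top_share': share,
    }


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_POSTS, H1_2024_START, H1_2024_END).items():
        print(key, value)
    # The article's own totals run through the same helpers: 1,762 posts over
    # the 26 weeks of 1H24, compared with 1,688 posts in 1H23.
    print('1H24 posts per week', round(posts_per_week(1762, H1_2024_START, H1_2024_END), 1))
    print('YoY change percent', round(yoy_change(1762, 1688), 2))
```

Run as a script it prints the tallies for the sample and then pushes the article's own totals through the same helpers (1,762 posts over the 26 weeks of 1H24 against 1,688 in 1H23). The repost rule is deliberately narrow: it only collapses a repeat by the same site, so a victim claimed on two sites is counted twice, and nothing in a tally like this can recover the victims a site chose never to post.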
Additionally, threat actors will\r\nfrequently misrepresent the source of the data on the group’s leak site.\r\nDespite these drawbacks, this data provides valuable information on trends, newcomers and threat groups that\r\nhave disappeared from the threat landscape.\r\nConclusion\r\nThis article reviewed trends and significant events for ransomware in the first half of 2024. We derived these trends\r\nfrom compromises reported in ransomware leak site posts.\r\nWhile leak site data indicates that manufacturing remained the most affected sector, healthcare jumped to second\r\nplace, with high-profile attacks grabbing headlines during the first six months of 2024. Overall, the majority of\r\norganizations impacted by ransomware were based in the U.S.\r\nEven with law enforcement's best efforts to dismantle and stamp out the most prolific ransomware threat actors,\r\nplenty of highly skilled and motivated groups are waiting, willing to step in and fill the void. The success and\r\nsubsequent explosion of ransomware in the past few years have led to an ever-increasing pool of individuals and\r\ngroups gambling for their chance at fame and fortune.\r\nPalo Alto Networks customers are better protected from ransomware threats through Network Security solutions,\r\nPrisma Cloud offerings and Cortex line of products.\r\nIn particular, our Next-Generation Firewall with Cloud-Delivered Security Services like:\r\nAdvanced URL Filtering and Advanced DNS Security can block malicious URLs and domains associated\r\nwith ransomware.\r\nAdvanced Threat Prevention can block ransomware threats at both the network and application layers,\r\nincluding port scans, buffer overflows and remote code execution.\r\nOur Cortex protections include Cortex Xpanse, which detects vulnerable services exposed directly to the internet\r\nthat might be exploitable and infected by ransomware. 
Through Cortex XDR and XSIAM, all known ransomware\r\nsamples are prevented by the XDR agent out of the box using the following endpoint protection modules:\r\nThe Anti-Ransomware module to prevent encryption behaviors on systems running Microsoft Windows or\r\nmacOS.\r\nThe Local Analysis module will detect ransomware binaries on Windows, macOS and Linux.\r\nXDR also includes protection capabilities like Behavioral Threat Protection (BTP) which helps prevent\r\nransomware activity on Windows, macOS and Linux.\r\nPalo Alto Networks’ Cloud Security Agent (CSA) leverages XSIAM to provide cloud-based detection and\r\nmonitoring capabilities to both Cortex and Prisma Cloud cloud agents.\r\nOur cloud-based security solutions also help protect virtual machines running in cloud environments.\r\nWe frequently update machine learning models and analysis techniques in Advanced WildFire with information\r\ndiscovered from our day-to-day research on ransomware.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nAdditional Resources\r\nRansomHub. 
Because every abandoned affiliate needs a home - Barracuda\r\nGhostLocker: The New Ransomware On The Block - Cyberint\r\nLOCKBIT Black’s Legacy: Unraveling the DragonForce Ransomware Connection - Cyble\r\nDragonForce Ransomware Group Posts Audio of Conversations with Victims - Datarecovery.com\r\nDecrypted: DoNex Ransomware and its Predecessors - Avast\r\nAssessing the Disruptions of Ransomware Gangs - Intel471\r\nFla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider -\r\nKrebs on Security\r\nExposing Alpha Ransomware: A Deep Dive into Its Operations - Netenrich\r\nRansomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day - Symantec Threat\r\nIntelligence\r\nRansomHub: New Ransomware has Origins in Older Knight - Symantec Threat Intelligence\r\nBreachForums Down, Official Telegram Channels Deleted and Database Potentially Leaked - The Cyber\r\nExpress\r\nBreachForums Returns With a New Owner After ShinyHunters Retires - The Cyber Express\r\nFBI Seizes BreachForums Again, Urges Users to Report Criminal Activity - The Hacker News\r\nU.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain - The Hacker News\r\nRoad to redemption: GhostSec's hacktivists went to the dark side. Now they want to come back. 
- The\r\nRecord\r\nThreat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709) - Palo\r\nAlto Networks Unit 42\r\nFast Flux 101: How Cybercriminals Improve the Resilience of Their Infrastructure to Evade Detection and\r\nLaw Enforcement Takedowns - Palo Alto Networks Unit 42\r\nRansomware Retrospective 2024: Unit 42 Leak Site Analysis - Palo Alto Networks Unit 42\r\nBlackCat (ALPHV) ransomware linked to BlackMatter, DarkSide gangs - Bleeping Computer\r\nBlackCat ransomware shuts down in exit scam, blames the \"feds\" - Bleeping Computer\r\nLockBit ransomware now poaching BlackCat, NoEscape affiliates - Bleeping Computer\r\nNew Hunters International ransomware possible rebrand of Hive - Bleeping Computer\r\nCybersecurity Advisory: Scattered Spider - US Cybersecurity and Infrastructure Security Agency (CISA)\r\nTrisec: A New Ransomware Actor - Clipeus Intelligence\r\nLockBit’s Claimed Hack on US Federal Reserve Turns Out to Be a Publicity Stunt; Stolen Data Came\r\nFrom Just One US Bank - CPO Magazine\r\nBreachForums seized by law enforcement, admin Baphomet arrested - CSO Online\r\nTriangulating Trisec, a newly emerged ransomware gang - CyberDaily.au\r\nThe Rise and Fall of BreachForums... For Now? 
- DarkOwl\r\nHunters International Cyberattackers Take Over Hive Ransomware - DarkReading\r\nLeak Site BreachForums Springs Back to Life Weeks After FBI Takedown - DarkReading\r\nRansomHub Actors Exploit ZeroLogon Vuln in Recent Ransomware Attacks - DarkReading\r\nOut-of-bound Write in sslvpnd - FortiGuard Labs\r\nRansomware Roundup - KageNoHitobito and DoNex - FortiGuard Labs Threat Research\r\nGRIT Ransomware Report: February 2024 - GuidePoint Security\r\nHalcyon Identifies New Ransomware Operator Volcano Demon Serving Up LukaLocker - Halcyon\r\nHC3: Threat Profile: Black Basta [PDF] - US Department of Health and Human Services\r\nHC3: Threat Profile: Qilin, aka Agenda Ransomware [PDF] - US Department of Health and Human\r\nServices\r\nUpdate: CVE-2024-4577 quickly weaponized to distribute \"TellYouThePass\" Ransomware - Imperva\r\nLockBit Scrambles After Takedown, Repopulates Leak Site with Old Breaches - Infosecurity Magazine\r\nJustice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant - US Department of Justice\r\nU.S. and U.K. Disrupt LockBit Ransomware Variant - US Department of Justice\r\nThe Looming Shadow: Ransomware Threats in the Manufacturing Sector - L2L\r\nLockBit leader unmasked and sanctioned - UK National Crime Agency (NCA)\r\nBrain Cipher Ransomware: In-Depth Analysis, Detection, and Mitigation - SentinelOne\r\nLockbit Ransomware Administrator Dmitry Yuryevich Khoroshev - US State Department\r\nCops cuff 22-year-old Brit suspected of being Scattered Spider leader - The Register\r\nUpdated August 13, 2024, at 8:40 a.m. PT to update Figure 2 image and caption.\r\nSource: https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/"
	],
	"report_names": [
		"unit-42-ransomware-leak-site-data-analysis"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93b7776d-9b37-496d-94a5-30bc36fd8800",
			"created_at": "2023-11-07T02:00:07.10019Z",
			"updated_at": "2026-04-10T02:00:03.407781Z",
			"deleted_at": null,
			"main_name": "GhostSec",
			"aliases": [
				"Ghost Security"
			],
			"source_name": "MISPGALAXY:GhostSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb01bdec-5c18-4479-b343-cf58076dacf1",
			"created_at": "2024-08-10T02:02:56.273673Z",
			"updated_at": "2026-04-10T02:00:03.773129Z",
			"deleted_at": null,
			"main_name": "GOLD CRESCENT",
			"aliases": [
				"Hunters International",
				"World Leaks"
			],
			"source_name": "Secureworks:GOLD CRESCENT",
			"tools": [
				"Hunters International",
				"SharpRhino"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63f532e6-4b4a-4f17-bbff-8517f0dd1868",
			"created_at": "2024-01-09T02:00:04.192588Z",
			"updated_at": "2026-04-10T02:00:03.507424Z",
			"deleted_at": null,
			"main_name": "KelvinSecurity",
			"aliases": [],
			"source_name": "MISPGALAXY:KelvinSecurity",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c936440-1695-4b9d-88c1-32ab6df31d1b",
			"created_at": "2025-03-04T02:00:03.004127Z",
			"updated_at": "2026-04-10T02:00:03.816503Z",
			"deleted_at": null,
			"main_name": "GOLD REBELLION",
			"aliases": [
				"WANDERING SPIDER",
				"White Dev 115",
				"Dark Scorpius"
			],
			"source_name": "MISPGALAXY:GOLD REBELLION",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434242,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc939abe2f513d9d630801fdeb97176826850dd0.pdf",
		"text": "https://archive.orkl.eu/dc939abe2f513d9d630801fdeb97176826850dd0.txt",
		"img": "https://archive.orkl.eu/dc939abe2f513d9d630801fdeb97176826850dd0.jpg"
	}
}