5 Upcoming Ransomware Variants and Groups to Watch In 2024 | BlackFog


5 Upcoming Ransomware Variants and Groups to Watch In 2024

Ransomware has continued to evolve with the emergence of new and sophisticated threats. While established groups like LockBit and BlackCat still dominate a significant portion of reported attacks, new players and variants are increasingly making their presence felt.

This article looks into five notable ransomware threats that have surfaced more prominently in 2024: Hunters International, Dark Angels, RansomEXX, DragonForce, and Limpopo. We will explore technical details, tactics, and notable breaches to provide a comprehensive understanding of each threat.

Hunters International: Ransomware Group

Hunters International initially emerged in late 2023 as a new ransomware-as-a-service (RaaS) group, built on the foundation of the notorious Hive ransomware’s source code. While the group claims to have improved upon Hive’s encryption logic, fixing issues that sometimes prevented file decryption, they maintain that they are not simply a rebrand of Hive.

The ransomware, written in Rust, uses a hybrid scheme combining the AES and RSA ciphers. It requires specific command-line arguments to execute, including a username and password, which gives the operators an extra layer of control over who can run the payload and also frustrates automated sandbox analysis, which typically detonates a binary without arguments.

Hunters International’s tactics include preventing backup and recovery, terminating processes and services, and encrypting files across the victim’s system.

One of the group’s notable technical advancements is the use of the AES-NI hardware instruction set for encryption, including AESKEYGENASSIST, AESIMC, AESENC, and AESENCLAST. Offloading the cipher rounds to the CPU speeds up encryption considerably, which matters to an attacker because a faster run shrinks the window in which an endpoint agent can spot and interrupt it.

Additionally, the ransomware employs a free space eraser function, which writes random data over any remaining free disk space. This defeats forensic carving of deleted originals and shadow copies, although the sustained write I/O it generates is itself a detection opportunity. Hunters International operates a data leak site where they list victims, categorize stolen data, and sometimes provide proof of compromise.

Dark Angels: Ransomware Group

The Dark Angels ransomware group made headlines in early 2024 when they reportedly received a staggering $75 million ransom payment from an unnamed Fortune 50 company. This payment, if confirmed, would mark the highest known ransom ever paid, significantly surpassing the previous record of $40 million.

Dark Angels emerged around May 2022 and has since been associated with several high-profile attacks. The group is known for its data leak site called Dunghill, where they publish stolen information to pressure victims into paying. Their tactics typically involve a highly targeted approach, focusing on a single large company at a time, which contrasts with the more widespread attacks of other ransomware groups.

One of the group’s most notable alleged victims was Johnson Controls, from which Dark Angels claimed to have stolen 27 TB of data and demanded a $51 million ransom. The group’s technical capabilities appear to be significant, as they often manage to exfiltrate vast amounts of sensitive information before deploying their encryption payload.

Dark Angels’ ransomware is reportedly based on the leaked LockBit 3.0 builder code, which became available after a disgruntled LockBit developer released it in September 2022. This highlights a growing trend in the ransomware ecosystem, where new groups can quickly emerge by leveraging existing ransomware frameworks.

RansomEXX: Ransomware Variant

RansomEXX, first observed in 2018 but gaining prominence in 2024, is a ransomware variant known for its targeted attacks on high-profile organizations. The group operates on a RaaS model, allowing its infection chain to vary depending on the specific affiliate carrying out the attack.

RansomEXX’s technical sophistication is evident in its use of multiple malware tools for initial access and lateral movement. The group has been observed using IcedID, TrickBot, Cobalt Strike beacons, and PyXie RAT in their attacks. These tools provide a range of capabilities, from data exfiltration to credential harvesting.

One of RansomEXX’s notable tactics is its use of legitimate Windows tools and “living off the land” techniques. The group frequently leverages PsExec, PowerShell, and WMI for various stages of their attacks, making detection more challenging because the same binaries are used every day by administrators. Additionally, RansomEXX has been known to use post-exploitation tools like Mimikatz and LaZagne to extract credentials from target machines.
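Because the tooling above is either legitimate (PsExec, PowerShell, WMI) or easily renamed (Mimikatz, LaZagne), detection has to key on behaviour rather than file names. The following is an added example, not code from BlackFog or from any of the groups described here: a small rule set run over constructed, Sysmon-style key=value events (sample records written for this illustration, not logs from a real incident) that flags the PsExec service install, WMI-spawned processes, encoded PowerShell, Mimikatz module syntax, LaZagne execution, and LSASS handle access from outside the Windows directory, then groups the hits per host so that several weak signals on one machine stand out.

```python
import re

# Constructed sample events in a simplified Sysmon-style "key=value" format.
# These are illustrative records for this example, not logs from any real incident.
SAMPLE_EVENTS = [
    "EventID=1 Host=WS01 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe CommandLine=svchost.exe -k netsvcs",
    "EventID=7045 Host=FS02 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "EventID=1 Host=FS02 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe CommandLine=powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA",
    "EventID=1 Host=DC01 Image=C:\\Users\\Public\\m.exe ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=m.exe privilege::debug sekurlsa::logonpasswords exit",
    "EventID=1 Host=DC01 Image=C:\\Temp\\laZagne.exe ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=laZagne.exe all",
    "EventID=10 Host=DC01 SourceImage=C:\\Users\\Public\\m.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=1 Host=WS01 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine=notepad.exe notes.txt",
]


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict. Values may contain spaces (CommandLine),
    so we split only on whitespace that is followed by another key=."""
    fields = {}
    for token in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def _cmd(e: dict) -> str:
    return e.get("CommandLine", "")


# Each rule: (name, predicate over the parsed event). Names are ours, chosen for this example.
RULES = [
    ("psexec_service_install",
     lambda e: e.get("EventID") == "7045" and "PSEXESVC" in e.get("ServiceName", "").upper()),
    ("wmi_spawned_process",
     lambda e: e.get("EventID") == "1" and e.get("ParentImage", "").lower().endswith("\\wmiprvse.exe")),
    ("encoded_powershell",
     lambda e: e.get("EventID") == "1" and "powershell" in e.get("Image", "").lower()
     and re.search(r"-e(nc(odedcommand)?)?\s", _cmd(e), re.I) is not None),
    ("mimikatz_module_syntax",
     lambda e: e.get("EventID") == "1"
     and re.search(r"\b(sekurlsa|lsadump|privilege|kerberos)::", _cmd(e), re.I) is not None),
    ("lazagne_execution",
     lambda e: e.get("EventID") == "1" and "lazagne" in (e.get("Image", "") + _cmd(e)).lower()),
    ("lsass_access_from_user_path",
     lambda e: e.get("EventID") == "10" and e.get("TargetImage", "").lower().endswith("\\lsass.exe")
     and not e.get("SourceImage", "").lower().startswith("c:\\windows\\")),
]


def detect(lines) -> list:
    """Return one finding per (event, matching rule), preserving input order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for name, predicate in RULES:
            if predicate(event):
                findings.append({"rule": name, "host": event.get("Host", "?"), "event": line})
    return findings


def score_hosts(findings) -> dict:
    """Group distinct rule hits per host; a host with several is a strong lead for triage."""
    hosts = {}
    for f in findings:
        hosts.setdefault(f["host"], set()).add(f["rule"])
    return hosts


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f['host']}] {f['rule']}: {f['event'][:80]}")
    for host, rules in sorted(score_hosts(hits).items()):
        print(f"{host}: {len(rules)} distinct signals -> {sorted(rules)}")
```

Run as-is and the benign svchost and notepad events on WS01 produce nothing, while FS02 and DC01 each accumulate three distinct signals. In production the same rules would be expressed in the SIEM's query language and tuned against the environment's real administrative tooling, since PsExec and WMI-spawned PowerShell are common in legitimate deployment scripts.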

The ransomware itself employs a combination of AES and RSA encryption. File contents are encrypted with a symmetric AES key, and that key is in turn encrypted with an RSA public key controlled by the attackers, so the only way to recover the AES key, and therefore the files, is with the RSA private key that never leaves the attackers’ hands.

DragonForce: Ransomware Group

DragonForce is a relatively new ransomware group that gained notoriety in late 2023 and early 2024 through a series of high-profile attacks. The group employs double extortion tactics, both encrypting victims’ data and threatening to release stolen information on the dark web.

One of DragonForce’s earliest known attacks was against the Ohio Lottery in December 2023, where they claimed to have stolen over 600 GB of data, including approximately 1.5 million employee and customer records. The group has also targeted other notable organizations, including Yakult Australia (95.19 GB of data breached) and Coca-Cola in Singapore (413.92 GB).

In March 2024, DragonForce was implicated in an attack on the government of Palau, alongside the LockBit ransomware group. This incident highlighted the group’s global reach and willingness to target government entities. Interestingly, DragonForce has recently been reported to publish audio recordings of negotiations with victims on their leak site, a unique tactic aimed at increasing pressure on targets to pay.

Technically, DragonForce’s ransomware is believed to be based on the leaked LockBit 3.0 builder code, similar to Dark Angels. This commonality in malware lineage demonstrates how quickly new threats can emerge from leaked or shared source code in the cybercriminal ecosystem.

Limpopo: Ransomware Variant

Limpopo represents a different kind of threat in the ransomware landscape. Rather than being a specific group, Limpopo is a ransomware variant designed to target VMware ESXi environments, highlighting the growing trend of ransomware attacks focusing on virtualized infrastructure.

First observed in early 2024, Limpopo is part of a family of ESXi-focused ransomware variants that includes other strains like Akgum, Aktakyr, Bulanyk, Formosa, Hatartam, Monjukly, Sakgar, and Sazanda. These variants share similar characteristics and may be related or derived from the same source.

Limpopo’s infection vector is believed to exploit vulnerabilities in VMware ESXi, Workstation, and Fusion. Specifically, it has been associated with CVE-2024-22252 and CVE-2024-22253, use-after-free bugs in the virtual USB controllers that VMware patched in March 2024. Both are guest-to-host escapes: an attacker with administrative privileges inside a virtual machine can execute code in the VMX process on the host, so the attacker needs an initial foothold in a guest rather than remote access to the hypervisor. This highlights the importance of timely patching in virtualized environments.

The ransomware’s technical details are somewhat limited, but it’s known to drop a ransom note directing victims to communicate with the attackers via the Session messaging app. The note typically includes a unique code (in this case, “LIMPOPO”) to identify the victim.

Limpopo and its related variants represent a significant threat to organizations heavily reliant on virtualized infrastructure. The ability to target ESXi hosts potentially allows attackers to encrypt large numbers of virtual machines in a single attack, magnifying the impact and potential for disruption.

Prevent Ransomware With BlackFog ADX

BlackFog offers a solution that uses ADX technology to stop data exfiltration. With no need for human intervention, this next-generation cybersecurity solution is made to assist organizations in defending themselves against extortion and ransomware attacks around the clock.

Act now to protect your most valuable assets rather than waiting for the next wave of ransomware attacks.

Find out how our products can improve your cybersecurity defenses and stop ransomware attacks.
