GRIT’s 2025 Report: Ransomware Group Dynamics and Case Studies
Ransomware threats continue to evolve, with the most successful groups refining their tactics over the last year to maximize impact. Understanding the operational dynamics of these groups is critical for defenders aiming to stay ahead of threats. By analyzing their tactics, techniques, and procedures (TTPs), organizations can better anticipate attacks and implement proactive defenses. In this blog, we examine the rise of RansomHub, the shifting strategy of LockBit, and the focused operations of Play. We’ll also look at the case studies of Qilin and BlackSuit to extract valuable lessons for security teams.
Group Highlights:
RansomHub
RansomHub has rapidly expanded its footprint in 2024, capitalizing on affiliate-driven attacks. Unlike more traditional ransomware-as-a-service (RaaS) operations, RansomHub has focused on targeted campaigns against high-value organizations. Their increasing operational tempo suggests a well-funded and coordinated effort, leveraging initial access brokers (IABs) to penetrate environments efficiently.
LockBit
LockBit entered 2024 as one of the most dominant ransomware groups, known for its adaptability. However, international sanctions and coordinated law enforcement efforts have significantly disrupted its operations. While the group demonstrated resilience early in the year, later months saw a decline in affiliates and infrastructure disruptions that weakened its reach. This showcases how external pressures can limit ransomware proliferation.
Play
Unlike some high-profile groups, Play has maintained a consistent yet relatively low-profile operational strategy. Play has remained effective by focusing on specific industries and leveraging stealthy attack techniques while avoiding the spotlight. Their campaigns emphasize the importance of monitoring emerging threats that may not generate as much mainstream visibility but still pose significant risks.
Case Studies:
Qilin
Qilin has demonstrated a sophisticated approach to evading detection, leveraging advanced obfuscation techniques and modular payloads. Security teams tracking Qilin’s activities have observed an emphasis on stealth, making detection more challenging. The key takeaway is the necessity of robust endpoint detection and response (EDR) solutions combined with proactive threat hunting.
BlackSuit
BlackSuit has expanded its operations, moving beyond traditional ransomware tactics to incorporate extortion-based models. By exfiltrating sensitive data before encryption, they pressure victims into compliance, making data recovery alone an insufficient defense. Organizations must prioritize data security strategies that include robust backup solutions and encryption.
Lessons Learned:
Trends in Ransomware Operations:
The rapid evolution of the ransomware landscape underscores the importance of understanding group dynamics and adapting defenses accordingly.
Tailored Defenses Against Post-Compromise Tactics:
Since ransomware actors frequently leverage compromised credentials, multi-layered defenses, including MFA and lateral movement detection, are critical in mitigating risk.
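The lateral movement detection mentioned above is easiest to understand as a concrete rule. The following is an added example written for this post, not code from GRIT or from the report: it parses constructed, simplified Windows logon records (modelled on Event ID 4624, restricted to network and RDP logon types) and raises an alert when one account authenticates to an unusually large number of distinct hosts within a short window, the fan-out pattern that typically follows credential compromise. The log line format, host names, IPs and the threshold/window values are all assumptions chosen for the demonstration and should be tuned to a real environment's baseline.

```python
"""Fan-out lateral-movement heuristic over constructed logon events (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). The layout loosely mirrors
# Windows Security Event 4624; LogonType 3 = network, 10 = RemoteInteractive (RDP).
SAMPLE_LOG = [
    "2024-06-01T02:10:05 EventID=4624 User=svc_backup SrcIP=10.0.5.21 Host=FS01 LogonType=3",
    "2024-06-01T02:30:11 EventID=4624 User=svc_backup SrcIP=10.0.5.21 Host=FS02 LogonType=3",
    "2024-06-01T03:01:44 EventID=4624 User=jdoe SrcIP=10.0.9.77 Host=WS-ACCT-07 LogonType=2",  # local console logon, ignored
    "2024-06-01T03:02:10 EventID=4624 User=jdoe SrcIP=10.0.9.77 Host=FS01 LogonType=3",
    "2024-06-01T03:02:31 EventID=4624 User=jdoe SrcIP=10.0.9.77 Host=FS02 LogonType=3",
    "2024-06-01T03:03:05 EventID=4624 User=jdoe SrcIP=10.0.9.77 Host=DC01 LogonType=3",
    "2024-06-01T03:03:40 EventID=4624 User=jdoe SrcIP=10.0.9.77 Host=SQL01 LogonType=3",
    "2024-06-01T03:04:02 EventID=4624 User=jdoe SrcIP=10.0.9.77 Host=FS01 LogonType=3",  # repeat host, must not inflate the count
    "2024-06-01T03:05:27 EventID=4624 User=jdoe SrcIP=10.0.9.77 Host=BACKUP01 LogonType=10",
    # A legitimate admin touching five hosts spread over two hours: same host count, very different tempo.
    "2024-06-01T09:00:00 EventID=4624 User=admin SrcIP=10.0.1.5 Host=FS01 LogonType=3",
    "2024-06-01T09:30:00 EventID=4624 User=admin SrcIP=10.0.1.5 Host=FS02 LogonType=3",
    "2024-06-01T10:00:00 EventID=4624 User=admin SrcIP=10.0.1.5 Host=DC01 LogonType=3",
    "2024-06-01T10:30:00 EventID=4624 User=admin SrcIP=10.0.1.5 Host=SQL01 LogonType=3",
    "2024-06-01T11:00:00 EventID=4624 User=admin SrcIP=10.0.1.5 Host=BACKUP01 LogonType=3",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4624 User=(?P<user>\S+) SrcIP=(?P<src_ip>\S+) "
    r"Host=(?P<host>\S+) LogonType=(?P<lt>\d+)$"
)

# Only remote logon types are relevant for host-to-host movement.
REMOTE_LOGON_TYPES = {3, 10}


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it is not a remote logon."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    logon_type = int(m.group("lt"))
    if logon_type not in REMOTE_LOGON_TYPES:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "user": m.group("user"),
        "src_ip": m.group("src_ip"),
        "dst_host": m.group("host"),
        "logon_type": logon_type,
    }


def detect_fan_out(events, window_minutes=10, threshold=5):
    """Alert when a single account reaches >= threshold distinct hosts inside a sliding time window.

    Uses a two-pointer sliding window per user with a Counter of hosts, so repeated
    logons to the same host are counted once. Returns at most one alert per user.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        host_counts = Counter()
        left = 0
        for right, e in enumerate(evs):
            host_counts[e["dst_host"]] += 1
            # Drop events that fell out of the window.
            while evs[right]["ts"] - evs[left]["ts"] > window:
                old = evs[left]["dst_host"]
                host_counts[old] -= 1
                if host_counts[old] == 0:
                    del host_counts[old]
                left += 1
            if len(host_counts) >= threshold:
                alerts.append({
                    "user": user,
                    "hosts": sorted(host_counts),
                    "source_ips": sorted({x["src_ip"] for x in evs[left:right + 1]}),
                    "start": evs[left]["ts"].isoformat(),
                    "end": e["ts"].isoformat(),
                })
                break
    return alerts


def analyze(lines, **kwargs):
    """Parse raw lines, discard non-remote logons, and run the fan-out heuristic."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return detect_fan_out(events, **kwargs)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

With the default ten-minute window only the `jdoe` burst fires; the admin account reaches the same five hosts but over two hours, which is why the window matters as much as the host threshold. In practice the threshold should be derived from each account's historical host count, service accounts need their own baselines, and the alert is far more useful when enriched with whether the session was MFA-backed, since a burst of non-MFA network logons from a workstation IP is exactly the post-compromise pattern the lesson above describes.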
Tracking ransomware groups is essential for strengthening organizational security. By analyzing the strategies of RansomHub, LockBit, and Play, security teams can better prepare for evolving threats. Case studies like Qilin and BlackSuit highlight the necessity of advanced detection and response strategies.
Our team uses various tools and services to effectively track and analyze ransomware threats. Below are the key resources we rely on – all are excellent:
Ransomware Monitoring and Open-Source Resources:
- RansomLook – Great open-source intelligence page for ransomware groups, data leak sites, and claimed victims.
- Ransomware.Live – Similar to RansomLook, with added leaked ransom chats and enrichments.
- Ransomchats – Collection of leaked ransomware negotiation chats (also accessible via Ransomware.Live).
Deep and Dark Web Research:
- Authentic8 Silo Platform – Misattributable browser allowing secure access to adversary infrastructure.
Ransomware Binary Analysis, Ransom Note Comparison, and Attribution:
- VirusTotal – Binary hunting, telemetry information, and community notations.
- ID Ransomware – Compares ransom notes for attribution.
Deep Dive Ransomware Threat Intelligence:
- Recorded Future – Searchable threat intelligence for incident response and CTI, with insights from the Insikt Group, who also publish great big-picture trends analysis.
- Team Cymru Pure Signal Scout and Pure Signal Recon – Unique network telemetry intelligence for identifying adversary infrastructure.
- Cyware Threat Intelligence Platform – “Single-source-of-truth” internally for IOCs and investigation/analysis.
In particular, we would like to call out Recorded Future, Authentic8, Team Cymru, and Cyware from this list, and recommend you spend some time with their resources.
To get more insights and defensive strategies, download the full report here.