Searchlight Cyber Report Shows 38% YoY Increase in Active Dark Web Ransomware Groups

New entrants dominate this year’s top five most prolific ransomware groups

Searchlight Cyber Report Shows 38% YoY Increase in Active Dark Web Ransomware Groups

George Webb
Brands2Life
searchlightcyber@brands2life.com

Searchlight Cyber, the Continuous Threat Exposure Management company, has released its annual report on ransomware trends from the dark web, “Same Game, New Players: Ransomware in 2025”. This year’s report tracks disruption to the “key players” in the ransomware landscape, an uptick in new ransomware groups operating on the dark web, and an increase in listed ransomware victims.

Key findings of the report include:

A total of 94 ransomware groups listed victims in 2024 (a 38 percent increase on 2023) with 49 new groups observed, reflecting further complexity in the ransomware landscape.
There was an 11 percent increase in the number of total victims posted on ransomware leak sites in 2024 (5,728) compared to 2023 (5,081).
RansomHub has replaced LockBit as #1 ransomware group, after the law enforcement disruption of Operation Cronos halved LockBit’s victim output last year.

The five most prolific ransomware groups of 2024 were RansomHub, LockBit, Play, Akira and Hunters International, which represents a major change in the ransomware landscape. Of those five, only LockBit has been active for more than three years and RansomHub - the most prolific group of the year - only emerged in February 2024. Meanwhile, major groups such as BlackCat and Cl0p (ranked second and third respectively in 2023) dropped out of the rankings.

The report contains profiles of each of the top five ransomware groups and analysis of the change to the ransomware hierarchy that has taken place over the past 12 months. RansomHub, for example, may be a new ransomware “brand” but - in actual fact - has ties to other groups including Knight, BlackCat, and LockBit. This pedigree, combined with its “affiliate friendly” Ransomware-as-a-Service (RaaS) model, may explain how it has so quickly risen to prominence.

Luke Donovan, Head of Threat Intelligence at Searchlight Cyber, commented: “The major takeaway from this report is that we enter 2025 with a busier and more complex ransomware ecosystem. While we have observed disruption to some of the biggest ransomware groups, there has been an influx in smaller players, which creates challenges for security teams that are constantly trying to assess and prepare for emerging threats.

“In this increasingly busy landscape, it becomes even more vital for organizations to actively apply threat intelligence to inform their defenses. Firstly, to identify commonalities in how these groups operate and prepare for the most common attack techniques. Secondly, to help them narrow down their adversaries to the four or five groups they are most likely to face, based on their activity and victimology.”

Click here to download the full report: Same Game, New Players: Ransomware in 2025

About Searchlight Cyber

Searchlight Cyber provides organizations with relevant and actionable threat intelligence, to help them identify and prevent criminal activity. Originally founded in 2017 with a mission to stop criminals acting with impunity on the dark web, we have been involved in some of the world’s largest dark web investigations and have the most comprehensive dataset based on proprietary techniques and ground-breaking academic research. The company has expanded and evolved, adding external threat management capabilities to create a Continuous Threat Exposure Management platform for organizations. Today we help government and law enforcement, enterprises, and managed security services providers around the world to identify threats and prevent attacks.