Written by: Ekrem Çelik, Cybersecurity Researcher

Welcome to the December 2024 ransomware update, where we highlight the latest trends, threat actors, and developments in the ransomware ecosystem to keep CISOs and third-party risk managers informed and prepared.

The Black Kite Research & Intelligence Team (BRITE) tracked 535 ransomware incidents in December 2024. While it didn’t surpass the record-breaking 595 victims in November, December still proved to be a significant month. Of these incidents, an overwhelming 244 were in the United States and 27 in Canada, highlighting North America’s ongoing struggle as a primary target for ransomware attacks.

Top Threat Actors in December 2024

1. FunkSec Emerges as a Major Player with 87 Victims

December marked a turning point in the ransomware landscape as FunkSec dethroned RansomHub to become the leading threat actor with 87 victims. What makes FunkSec’s rise particularly remarkable is that it is a relatively new group in the ecosystem. Their operations have not been limited to ransomware; the group has been actively selling admin access and super access for various companies, offering a troubling range of services to their buyers. FunkSec primarily targeted the information sector and public administration industries this month, demonstrating a calculated focus on critical and data-heavy sectors. Their rapid ascent highlights their aggressive strategies and growing influence in the ransomware ecosystem.

2. RansomHub Maintains Stability with 57 Victims

After dominating the leaderboard since July, RansomHub dropped to the second spot with 57 victims in December. Despite losing its leadership position, RansomHub maintained its reputation as a consistent player in the ransomware space, continuing to target high-value organizations globally.

Akira Surges with 46 Victims

The Akira group surged to the third position this month with 46 victims, showcasing one of its most active and aggressive months of the year. Akira’s operations this month highlighted their ability to capitalize on vulnerabilities and expand their victim pool, signaling their intent to climb higher in the ransomware hierarchy.

They Hate Being Forgotten: Clop (Cl0p) Is Back Again

The Clop group added a chaotic twist to the month. Exploiting the CLEO vulnerability in December, they initially promised to release victim data “within 48 hours.” Then they postponed to December 30, only to announce they were “taking a holiday break” and would publish data after their return.

In total, Clop announced 66 victims, but BRITE believes the actual number is higher. Their erratic behavior has left many wondering if the group is losing its grip or simply playing for attention. Regardless, Clop’s actions remind us of the unpredictable nature of threat actors and the challenges of staying ahead of them.

One thing is clear: Clop, despite its chaotic actions, refuses to be forgotten and remains a noteworthy player in the ransomware ecosystem.

LockBit 4.0 Introduces RaaS Pricing Model for Just $777

LockBit, once the industry leader, seems to be struggling to reclaim its former prominence. December saw the launch of LockBit 4.0, a move that many interpreted as an attempt to stay relevant. Along with this update, the group introduced a Ransomware-as-a-Service (RaaS) pricing model for just $777, making their tools accessible to smaller players in the ecosystem.

This shift has raised eyebrows across the cybersecurity world. Is it a sign of innovation or desperation? Many believe this move reflects LockBit’s declining influence after facing increased law enforcement pressure and internal challenges.

What stands out most is that LockBit’s struggles highlight a harsh reality: nothing in the ransomware world is unbreakable. Even the strongest groups can fall, showing how unpredictable and tough this space can be.

At the same time, their collapse shows how much it affects the whole ecosystem. It’s also a reminder of how hard it is to keep a group running steadily and stay on top in such a challenging environment.

RaaS Revolutionized Cybercrime in December 2024

The rise of Ransomware-as-a-Service (RaaS) has been one of the defining trends of December.

• LockBit’s pricing model set off a ripple effect, inspiring other groups like FunkSec to adopt similar strategies.
• Smaller threat actors are now able to access sophisticated ransomware tools at lower costs, democratizing cybercrime and complicating defense efforts.

RaaS not only increases the number of attacks but also lowers the barrier for entry, making it easier for less experienced actors to enter the game. This trend, if it continues, could make 2025 an even more challenging year for cybersecurity professionals.

2024: A Record-Breaking Year for Ransomware

2024 was a record-breaking year for ransomware. As groups continue to grow, tactics evolve, and victims are added to the lists, we can expect more records to be set in the coming months.

At Black Kite, the BRITE team remains committed to tracking threat actors in real time, analyzing their movements, and staying aware of emerging threats. As we enter 2025, staying one step ahead has never been more critical.For weekly updates on emerging cyber threats, please follow our Focus Friday blog series and LinkedIn account.

The post Ransomware Review December 2024: FunkSec’s Meteoric Rise and the Growing Threat of RaaS appeared first on Black Kite.

Over 57 distinct threat actors with ties to China, Iran, North Korea, and Russia have been observed using artificial intelligence (AI) technology powered by Google to further enable their malicious cyber and information operations. "Threat actors are experimenting with Gemini to enable their operations, finding productivity gains but not yet developing novel capabilities," Google Threat

Burnout seems certain as CISOs confront budget constraints, a heavy workload and job dissatisfaction.

Security leaders are making inroads with corporate boards and now have a seat at the table with CEOs, a Splunk report shows.

An international law enforcement operation has dismantled the domains associated with various online platforms linked to cybercrime such as Cracked, Nulled, Sellix, and StarkRDP. The effort has targeted the following domains - www.cracked.io www.nulled.to www.mysellix.io www.sellix.io www.starkrdp.io Visitors to these websites are now greeted by a seizure banner that says they were confiscated

Cybersecurity researchers have disclosed a critical security flaw in the Lightning AI Studio development platform that, if successfully exploited, could allow for remote code execution. The vulnerability, rated a CVSS score of 9.4, enables "attackers to potentially execute arbitrary commands with root privileges" by exploiting a hidden URL parameter, application security firm Noma said in a

The job of a SOC analyst has never been easy. Faced with an overwhelming flood of daily alerts, analysts (and sometimes IT teams who are doubling as SecOps) must try and triage thousands of security alerts—often false positives—just to identify a handful of real threats. This relentless, 24/7 work leads to alert fatigue, desensitization, and increased risk of missing critical security incidents.

Buzzy Chinese artificial intelligence (AI) startup DeepSeek, which has had a meteoric rise in popularity in recent days, left one of its databases exposed on the internet, which could have allowed malicious actors to gain access to sensitive data. The ClickHouse database "allows full control over database operations, including the ability to access internal data," Wiz security researcher Gal

Three security flaws have been disclosed in the open-source PHP package Voyager that could be exploited by an attacker to achieve one-click remote code execution on affected instances. "When an authenticated Voyager user clicks on a malicious link, attackers can execute arbitrary code on the server," Sonar researcher Yaniv Nizry said in a write-up published earlier this week. The

A Mirai botnet variant dubbed Aquabot has been observed actively attempting to exploit a medium-severity security flaw impacting Mitel phones in order to ensnare them into a network capable of mounting distributed denial-of-service (DDoS) attacks. The vulnerability in question is CVE-2024-41710 (CVSS score: 6.8), a case of command injection in the boot process that could allow a malicious actor

Telemedicine software has become a game changer in the field of healthcare as it revolutionises the process of patient and provider interaction.

Due to the high demand of telehealth solutions, many companies are coming up with better, effective and secure software that suits the needs of the present medical field.

This article highlights the leading telemedicine software development firms in 2025, demonstrating their skills and offerings.

Researchers say the manufacturer has yet to publicly disclose or patch the flaw.

Unpredictable cloud bills, outdated software licenses and shadow IT frustrate FinOps efforts, according to Apptio.

The company last week confirmed attackers are actively exploiting a critical vulnerability in the devices. 

When malicious hackers exploit vulnerabilities in firewalls, VPNs and routers, it’s not the vendors that get hit — it’s their customers.

The consumer goods company built an in-house solution to keep orders moving as its transportation management system provider navigated a ransomware attack.

The new estimate nearly doubles the company’s previous report of 100 million affected individuals, already the largest healthcare data breach ever reported to federal regulators.

Today’s hyper-connected world demands robust cybersecurity measures. With data breaches and cyber attacks making headlines every day, organisations must stay vigilant against ever-evolving threats. Proactive protection is no longer optional; it’s essential for business continuity.

Email marketing is now a key element of business communication, providing an effective way to engage with audiences and support growth. However, as businesses increasingly depend on email marketing platforms, these tools have become prime targets for cyber attacks.

With threats like phishing and data breaches growing more advanced, strict cybersecurity measures are more important than ever today. To protect the integrity of email marketing campaigns, businesses must not only understand these risks but also implement strong security practices to stay ahead of potential threats.

The North Korean threat actor known as the Lazarus Group has been observed leveraging a "web-based administrative platform" to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns. "Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API," SecurityScorecard's

Curious about the buzz around AI in cybersecurity? Wonder if it's just a shiny new toy in the tech world or a serious game changer? Let's unpack this together in a not-to-be-missed webinar that goes beyond the hype to explore the real impact of AI on cybersecurity. Join Ravid Circus, a seasoned pro in cybersecurity and AI, as we peel back the layers of AI in cybersecurity through a revealing

A team of security researchers from Georgia Institute of Technology and Ruhr University Bochum has demonstrated two new side-channel attacks targeting Apple silicon that could be exploited to leak sensitive information from web browsers like Safari and Google Chrome. The attacks have been codenamed Data Speculation Attacks via Load Address Prediction on Apple Silicon (SLAP) and Breaking the

Ransomware attacks have reached an unprecedented scale in the healthcare sector, exposing vulnerabilities that put millions at risk. Recently, UnitedHealth revealed that 190 million Americans had their personal and healthcare data stolen during the Change Healthcare ransomware attack, a figure that nearly doubles the previously disclosed total.  This breach shows just how deeply ransomware

A critical security flaw has been disclosed in the Cacti open-source network monitoring and fault management framework that could allow an authenticated attacker to achieve remote code execution on susceptible instances. The flaw, tracked as CVE-2025-22604, carries a CVSS score of 9.1 out of a maximum of 10.0. "Due to a flaw in the multi-line SNMP result parser, authenticated users can inject

The advanced persistent threat (APT) group known as UAC-0063 has been observed leveraging legitimate documents obtained by infiltrating one victim to attack another target with the goal of delivering a known malware dubbed HATVIBE. "This research focuses on completing the picture of UAC-0063's operations, particularly documenting their expansion beyond their initial focus on Central Asia,