Ransomware is the most lucrative and successful method devised for monetizing illegal access to computers, and the recently released 2025 ThreatDown State of Malware report reveals that 2024 was the worst year ever for big game ransomware.

In 2024, the number of known attacks increased 13% year-over-year, the largest ever ransomware payment was made when an unknown victim paid $75 million into a crypto-wallet owned by the Dark Angels group, and November 2024 saw the highest number of known attacks ThreatDown analysts have ever recorded.

The increase occurred despite a significant shift in the nature of the groups carrying out ransomware attacks.

Historically, big game ransomware has been the preserve of a few large criminal gangs, with a handful of groups playing a dominant role in the ecosystem. For example, in February 2023, 83% of known ransomware attacks were carried out by the ten most active groups. Among them, LockBit was the 800lb gorilla in the room, accounting for a huge proportion of all attacks.

However, in 2024, LockBit was hobbled by Operation Cronos, a global law enforcement action that permanently damaged the group, and its perennial bridesmaid, ALPHV, quit

The dramatic decline of the top two groups seems to have accelerated an existing trend that saw smaller groups taking on greater importance in the ecosystem. By October 2024, the top ten gangs accounted for just 37% of known attacks, with the bulk attributable to smaller, less well known “dark horse” gangs.

It appears that over time the tools and tactics for carrying out ransomware attacks have become more widely known and the barrier to entry for smaller groups has been lowered.

This “democratization” of ransomware is unwelcome news. Intelligence suggests that there are many more potential targets for ransomware than attacks. A lower barrier to entry makes ransomware an option for more criminal gangs, will fuel an increase in attacks, and could spur innovation and experimentation in the tactics that are used.

To learn more about how ransomware tactics have changed, which industries ransomware groups are targeting, which group has emerged as the pretender to LockBit’s crown as the most destructive ransomware group, and how ransomware groups are making themselves harder to detect, read the 2025 ThreatDown State of Malware report.