Ransomware Threats, Led by FunkSec, Rise to New Heights
Ransomware attacks surged to a record high in December 2024, with 574 incidents reported, according to an NCC Group report.
FunkSec, a newly identified group combining hacktivism and cybercrime, accounted for over 100 attacks (18% of the total), making it the most active group that month, ahead of Cl0p, Akira and RansomHub.
The industrial sector was the top target, followed by consumer discretionary, IT, financial and healthcare sectors.
The report found more than half of the attacks were aimed at North American organizations, with Europe and Asia also significantly impacted.
Matt Hull, global head for NCC Group strategic threat intelligence, explained that many factors could support this growth in attacks.
“This can range from poor organizational security measures and awareness to the use of evolving technologies to support attacks, such as Generative AI,” he said.
The use of GenAI is increasing the effectiveness of social engineering such as phishing, meaning cybercriminals are likely having more success gaining initial access using this tactic.
“Threat actors will likely have continued success using these tactics into 2025,” Hull said.
Another cause of increased ransomware numbers is the continued growth in the use of infostealer malware.
NCC Group has seen several examples of ransomware incidents where access has been gained by ransomware affiliates through stolen corporate user credentials.
Hull said that by raising awareness of the developments in more sophisticated social engineering – really encouraging employees to think before they click the link, so to speak – and implementing fundamental security controls such as multi-factor authentication (MFA), businesses and organizations will go a long way toward reducing the threat from ransomware.
RaaS Model Proliferates
Darren Guccione, CEO and co-founder at Keeper Security, said the record-breaking rise of ransomware attacks highlights the ever-growing threat of cybercrime and the widespread adoption of ransomware-as-a-service (RaaS) models.
“Groups like FunkSec thrive by lowering the technical barrier of entry for attackers while exploiting gaps in organizational defenses,” he explained. “Strong data backups, ongoing training for employees and clear incident response plans are vital to minimizing impact and recovery time.”
Guccione added that AI in this landscape is both a tool for defenders and a weapon for attackers.
“AI enables faster threat detection and response, but also facilitates password cracking, malware attacks and the creation of convincing phishing scams,” he said. “It’s more critical than ever to have strong defenses in place to combat these sophisticated threats.”
Businesses, on the other hand, must also secure their own AI systems through regular audits, secure development practices and strict vetting of third-party tools.
“Combining AI-driven threat intelligence with employee education creates a robust defense, allowing organizations to stay ahead of emerging threats,” Guccione said.
Visibility, Hardening, Vigilance
Trey Ford, chief information security officer at Bugcrowd, said regardless of the ransomware actor, the foundational controls still matter.
“Knowing your total attack surface, testing your environment – with an eye toward efficient remediation – is key,” he said.
Ford said enterprise controls including visibility (logging, EDR) and hardening (privileged account management, careful inventory of service accounts, and MFA for domain admin and remote access) are paramount.
“There is a strong correlational reason cyber insurance underwriters care about those key controls and coverage in the application process,” he said.
Thomas Richards, principal consultant, network and red team practice director at Black Duck, noted ransomware gangs will only continue to operate so long as there is money to be made.
“The spike in attacks can probably be attributed to the gangs being able to collect a ransom and the technical capabilities of the ransomware used,” he explained.
From his perspective, understanding how ransomware initially compromises organizations will allow others to better defend themselves.
“Looking at the industries that the gangs have targeted, they’re identifying low-hanging fruit who do not have robust or mature cybersecurity programs,” Richards said.