Ransomware is a major concern for organizations today, with criminal gangs targeting companies of all sizes. The days of simply worrying about data encryption are long gone. Today, a single attack can involve quadruple extortion: ransom for the victim’s data, ransom for victim associates’ data, data exfiltration, and even SEC complaints filed by threat actors, as seen with the group ALPHV.

With ransomware’s evolving toolkit, business leaders are paying more attention to this threat. At Tandem Cyber Solutions, we don’t typically delve into threat intelligence, but we do offer a unique perspective.

This blog series will explore ransomware from the viewpoint of hackers and pen testers. Let’s start by identifying key ransomware variants and broadening our understanding from there.


Ransomware can be identified and categorized in various ways. Traditionally, ransomware was developed and deployed by the same group. For example, WannaCry was developed and deployed by the Lazarus Group.

However, this model has significantly changed. Now, malware developers often sell access to their malware in exchange for a share of the ransom. Here are three key terms to understand:

  • Affiliates: These are the threat actors who deploy the malware. They may use various types of ransomware and split their ransom payments with the RaaS groups. Think of affiliates as the delivery people of cybercrime; they don’t create the product but find a way to distribute it.
  • Ransomware as a Service (RaaS) Operators: These entities develop the ransomware and maintain its infrastructure, earning money by providing access to affiliates for a share of the ransom.
  • Ransomware Variants: These are the specific types of ransomware you hear about in the news, such as Black Basta, Conti, and LockBit.

Now that we’re on the same page, let’s dive into the numbers to understand the major players in ransomware.

Recorded Future Statistics

According to Recorded Future, the top five ransomware variants for April are LockBit, Conti, ALPHV, CL0P, and Play. This isn’t surprising if you follow the news.

  1. LockBit
  2. Conti
  3. ALPHV
  4. CL0P
  5. Play

LockBit is the top threat, with nearly three times as many victims as the runner-up, Conti. Keep in mind that Recorded Future measures victims based on posts on extortion sites, which are not always 100% accurate.

Many cyber gangs have extortion sites where they post the names of infected organizations, regardless of the number of endpoints involved. These sites are public and monitored by security companies.

Interestingly, Conti appears on this list despite allegedly disbanding in 2022. This might be due to their source code being leaked, allowing skilled individuals to modify and use it. Or as my favorite threat intel person suggested (and many others), Conti became fractionalized; dispersing into many other groups, which are now tracked collectively as Conti.

TrendMicro Statistics

TrendMicro, as an antivirus company, measures ransomware by the number of detections on endpoints. According to TrendMicro, the top detected variants are:

  1. LockBit (3.1%)
  2. Phobos (1.5%)
  3. StopCrypt (1.4%)
  4. TargetCompany (1.3%)
  5. Conti (~1.3%)

These results differ from Recorded Future’s, as TrendMicro measures detections, indicating that the ransomware was likely unsuccessful.

The detection of older versions of ransomware, like LockBit 3.0, could skew these results. If a RaaS group’s ransomware were easily detected, they would struggle to attract affiliates.

Malwarebytes Statistics

Malwarebytes measures companies that did not pay the ransom. According to Malwarebytes, the top five ransomware variants in February were:

  1. LockBit (102 known attacks)
  2. Black Basta (35)
  3. Hunters (30)
  4. ALPHV (29)
  5. PLAY (24)

LockBit leads again, but ALPHV and PLAY also appear.

This measure highlights instances where the ransomware successfully infected systems but failed to achieve extortion. Although the article did not specify, it is likely that this metric was derived from extortion sites, similar to the method used by Recorded Future.

Palo Alto explains the dynamic of extortions sites, also known as leaked sites, well:

A ransomware group might start without a leak site as it builds its infrastructure and expands operations. Furthermore, if a victim offers immediate payment, the ransomware incident might not appear on a group’s leak site. As a result, leak sites do not always provide a clear or accurate picture of a ransomware group’s activities.

Ransomware Retrospective 2024: Unit 42 Leak Site Analysis

In summary, if ransomware successfully infiltrates an organization, the attack may be listed on an extortion site. This usually happens if the ransomware group is well-established and the organization did not meet the ransom demands promptly.

What Does This Mean?

What do these statistics mean for your company’s defensive posture? LockBit is clearly the biggest threat. If you need to focus on defending against one group, LockBit is the one.

However, ransomware as a whole remains a significant threat. The White House’s 2024 Report on the Cybersecurity Posture of the United States highlights this, noting a 22% increase in reported ransomware cases and a 74% increase in associated costs from 2022 to 2023.

Defense Recommendations

In future blogs, we’ll dive deeper into ransomware techniques and defenses. For now, here are our top recommendations from a penetration testing perspective:

  1. Patch Management: Many ransomware attacks exploit vulnerabilities. A solid patching plan makes you a tougher target.
  2. Endpoint Security: Utilize antivirus, EDR, or other endpoint protection tools. They won’t stop everything but can block some threats, as indicated by TrendMicro’s statistics.
  3. Create and Test Backups: Backups won’t prevent all types of extortion but will help you recover quickly from data encryption attacks.
  4. Segmentation and Least Privileges: Lock down access, prevent lateral movement, and slow down threats to buy time for response.
  5. Network Security: Monitor for unusual traffic patterns, such as large data transfers out of the organization.
  6. Pen Testing: Regularly test your defenses. Companies like Tandem Cyber Solutions can simulate ransomware scenarios to ensure your defenses are effective.

Stay tuned for more insights in our next blog.

About Tandem Cyber Solutions

Tandem Cyber Solutions is a Offensive Cybersecurity firm that focuses on penetration testing and vulnerability scanning service. We are dedicated to reducing the barriers to great security and bringing the best cyber security possible to businesses of all sizes.


Micheal Small


Micheal has over 16 years of combined experience in Information Security, Information Technology, and Physical Security. His passion and appetite for the cyber world is unparalleled with exposure to virtually every industry, he continues to hone his skills in Incident Response, Penetration Testing, and Consulting.

Micheal Small

Micheal Small has over 16 years of combined experience in Information Security, Information Technology, and Physical Security. His passion and appetite for the cyber world is unparalleled with exposure to virtually every industry, he continues to hone his skills in Incident Response, Penetration Testing, and Consulting. Recognizing the need for change in cyber security, he volunteers to help entrepreneurs, veterans, and recent graduates.