The highest monthly volume of global ransomware attacks ever recorded occurred in December 2024, according to NCC Group’s latest Threat Pulse report.
The security firm detected 574 ransomware attacks during the month, which is the highest number since it began monitoring ransomware activity in 2021.
NCC Group noted that there is traditionally a drop-off in the ransomware attacks in December, likely due to the holiday season.
“This year, however, we observed a break in tradition with the highest numbers for December on record, highlighting the evolving and increasingly aggressive nature of ransomware threats,” the researchers wrote.
FunkSec Group Most Active Threat Actor
The report found that the recently identified ransomware-as-a-service actor FunkSec was the most active in December 2024, responsible for 103 attacks. This is around a fifth (18%) of all ransomware attacks recorded in the month.
NCC Group highlighted the threat actor’s versatility, having targeted multiple countries, including the US, India, France and Thailand.
It also targeted a range of sectors, such as healthcare, manufacturing, technology, government and media.
FunkSec employs double extortion tactics, involving both encrypting and exfiltrating files on victim devices. It operates a Tor based data leak site which features breach announcements, an in house distributed denial-of-service (DDoS) tool and placeholders for future ransomware capabilities.
Ian Usher, Associate Director – Threat Intelligence Operations and Service Innovation at NCC Group, commented: “The rise of new and aggressive actors, like Funksec, who have been at the forefront of these attacks is alarming and suggests a more turbulent threat landscape heading into 2025. If ransomware groups are becoming bolder and more advanced, we can expect more frequent and widespread attacks, putting every sector and region at risk.”
A Check Point report on January 10 revealed that FunkSec claimed to have targeted 85 victims in December alone. It also highlighted the group’s use of AI-assisted malware development.
The second most active ransomware group in December was Clop with 68 attacks, followed by Akira with 43 attacks and RansomHub with 41 attacks, according to NCC Group data.
Read now: The Top 10 Most Active Ransomware Groups of 2024
Asia Suffers Spike in Ransomware Attacks
There was a 58% month-on-month rise in attacks targeting Asia in December, from 58 attacks in November to 92.
Attacks targeting South America also rose in this period, from 35 to 40.
North America remained the most targeted region in December, accounting for 52% of ransomware attacks. However, the volume of attacks (300) targeting the region fell compared to November (326).
Europe was the second most targeted region, with 18% of attacks (100 attacks).
Industrials was the most heavily targeted sector in the month, facing 24% of all attacks (136). This is a trend that has been “routinely observed” by NCC Group researchers.
