12-month analysis led by Huntress’ industry-defining security team reveals ransomware groups maximizing profits with quick, widespread attacks
Columbia, MD – February 11, 2025 – Hackers are getting faster, craftier, and harder to spot. Today, Huntress, the cybersecurity company purpose-built to protect businesses of all sizes, exposes their playbook with the Huntress 2025 Cyber Threat Report, an extensive analysis of hacker activity that draws insights from over three million endpoints across thousands of organizations. The report reveals how threat actors adapted their tradecraft throughout 2024, using sophisticated tools and techniques across industries to maximize efficiency and profits.
In 2024, the gap between attack sophistication on large and smaller businesses nearly disappeared. Hackers took the methods and strategies tested on larger companies and applied them to organizations of every size. Advanced evasion techniques—once exclusive to advanced persistent threats—became the new normal, including endpoint detection and response (EDR) tampering, bring your own vulnerable driver (BYOVD) privilege escalations, and User Account Control (UAC) bypasses.
The takedown of major ransomware groups like LockBit and Dharma didn’t slow down attacks either; it opened the door for smaller, more agile groups and rebranded operations. Among them, Lynx (which shares many similarities with, and is widely believed to be a rebranding of, INC ransomware), RansomHub (a sub-group of LockBit), and Akira all ramped up their activity significantly compared to 2023.
Over the past year, Huntress tracked ransomware incidents from Lynx, Akira, and RansomHub, with incidents from these groups increasing by 7.9%, 11.6%, and 15.3%, respectively. By giving affiliates higher percentage payouts, often reaching 80–90% of the ransom, and pursuing a quantity-over-quality approach, the three collectively accounted for 54% of all ransomware incidents observed by Huntress in 2024. These groups used 'smash-and-grab' tactics, quickly deploying ransomware, demanding payment, and hitting their goals with swift and efficient network infiltration to minimize dwell time and evade detection. While the average time-to-ransom (TTR)—the time from initial access to ransomware deployment—was shy of 17 hours, Akira and RansomHub’s came in around six hours, with Lynx not far behind at seven hours.
“Ransomware-as-a-Service (RaaS) groups like Lynx, Akira, and RansomHub have industrialized cybercrime, adopting a 'quantity over quality' approach to maximize profits. By providing affiliates with streamlined playbooks and toolkits, they've made launching attacks deceptively simple and incredibly lucrative,” said Greg Linares, Principal Threat Intelligence Analyst. “The rise of RaaS groups such as these has led to increased attacks on businesses of all sizes with sophisticated techniques, once reserved for attacks on large enterprises, now becoming commonplace.”
Key trends in the Huntress 2025 Cyber Threat Report include:
“Hacker tradecraft is evolving fast, with ransomware groups growing bolder, attacks becoming harder to detect, and phishing scams reaching new levels of sophistication,” added Jamie Levy, Director, Adversary Tactics. “To stay ahead, organizations need a well-rehearsed incident response plan, ongoing vulnerability assessments, timely patching, and security awareness training that actually sticks. Key controls like endpoint detection and response, network segmentation, and identity and access management are also critical to minimizing risk. With ransomware deployed within hours of initial access, taking proactive steps now is essential to minimizing the impact of a breach.”
About Huntress
Huntress is a global cybersecurity company on a mission to make enterprise-grade products accessible to all businesses. Purpose-built from the ground up, Huntress' technology is specifically designed to continuously address the unique needs of security and IT teams of all sizes. From Endpoint Detection and Response (EDR) and Identity Threat Detection and Response (ITDR) to Security Information and Event Management (SIEM) tools and Security Awareness Training (SAT), the platform provides targeted protection for endpoints, identities, data, and employees, delivering trusted outcomes and valuable peace of mind.
Its 24/7, AI-assisted Security Operations Center (SOC) is powered by a team of world-renowned engineers, researchers, and security analysts, dedicated to stopping cyber threats before they can cause harm. Huntress is often the first to respond to major hacks and incidents, with its expert security team sharing real-time tradecraft analysis and actionable advisories with the community.
Currently safeguarding over 4 million endpoints and 2 million identities, Huntress empowers security teams, IT departments, and Managed Service Providers (MSPs) across the globe to protect their businesses with enterprise-grade security accessible to everyone.
As long as hackers keep hacking, Huntress keeps hunting. Learn more at www.huntress.com, and follow Huntress on X, Instagram, Facebook, and LinkedIn.
Contact:
+1 (650) 400-7833