December 2024 broke records for ransomware attack volumes, according to data released by cyber security firm NCC Group, which said it saw a total of 574 confirmed incidents last month and a new threat actor referred to as Funksec accounted for more than 100 of them.
This was the highest level of attacks observed by NCC’s analysts since the organisation first published its monthly Threat Pulse index back in 2021, rising from 565 in November 2025 and topping December 2023’s figure of 387 by some margin. The industrials sector once again held the dubious honour of being the most attacked vertical, and North America and Europe were the most attacked regions.
“December is usually a much quieter time for ransomware attacks, but last month saw the highest number of ransomware attacks on record, turning that pattern on its head,” said NCC associate director of threat intelligence operations and service innovation, Ian Usher.
“The data should serve as a wake-up call. No organisation is immune, and the best defence is to stay ahead of the curve. Companies need to double down on their cyber security measures and ensure that their teams are trained and prepared to evolve with the changing nature of ransomware threats.”
Slam dunk (da funk)
NCC said there were many factors in play that could have contributed to the growth in attack volumes, ranging from old favourites such as poor organisational security measures and awareness, to the use of new technologies, such as artificial intelligence (AI), to support attacks.
Whilst there is precisely zero evidence to directly implicate any AIs in December’s attacks, the security community has been warning for almost two years that such tools are being used to enhance ransomware attacks through better information gathering to select likely targets and support phishing campaigns against them.
Emergent cyber extortion gang Funksec appears to have driven at least part of this alarming increase. According to analysts at Check Point, it may be among those using AI to scale its operations and manage its campaigns.
NCC confirmed 103 attacks were attributable to the gang in the space of just 31 days – Check Point said it observed 85 – significantly outpacing Clop/Cl0p with 68 confirmed attacks, Akira with 43, and RansomHub with 41.
Funksec uses standard double extortion techniques and appears to be somewhat indiscriminate in its targeting, with victims reported in France, India, Thailand and the United States among others, and in a range of sectors, including government, healthcare, manufacturing, media and technology.
However, according to Check Point, many of its claims have been flagged as recycled, forged, or unverified, and there are significant questions about Funksec’s credibility and capabilities. Check Point’s research team also suggested the gang may have links to Algeria, pointing to a blended financial-hacktivism motivation that sets it apart from other gangs.
Regardless of the threat it poses, NCC said the gang was clearly versatile, and would be worth watching in 2025.
“The rise of new and aggressive actors, like Funksec, who have been at the forefront of these attacks is alarming and suggests a more turbulent threat landscape heading into 2025. If ransomware groups are becoming bolder and more advanced, we can expect more frequent and widespread attacks, putting every sector and region at risk,” said Usher.
Landmark year
Although statistics vary according to which of the many observers’ data one reads, there is little doubt that 2024 was a stand-out year for ransomware, even reckoning with successful takedowns against the likes of LockBit.
Taking the year as a whole, analysts at ZeroFox said they saw a total of 4,950 ransomware and digital extortion incidents in 2024, up from about 4,000 in 2023. This figure represents mainly incidents in which victims did not pay or were still tied up in negotiations, suggesting the true number was, as always, much higher.
ZeroFox said it identified 45 new ransomware gangs during 2024, with many of them spinning up quickly, establishing remarkably consistent operations, and becoming a genuine threat to businesses much faster than previously observed.
It said the diversification of the community was very likely down to a combination of law enforcement actions freeing up individuals previously associated with LockBit and ALPHV/Black Cat, and the continued professionalisation of underground cyber criminal marketplaces and ransomware-as-a-service operations, meaning the ransomware economy is paying out more, and becoming more accessible to people who might otherwise not be drawn into cyber crime.
Funksec’s campaign aside, RansomHub in particular appears to have been the most prominent riser across the 12-month period, going from five attacks in February to 97 in November, representing about 10% of all observed incidents and carrying out 216 known attacks in Q4 alone.
It said the gang was technically adept and quick to evolve its toolset, deploying new capabilities designed to foil endpoint detection and response (EDR) processes in August, and collaborating with other affiliate operatives.