Active Ransomware Groups Increase by 57% as Ransomware Landscape Fragments
There has been a significant increase in the number of ransomware groups conducting attacks, according to Searchlight Cyber. In H1, 2023, Searchlight Cyber identified 46 active ransomware groups from posts to dark web data leak sites, with the number of active groups increasing by 57% in H1, 2024 to 72 active groups.
In the first half of 2024, 2,879 organizations were added to ransomware groups’ data leak sites, a 50% increase from H1, 2023, although a 16% decrease from H2, 2023. It is important to note that attacks increased in the second half of 2023, when the number of victims added to ransomware groups’ data leak sites was at the highest level since ransomware groups started adopting data theft and leak tactics in addition to file encryption.
There has been some fluctuation in the most prolific ransomware groups in the first half of the year. LockBit has retained its position as the most active ransomware group, despite efforts by law enforcement to disrupt its operation. At least 434 victims were added to the LockBit data leak site in H1, 2024, making LockBit the most prolific ransomware group by some distance, although attacks are down from last year when the group added 527 victims to its data leak site in the first half of 2023.
Play ransomware took second spot with 178 victims, a sizeable increase from the 119 attacks conducted in H1, 2023. A relatively new ransomware group, RansomHub, hit the ground running and has taken 3rd spot with 171 attacks in H1, 2024. The group emerged in February 2024 and has been actively recruiting affiliates from other ransomware operations, including LockBit and ALPHV/BlackCat. Recruitment was helped by the law enforcement actions against both groups, and especially by the shutdown of the latter following its attack on Change Healthcare and its exit scam, where the group took the $22 million ransom payment and didn’t pay the affiliate.
RansomHub was also involved in the Change Healthcare ransomware attack, having obtained the stolen data from the unpaid BlackCat affiliate. The group issued a ransom demand to Change Healthcare to prevent the leaking/sale of the stolen data. RansomHub has conducted several attacks on the healthcare sector and was the subject of a recent cybersecurity alert from the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services.
BlackBasta took 4th spot and also increased its attacks from 88 victims in H1, 2023 to 130 in H1, 2024, with 8Base rounding out the top 5 with 124 attacks, up slightly from the 107 attacks conducted in H1, 2023. All of the groups in the top five are ransomware-as-a-service operations, which use affiliates to conduct attacks for a cut of any ransoms they generate.
The researchers identified a growing trend where smaller ransomware groups emerge, conduct targeted attacks, and then disappear, emerging later under a different name and repeating that process. These tactics help these groups stay under the radar and avoid law enforcement attention and complications from sanctions from the Office of Foreign Assets Control. What is clear from the data is that the ransomware landscape is continuing to expand, albeit at a relatively slow rate, while also fragmenting, which Luke Donovan, head of Threat Intelligence at Searchlight Cyber, says is making it harder for cybersecurity professionals to navigate the threat landscape.
“What we could be seeing is the diversification – rather than the growth – of the ransomware scene,” suggests Donovan. “This hypothesis would be consistent with the fact that some of the biggest ransomware players have a clearly reduced influence, suggesting that there is no longer the “market dominance” of a small number of highly prolific ransomware groups that there once was.”
The efforts of law enforcement to disrupt the activity of ransomware groups appear to be having an effect. These measures include infrastructure seizures, sanctions, the release of decryption tools, public-private partnerships, and arrests and prosecutions; however, as Searchlight Cyber’s data shows, ransomware remains an ever-present threat.
Donovan suggests several measures to improve defenses against attacks, including replacing outdated IT equipment, adhering to cybersecurity best practices, conducting risk analyses to identify potential vulnerabilities, and taking action to proactively address weak points. He also suggests taking advantage of dark web threat intelligence tools to discover how ransomware groups are targeting organizations and the tactics being used, and using that information to proactively implement measures to combat the threat.


