Searchlight Cyber reported a 57% increase in the number of active ransomware groups. In H1 of 2023, 46 active ransomware groups were identified from posts on dark web data leak sites, compared to 72 active groups in H1 of 2024.
In H1 of 2024, 2,879 organizations were listed on the ransomware groups’ data leak sites, a 50% increase from H1 of 2023 but a 16% decrease from H2 of 2023. The second half of 2023 was the peak period, when the number of victims listed on ransomware groups’ data leak sites was at its highest. The increase is attributed to ransomware groups adopting data theft and leak tactics in addition to file encryption.
The activity of the most prolific ransomware groups fluctuated in the first half of 2024. LockBit remained the most active ransomware group, even though law enforcement disrupted its operations for a time. LockBit added at least 434 victims to its data leak site in H1 of 2024, lower than the 527 victims added in H1 of 2023.
The second most active group is Play ransomware with 178 victims, up from 119 victims in H1 of 2023. The third most active ransomware group is RansomHub with 171 attacks in H1 of 2024. This relatively new group appeared in February 2024 and actively recruited affiliates from other ransomware groups, such as LockBit and ALPHV/BlackCat.
RansomHub benefited from the Change Healthcare ransomware attack, acquiring the stolen information from the BlackCat affiliate that had gone unpaid. It then demanded a ransom from Change Healthcare to stop the exposure or sale of the stolen information. RansomHub has targeted several organizations in the healthcare sector and was the focus of a cybersecurity alert issued by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Department of Health and Human Services.
BlackBasta is the 4th most active group, with 88 victims in H1 of 2023 and 130 victims in H1 of 2024. 8Base is the 5th most active group with 124 attacks, 17 more than in H1 of 2023. All five groups are considered ransomware-as-a-service operations, using affiliates to perform the attacks and giving them a cut of the ransoms they collect.
The Searchlight Cyber researchers noted a trend of emerging smaller ransomware groups that conduct targeted attacks and then disappear, only to reappear later under a new name doing the same thing. This strategy helps these groups steer clear of law enforcement attention and sanctions from the Office of Foreign Assets Control.
Luke Donovan, head of Threat Intelligence at Searchlight Cyber, says that the diversification of the ransomware scene is making it difficult for cybersecurity experts to describe the threat landscape. The highly prolific ransomware groups no longer appear to hold the “market dominance” they once had.
Law enforcement disruption of ransomware group activity does seem to have an impact. Law enforcement measures include sanctions, infrastructure seizures, the release of decryption tools, public-private partnerships, arrests, and prosecutions. Nevertheless, as Searchlight Cyber’s data shows, ransomware still presents a serious threat.
To improve defenses against attacks, the following actions are recommended and important for HIPAA compliance:
- Replacing obsolete IT equipment
- Following cybersecurity best practices
- Performing risk analyses to determine potential vulnerabilities
- Taking steps to proactively deal with weaknesses
- Using dark web threat intelligence tools to learn the tactics of ransomware groups and implement measures to counter the threat