The number of active ransomware gangs have risen 56% year-on-year in H1 2024, according to a new Searchlight Cyber report.
The researchers observed 73 ransomware groups in operation in H1 2024 compared to 46 in H1 2023, emphasizing the growing fragmentation of the ransomware landscape.
Read now: Ransomware Ecosystem Transformed, New Groups “Changing the Rules”
This trend has followed law enforcement operations that have disrupted a number of high-profile ransomware-as-a-service (RaaS) groups in the past year, as well as the disappearance of BlackCat in an apparent “exit scam” after securing a ransom payment from US healthcare payment provider Change Healthcare in March 2024.
The researchers said they are now seeing smaller, lesser-known groups emerge rapidly and execute highly targeted attacks, often disappearing and re-appearing under new guises on a continual basis.
Luke Donovan, Searchlight Cyber’s Head of Threat Intelligence, commented: “As we've seen in the first half of 2024, the ransomware landscape is not just expanding, it's fragmenting. With over 70 active ransomware groups now in operation, the ransomware landscape is becoming more complex for cybersecurity professionals to navigate.”
RansomHub Emerges as Prolific Attacker
LockBit retained its place as the most prominent ransomware group in H1 2024, with 434 reported victims. This is despite being severely disrupted by a global law enforcement operation in February 2024.
The Play group, which has been operating since 2022, was in second place with 178 listed victims.
The researchers said RansomHub, the third most active group in the six-month period with 171 victims, was the most “noteworthy” group in the top five, having only emerged in February 2024.
In late August, the US government issued an advisory highlighting the operator’s extensive targeting of critical infrastructure sectors, including healthcare, water and agriculture.
BlackBasta and Base made up Searchlight’s top five list with 130 and 124 victims, respectively.
The researchers also highlighted new entrants APT73 and DarkVault, potential offshoots of LockBit, who are expected to become significant threats in the near future. They noted by giving itself an unofficial advanced persistent threat (APT) designation, APT73 is possibly trying to bolster its prestige and suggest a level of sophistication beyond simply being a financially-motivated group.
Ransomware Victims Fall in H1 2024
Encouragingly, the report highlighted a fall in the number of listed ransomware victims in H1 2024. This includes a fall of LockBit victims from 527 in H1 2023 to 434 in H1 2024.
This suggests that law enforcement operations are having some effect in protecting organizations.
“What we could be seeing is the diversification – rather than the growth – of the ransomware scene. This hypothesis would be consistent with the fact that some of the biggest ransomware players have a clearly reduced influence, suggesting that there is no longer the “market dominance” of a small number of highly prolific ransomware groups that there once was,” said the researchers.