November 18, 2024 By Josh Nadeau 4 min read

Any good news is welcome when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents, compared to 21% in 2021.

Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in active ransomware groups in the first half of 2024, providing convincing evidence that the fight against ransomware is far from over.

Summarizing Searchlight Cyber’s recent dark web intelligence report

Searchlight Cyber is a dark web intelligence company that provides monitoring tools and platforms used by law enforcement agencies, business enterprises and MSSPs to help identify, track and prevent ongoing cyber threats.

The company recently released a mid-year report titled “Ransomware in H1 2024: Trends from the Dark Web” that sheds more light on the current state of ransomware, focusing specifically on the activity of the most prolific ransomware groups.

In this report, statistics gathered by Searchlight Cyber show that, as of mid-2024, 73 active ransomware groups are being tracked on the dark web, compared to 46 groups last year — representing a 56% increase.

Some other key takeaways of the report included:

  • Identifying the top five most active ransomware groups tracked on the dark web, ranked by number of claimed ransomware victims:
    • LockBit (434 victims)
    • Play, also known as Playcrypt (178 victims)
    • RansomHub (171 victims)
    • Black Basta (130 victims)
    • 8Base (124 victims)
  • New larger ransomware groups that have emerged and are beginning to scale their operations, including:
    • DarkVault: discovered in February 2024
    • ATP73: discovered in April 2024
    • Quilong: discovered in April 2024
  • All ransomware groups with the highest victim counts operate using Ransomware-as-a-Service (RaaS) models. In these models, ransomware groups will lease out their ransomware toolkits to “affiliates,” who then pay a percentage split of profits after completing a successful attack.

Data pulled from dark web leak sites

Luke Donovan, Searchlight Cyber’s Head of Threat Intelligence, was recently interviewed to gather an additional perspective on the findings of this report. Commenting on Searchlight Cyber’s metrics reporting, Donovan clarifies:

“Our ransomware victim numbers are largely determined by the organizations that ransomware groups list on their dark web leak sites… There are some limitations with these figures, as ransomware groups may have attacked many other organizations but decided not to list the victim publicly.

“On the flip side, there is always the possibility that ransomware groups are listing organizations that they haven’t actually attacked to boost their reputation. However, these figures broadly give a good indication of the most active ransomware groups operating on the dark web.”

What is driving the increased use of RaaS models?

RaaS models have been in use for several years now. However, as more ransomware groups come to the surface and RaaS offerings become more readily available, the associated dangers are only expected to grow.

When asked about why the RaaS model has become so successful in recent years, Donovan commented, “The success of the RaaS model really lies in its ability to scale. If the operator of the ransomware is also the same individual undertaking the attacks, there is a natural limit in how many victims they can claim at any given time. Outsourcing the attack itself to a number of ‘affiliates’ — of which, some of the biggest gangs have dozens — allows ransomware gangs to vastly increase the quantity of organizations they can hold to ransom.”

How is legal accountability balanced between RaaS operators and their affiliates?

At first glance, it may seem that some RaaS operators are looking for a certain level of insulation from legal ramifications by passing accountability over to affiliates who are responsible for carrying out the attacks. However, many countries have laws in place that hold both RaaS operators and their affiliates equally responsible for the organization and execution of cyberattacks.

“The popularity of the RaaS model is more about profitability than shifting legal accountability. If anything, running a RaaS operation increases the risk for the ransomware creators, as these gangs typically have more victims, which makes them a bigger target for law enforcement,” states Donovan.

Given the risks of handing RaaS toolkits to untrained or undisciplined affiliates, the continued use of this model is surprising, since it can draw unwanted attention to the gangs themselves. This became evident in the National Crime Agency’s (NCA) recent disruption of LockBit’s operations in February 2024.

Still, the financial gains from expanding criminal activities on a mass scale are risks many ransomware groups have already proven they’re willing to take.

What security implications does the rise of ransomware groups have on businesses?

As mentioned above, previous reports have already indicated that ransomware victim numbers have declined in recent years. So, should businesses worry about the rise in the number of ransomware groups? Yes and no.

The recent disruptions of large RaaS gangs like LockBit and BlackCat have definitely contributed to the recent decrease in ransomware attacks. Another potential factor is the general skills shortage in cyber-related fields, which affects both cybersecurity teams and cyber crime groups. However, this doesn’t mean that a resurgence of ransomware attacks isn’t on the horizon.

“What we observe right now is a more fragmented ransomware ecosystem… When large RaaS groups are disrupted, we typically see a number of smaller copycat groups emerging,” states Donovan.

As Searchlight Cyber’s report highlights, many new ransomware groups are using highly sophisticated attack methods and are increasingly motivated to capture the lion’s share of the RaaS market. This is a dangerous combination, which means businesses should stay vigilant and continuously evaluate their defensive strategies to minimize their ransomware exposure.
