November 18, 2024 By Josh Nadeau 4 min read

Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021.

Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in active ransomware groups in the first half of 2024, providing convincing evidence that the fight against ransomware is far from over.

Summarizing Searchlight Cyber’s recent dark web intelligence report

Searchlight Cyber is a dark web intelligence company that provides monitoring tools and platforms used by law enforcement agencies, business enterprises and MSSPs to help identify, track and prevent ongoing cyber threats.

The company recently released a mid-year report titled “Ransomware in H1 2024: Trends from the Dark Web” that shined some more light on the current state of ransomware, specifically focusing on the activity of the most prolific ransomware groups.

In this report, statistics gathered by Searchlight Cyber show that 73 active ransomware groups are currently being tracked mid-2024 on the dark web compared to 46 groups last year — representing a 56% increase.

Some other key takeaways of the report included:

  • Identifying the top five most active ransomware groups tracked on the dark web, ranked by number of claimed ransomware victims:
    • LockBit (434 victims)
    • Play, also known as Playcrypt (178 victims)
    • RansomHub (171 victims)
    • Black Basta (130 victims)
    • 8Base (124 victims)
  • New larger ransomware groups that have emerged and are beginning to scale their operations, including:
    • DarkVault: discovered in February 2024
    • ATP73: discovered in April 2024
    • Quilong: discovered in April 2024
  • All ransomware groups with the highest victim counts operate using Ransomware-as-a-Service (RaaS) models. In these models, ransomware groups will lease out their ransomware toolkits to “affiliates,” who then pay a percentage split of profits after completing a successful attack.
Read the IBM X-Force Threat Intelligence Index

Data pulled from dark web leak sites

Luke Donovan, Searchlight Cyber’s Head of Threat Intelligence, was recently interviewed to gather an additional perspective on the findings of this report. Commenting on Searchlight Cyber’s metrics reporting, Donovan clarifies:

“Our ransomware victim numbers are largely determined by the organizations that ransomware groups list on their dark web leak sites… There are some limitations with these figures, as ransomware groups may have attacked many other organizations but decided not to list the victim publicly.

“On the flip side, there is always the possibility that ransomware groups are listing organizations that they haven’t actually attacked to boost their reputation. However, these figures broadly give a good indication of the most active ransomware groups operating on the dark web.”

What is driving the increased use of RaaS models?

RaaS models have been in use for several years now. However, as more ransomware groups come to the surface and RaaS solutions become more readily available, the dangers associated are only expected to grow.

When asked about why the RaaS model has become so successful in recent years, Donovan commented, “The success of the RaaS model really lies in its ability to scale. If the operator of the ransomware is also the same individual undertaking the attacks, there is a natural limit in how many victims they can claim at any given time. Outsourcing the attack itself to a number of ‘affiliates’ — of which, some of the biggest gangs have dozens — allows ransomware gangs to vastly increase the quantity of organizations they can hold to ransom.”

How is legal accountability balanced between RaaS operators and their affiliates?

At first glance, it may seem that some RaaS operators are looking for a certain level of insulation from legal ramifications by passing accountability over to affiliates who are responsible for carrying out the attacks. However, many countries have laws in place that hold both RaaS operators and their affiliates equally responsible for the organization and execution of cyberattacks.

“The popularity of the RaaS model is more about profitability than shifting legal accountability. If anything, running a RaaS operation increases the risk for the ransomware creators, as these gangs typically have more victims, which makes them a bigger target for law enforcement,” states Donovan.

Considering the implications of providing RaaS toolkits to untrained or undisciplined affiliates, the continued use of this model is surprising since it can create unwanted attention for the gangs themselves. This became evident in the National Crime Agency’s (NCA) recent disruption to LockBit’s operations in February 2024.

Still, the financial gains from expanding criminal activities on a mass scale are risks many ransomware groups have already proven they’re willing to take.

What security implications does the rise of ransomware groups have on businesses?

As recently mentioned, there have already been previous reports that ransomware victim numbers have declined in recent years. So, should the rise of ransomware groups be something businesses should worry about? Yes and no.

The recent disruptions in large RaaS gangs like LockBit and BlackCat have definitely contributed to the recent decrease in ransomware attacks. Another potential factor can be attributed to the general lack of skills shortage in cyber-related fields that impact both cybersecurity and cyber crime groups. However, this doesn’t mean that a resurgence of ransomware attacks isn’t on the horizon.

“What we observe right now is a more fragmented ransomware ecosystem… When large RaaS groups are disrupted, we typically see a number of smaller copycat groups emerging,” states Donovan.

As Searchlight Cyber’s report highlights, many new ransomware groups are using highly sophisticated attack methods and are increasingly motivated to own a lion’s share of the RaaS market. This is a dangerous combination, which means businesses should stay vigilant while continuously evaluating their defensive strategies to minimize their ransomware exposure.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today