New ransomware groups help drive surge in attacks

New operators accounted for a quarter of all data leaked from multi-point ransomware attacks so far this year. 

Helsinki, Finland – November 16, 2023: Ransomware has been a perennial security problem for many years, and that’s largely in thanks to the groups’ ability to reinvent themselves. According to new research from WithSecure™ (formerly known as F-Secure Business), the number of new multi-point extortion ransomware groups surged during the first three quarters of 2023.

Ransomware—a type of malicious software (malware) that steals control of machines or data—has become a massive source of revenue for cyber criminals at the expense of people, organizations, and even governments all over the world.

While its prevalence has remained consistent for several years, other aspects of the threat have changed.

For the past few years, a number of gangs have gained notoriety by using multi-point extortion ransomware attacks, which involve using several methods to pressure victims into paying a ransom to regain control of their data. Often, these groups both encrypt data, and steal it to publish online unless they’re paid.

A new analysis of data leaked on sites operated by these multi-point extortion ransomware operators indicates that many new groups have become active in this space during 2023. Out of the 60 multi-point extortion ransomware gangs whose activities WithSecure has tracked during the first nine months of 2023, 29 are new. 

According to Threat Intelligence Analyst Ziggy Davies, the new groups largely follow playbooks established by existing operators, but play a key role in sustaining the amount of ransomware attacks facing organizations.

“Code and other aspects of one particular cyber crime operation end up getting used elsewhere because groups and their members often recycle the same resources when they change who they work for or with. Many of the new groups we’ve seen this year have clear lineage in older ransomware operations. For example, Akira and several other groups share many similarities with the now-defunct Conti group, and are likely former Conti affiliates,” said Davies.

The analysis produced several other notable insights about multi-point extortion ransomware attacks in 2023 to date, including:

• In the first three quarters of 2023, there was a 50% increase in data leaks from ransomware groups compared to the same period from the previous year.
• Lockbit accounted for the biggest share of the leaks (21%).
• The 5 groups with the most leaks (8Base, Alphv/BlackCat, Clop, LockBit, and Play) accounted for over 50% of the total.
• Approximately 25% of data leaks included in the analysis were from ransomware groups that began operations in 2023.
• Only 6 of the 60 groups posted victims every single month of 2023 (to date).

While cyber criminals look to be more interested in ransomware than ever before, the degree to which these groups recycle each other’s playbooks does provide defenders with some advantages.

“Ransomware remains an effective moneymaker for cyber criminals, so they’ll mostly stick to the same basic playbook rather than come up anything really new or unexpected. This makes them pretty predictable, which is good for defenders because they know what they’re up against,” said Davies.

The full analysis is available at https://www.withsecure.com/en/expertise/blog-posts/2023-ransomware-rookies-are-a-remix-of-conti-and-other-classics.

WithSecure™ media relations
Adam Pilkey
+358406378859