The company has uncovered that new ‘threat actor’ groups are helping to drive a surge in attacks, with new operators accounting for a quarter of all data leaked from ransomware attacks so far this year.
New groups have been found to largely follow established playbooks that often have lineage from older operations. Given that data leaks from ransomware attacks have effectively doubled in the first three quarters of 2023, the WithSecure report highlights a need for businesses and private users to protect themselves.
Ransomware gangs ramp up activity, with Lockbit leading charge
Ransomware, a type of malicious software that steals control of machines or data, has become a massive source of revenue for cybercriminals at the expense of people, organisations and governments.
Whilst new groups largely follow playbooks established by existing operators, they also play a key role in sustaining the number of ransomware attacks facing organisations. Ransomware has been a security issue for many years, in part because criminal groups are able to reinvent themselves.
According to WithSecure’s research, the number of new multi-point extortion ransomware groups surged during the first three quarters of 2023. Notably, Lockbit is currently leading in the amount of leaked data (21%), while the top five groups accounted for more than 50% of total leaks.
The research states that the five criminal groups with the most leaks are: 8Base, Alphv/BlackCat, Cl0p, Play and Lockbit. Approximately 25% of data leaks included in the research were from ransomware groups that only began operating in 2023, highlighting that new groups are a clear concern.
Out of the 60 multi-point extortion ransomware gangs whose activities WithSecure has tracked during the first nine months of 2023, 29 are new.
New cybercriminals with ‘clear lineage’ in older operations
Over the past few years, cyber gangs have gained notoriety by using multi-point extortion ransomware attacks, which involve using several methods to pressure victims into paying a ransom to regain control of their data. WithSecure states that these groups will often encrypt data and also steal it, threatening to publish it online unless they are paid.
WithSecure Threat Intelligence Analyst Ziggy Davies says: “Code and other aspects of one particular cyber crime operation end up getting used elsewhere because groups and their members often recycle the same resources when they change who they work for or with. Many of the new groups we’ve seen this year have clear lineage in older ransomware operations.”
While cyber criminals look to be more interested in ransomware than ever before, the degree to which these groups recycle each other’s playbooks does provide defenders with some advantages.
Davies continues: “Ransomware remains an effective moneymaker for cyber criminals, so they’ll mostly stick to the same basic playbook rather than come up with anything really new or unexpected. This makes them pretty predictable, which is good for defenders because they know what they’re up against.”