The aggressive dismantling of the LockBit ransomware group and the subsequent humiliation of its key members has emerged as one of the most significant cybersecurity achievements in the past year. However, according to raw data, this action doesn’t seem to have deterred cyber criminals.
The 2024 State of the Threat Report from Secureworks highlights a 30% increase in active ransomware groups utilizing name-and-shame leak sites compared to the previous year, with 31 new actors joining the fray between June 2023 and July 2024. LockBit was taken down in February by the UK’s National Crime Agency (NCA) under Operation Cronos, yet it still accounted for 17% of ransomware listings during the reporting period, an 8% decline from the previous year attributable to that disruption; meanwhile, new players are swiftly emerging in the landscape.
The notorious BlackCat/ALPHV group experienced a similar fate at the hands of law enforcement and subsequently withdrew its operations, potentially indicating an exit scam. Meanwhile, Clop/Cl0p, after exploiting the MOVEit file transfer compromise in 2023 to target numerous victims, has also seen a decrease in activity.
Conversely, the Play ransomware group has doubled its victim count year-on-year, and a new group called RansomHub—emerging shortly after LockBit’s downfall—quickly became the third most active group, claiming a 7% share of listed victims. The group Qilin is also making strides, notably with its high-profile assault on NHS partner Synnovis.
Don Smith, vice president of threat intelligence at Secureworks Counter Threat Unit (CTU), noted, “Ransomware operates as a business inherently reliant on its affiliate model. In the last year, law enforcement actions have disrupted old alliances and transformed the landscape of cybercrime. Originally disorganized, threat actors have streamlined their operations, resulting in a proliferation of groups accompanied by significant affiliate migration.”
Smith further cautioned that as the ecosystem matures, there is both entropy within threat groups and unpredictability in their methodologies, complicating defenses for network security teams.
More Gangs, Fewer Victims
Despite the increase in active gangs, the number of victims hasn’t risen correspondingly, possibly indicating that groups are navigating a more fragmented environment. The CTU team observed considerable affiliate movement within the ransomware landscape, which could be influencing this phenomenon. Numerous ransomware incidents in the past year involved victims appearing on multiple sites, likely due to affiliates seeking new avenues in a chaotic ecosystem.
The last year has undoubtedly been tumultuous, with analysts at Secureworks commenting on the diversification of the ransomware landscape. Previously dominated by a few large operations, the scene is now characterized by a wider array of cybercriminals. This evolution could lead to a more perilous “Wild West” environment, where smaller groups operate with less accountability and structure. A noticeable decline in median dwell times this year suggests that criminals are rapidly executing smash-and-grab attacks.
As this new ecosystem develops in the months ahead, Secureworks anticipates increased variation and shifts in attack strategies. Among the emerging tactics is a growing trend of ransomware groups stealing credentials and session cookies through adversary-in-the-middle (AitM) attacks, also known as man-in-the-middle (MitM) attacks, using phishing kits such as EvilProxy or Tycoon2FA sourced from the dark web. This trend poses significant concerns for defenders, as it may undermine the effectiveness of certain forms of multifactor authentication (MFA).
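Which forms of MFA an AitM proxy undermines comes down to origin binding: a one-time code typed into a lookalike page can simply be relayed to the real site, whereas a WebAuthn/FIDO2 assertion carries the origin the browser was actually on, so the real site rejects anything signed from the proxy's domain. The following is an added illustration written for this article, not code from Secureworks or from the report; the relying party, the origins, the user name and the use of an HMAC as a stand-in for the authenticator's public-key signature are all constructed assumptions.

```python
"""
Why an AitM phishing proxy defeats code-based MFA but not origin-bound MFA.

Added example for this article; not code from Secureworks or the report.
The relying party, origins, challenge handling and the HMAC stand-in for
the authenticator's signature are constructed for illustration only.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.test"          # constructed legitimate origin
PROXY_ORIGIN = "https://login.example-evil.test"  # constructed lookalike origin
RP_ID = "example.test"                            # constructed relying-party id


class Authenticator:
    """Stand-in for a platform/roaming authenticator.

    A real FIDO2 authenticator signs with a per-site private key; here an HMAC
    over a per-site secret stands in for that signature so the example runs
    with the standard library only.
    """

    def __init__(self):
        self._keys = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key  # handed to the RP as the "public key" stand-in

    def sign(self, rp_id: str, challenge: str, browser_origin: str) -> dict:
        # The browser, not the web page, fills in the origin it is really on,
        # so a phishing page cannot claim to be the legitimate site.
        client_data = json.dumps(
            {"challenge": challenge, "origin": browser_origin}, sort_keys=True
        )
        sig = hmac.new(self._keys[rp_id], client_data.encode(),
                       hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": sig}


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.keys = {}
        self.pending = {}

    def enroll(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def challenge(self, user: str) -> str:
        c = secrets.token_urlsafe(16)
        self.pending[user] = c
        return c

    def verify(self, user: str, assertion: dict) -> bool:
        expected = hmac.new(self.keys[user], assertion["client_data"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        data = json.loads(assertion["client_data"])
        # Both checks matter: the challenge stops replay, the origin stops relay.
        return (data["challenge"] == self.pending.pop(user, None)
                and data["origin"] == self.origin)


def otp_login_via_proxy() -> bool:
    """A relayed one-time code has no origin binding, so the proxy succeeds."""
    rp_code = f"{secrets.randbelow(10**6):06d}"  # code the RP sent the user
    code_typed_into_phish = rp_code              # user types it into the lookalike
    code_forwarded_by_proxy = code_typed_into_phish
    return hmac.compare_digest(rp_code, code_forwarded_by_proxy)


def webauthn_login(browser_origin: str) -> bool:
    """Origin-bound assertion: succeeds only when signed on the RP's own origin."""
    rp = RelyingParty(RP_ORIGIN)
    auth = Authenticator()
    rp.enroll("alice", auth.register(RP_ID))
    ch = rp.challenge("alice")  # an AitM proxy relays the real challenge unchanged
    assertion = auth.sign(RP_ID, ch, browser_origin)
    return rp.verify("alice", assertion)


if __name__ == "__main__":
    print("OTP relayed through proxy accepted:", otp_login_via_proxy())
    print("WebAuthn from real origin accepted: ", webauthn_login(RP_ORIGIN))
    print("WebAuthn from proxy origin accepted:", webauthn_login(PROXY_ORIGIN))
```

In a real browser the relay fails even earlier, because the browser refuses a WebAuthn request for an RP ID that does not match the page's domain; the relying-party origin check modelled here is the second, server-side layer of the same defence. Either way the defender's lesson matches the report's: only phishing-resistant MFA removes the proxy's ability to complete authentication, and for everything else session-cookie theft remains in scope.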
Moreover, ransomware gangs are not immune to the allure of artificial intelligence (AI). Since the introduction of ChatGPT nearly two years ago, discussions within the criminal community have focused on utilizing such models for illicit purposes, primarily for phishing activities, but some applications have taken on novel forms.
In a case examined by Secureworks, a criminal group tracked Google trends following a celebrity’s death to gauge interest in obituaries, then generated tributes using AI on malicious sites that were artificially boosted to the top of search results via SEO poisoning. These sites could serve as a conduit for spreading malware or ransomware.
Smith concluded, “The cybersecurity landscape is in constant flux, with changes occurring that range from minor to significant. The rising usage of AI amplifies threats for bad actors, while the increase in AitM attacks poses an urgent challenge for organizations, underscoring that identity is the new perimeter. This reality should prompt businesses to reevaluate their defensive strategies.”