New ransomware groups help drive surge in attacks

New operators accounted for a quarter of all data leaked from multi-point ransomware attacks so far this year.
Ransomware remains an effective moneymaker for cyber criminals.

Ransomware has been a perennial security problem for many years, and that’s largely thanks to the groups’ ability to reinvent themselves. According to new research from WithSecure (formerly known as F-Secure Business), the number of new multi-point extortion ransomware groups surged during the first three quarters of 2023.

Ransomware – a type of malicious software (malware) that steals control of machines or data – has become a massive source of revenue for cyber criminals at the expense of people, organisations and even governments all over the world.

While its prevalence has remained consistent for several years, other aspects of the threat have changed.

For the past few years, a number of gangs have gained notoriety by using multi-point extortion ransomware attacks, which involve using several methods to pressure victims into paying a ransom to regain control of their data. Often, these groups both encrypt data and steal it to publish online unless they’re paid.

A new analysis of data leaked on sites operated by these multi-point extortion ransomware operators indicates that many new groups have become active in this space during 2023. Out of the 60 multi-point extortion ransomware gangs whose activities WithSecure has tracked during the first nine months of 2023, 29 are new.

According to Threat Intelligence Analyst Ziggy Davies, the new groups largely follow playbooks established by existing operators, but play a key role in sustaining the number of ransomware attacks facing organisations.

“Code and other aspects of one particular cyber crime operation end up getting used elsewhere because groups and their members often recycle the same resources when they change who they work for or with. Many of the new groups we’ve seen this year have clear lineage in older ransomware operations. For example, Akira and several other groups share many similarities with the now-defunct Conti group, and are likely former Conti affiliates,” said Davies.

The analysis produced several other notable insights about multi-point extortion ransomware attacks in 2023 to date, including:

  • In the first three quarters of 2023, there was a 50% increase in data leaks from ransomware groups compared to the same period from the previous year.
  • LockBit accounted for the biggest share of the leaks (21%).
  • The five groups with the most leaks (8Base, Alphv/BlackCat, Clop, LockBit and Play) accounted for over 50% of the total.
  • Approximately 25% of data leaks included in the analysis were from ransomware groups that began operations in 2023.
  • Only six of the 60 groups posted victims every single month of 2023 (to date).

While cyber criminals look to be more interested in ransomware than ever before, the degree to which these groups recycle each other’s playbooks does provide defenders with some advantages.

“Ransomware remains an effective moneymaker for cyber criminals, so they’ll mostly stick to the same basic playbook rather than come up with anything really new or unexpected. This makes them pretty predictable, which is good for defenders because they know what they’re up against,” said Davies.

The full analysis is available at https://www.withsecure.com/en/expertise/blog-posts/2023-ransomware-rookies-are-a-remix-of-conti-and-other-classics.

WithSecure

WithSecure™, formerly F-Secure Business, is cyber security’s reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world’s most advanced communications and technology providers – trust us for outcome-based cyber security that protects and enables their operations. Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, we’ve built our portfolio to grow with our partners through flexible commercial models.

WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd.