CyberSecurity SEE

Annual Ransomware Group Formation Reaches Record High

In 2024, the ransomware landscape is experiencing a significant shift, with a proliferation of new extortion groups emerging alongside the continued targeting of large companies by established attackers. This surge in new groups is unprecedented, with 22 emerging in just five months compared to 22 in the previous 30-month period.

The growth of these ransomware groups can be attributed to the maturing ransomware market, the availability of attack tools, and the evolving structures of these groups. As financially motivated ransomware groups continue to rise, there has been a simultaneous decline in politically motivated hacktivist groups, indicating a shift in the threat landscape.

The emergence of ransomware groups is at an all-time high in 2024, with over 5.5 new groups identified per month. This increase is evident from the discovery of public data leak sites (DLSs), which these groups use to publish stolen data as a means of extortion.

Since January 2018, nearly 200 ransomware groups with DLSs have been identified, although some of these groups may be inactive or defunct. Despite efforts to take down these groups, the ease of creating new groups and the lucrative nature of ransomware attacks continue to fuel the threat landscape, with over 60 groups launching attacks in 2024 alone.

It is important to note that the number of ransomware groups does not necessarily correlate with the number of ransomware attacks. In fact, there was a 22% drop in ransomware attacks in the first quarter of 2024 compared to the last quarter of 2023. However, the increase in ransomware groups means that defenders need to be vigilant and familiarize themselves with a wider range of Tactics, Techniques, and Procedures (TTPs) used by these groups.

There were spikes in ransomware group emergence in September 2022 and April 2024, possibly linked to the dissolution of well-known ransomware groups and the leak of a ransomware builder. This underscores the fact that the emergence of new ransomware groups is not always a linear progression.

The ransomware market is thriving due to two main factors. Firstly, there is a natural evolution in which older groups refine their tactics and malware, while new groups target smaller businesses with weaker cybersecurity defenses. Secondly, the availability of Ransomware-as-a-Service (RaaS) and various strains of ransomware has lowered the barrier to entry for threat actors, making it easier for even less technical attackers to launch ransomware attacks.

According to cybersecurity experts at Cyjax, the availability of RaaS and free ransomware toolkits on cybercrime forums empowers both new and existing threat actors to form new groups and carry out attacks. This has created a cycle of growth within the ransomware landscape, with threat actors able to switch between groups and create new ones as needed.

Law enforcement efforts to disrupt ransomware groups are often hampered by challenges in attribution and extradition. Additionally, internal disputes within ransomware groups can lead to the formation of rival groups, while geopolitical tensions such as the Russia-Ukraine war can limit international cooperation and provide safe havens for ransomware actors.

The ransomware market continues to thrive due to various factors, including the abundance of potential targets, mandatory attack reporting incentivizing victims to pay ransoms quietly, the availability of tools and recruitment on cybercrime forums, the use of developing countries for testing and refining ransomware, and the profit-driven nature of ransomware which discourages collaboration among attackers.

In conclusion, the ransomware landscape in 2024 is marked by a high number of emerging ransomware groups, each posing a unique threat to organizations of all sizes. With the proliferation of new groups and evolving tactics, defenders must remain vigilant and adaptive to effectively combat the growing ransomware threat.
