Six ransomware gangs behind over 50% of 2024 attacks

Plus many more newbies waiting in the wings

Despite a law enforcement takedown six months ago, LockBit 3.0 remains the most prolific encryption and extortion gang, at least so far this year, according to Palo Alto Networks' Unit 42.

Of the 53 ransomware groups whose underworld websites (where the crooks name their victims and leak stolen data) the incident response team monitored, just six accounted for more than half of the total infections observed.

For its analysis, Unit 42 reviewed announcements posted on these crews' dedicated leak sites during the first six months of 2024 and counted 1,762 posts, which represents a 4.3 percent year-over-year increase from 2023.

Before we get into the top six gangs' victim counts, a note on how Unit 42 tracks nation-state and cybercrime groups: it combines a modifier with a constellation, and Scorpius is the lucky constellation that Unit 42 connects to ransomware gangs. Here's the master list, plus the common akas.

We're going to go with the common akas, with Unit 42's names in parentheses on first reference, because while we doubt anyone outside of the security shop is familiar with "Flighty Scorpius," LockBit, on the other hand, is basically a household name.

(Plus, note to Unit 42: you are going to start running out of workable modifiers pretty soon.)

Also, these figures compare the first half of 2024 with full year 2023.

Over the first half of 2024, LockBit 3.0 (Flighty Scorpius) posted 325 victims on its leak site, compared to 928 in all of 2023. This was more than enough to land the crew in the No. 1 spot at the halfway mark.

Coming in second: the Play (Fiddling Scorpius) gang named 155 victims during 2024 H1, compared to 267 last year. This jump moved the group up from the No. 4 spot in 2023 to second place so far this year.

Meanwhile 8base (Squalid Scorpius), a relative newcomer from last year that is believed to be a rebrand of Phobos, came in third during the first half of 2024 with 119 claimed victims. In 2023, the criminals claimed 188 victims, which put them in sixth position.

Akira (Howling Scorpius), dubbed the next big thing in ransomware, came in at No. 4, with 119 victims so far this year. For comparison: during 2023 it posted 192 victims and took fifth place.

BlackBasta (Dark Scorpius), with 114 victims, was the fifth most prolific ransomware gang between January and June. It didn't even make the top six last year.

And finally, Medusa (Transforming Scorpius) allegedly infected 103 victims so far this year. It also didn't make the top six in 2023.

A couple of notable gangs absent from this year's list include ALPHV/BlackCat (Ambitious Scorpius), which came in second last year with 388 victims, and the No. 3-ranked CLOP (Chubby Scorpius), with 364 victims in 2023.

The report also notes several high-profile disruptions that happened earlier this year and late in 2023.

"Takedowns of prominent ransomware groups, forums and individuals in the first half of the year have created ripples throughout the criminal ecosystem," the report noted.

In December 2023 an FBI-led operation seized ALPHV/BlackCat's websites and released a decryption tool for its ransomware.

That didn't completely derail the crew, which roared back to life when an affiliate locked up Change Healthcare's IT systems and shut down pharmacies across the US. ALPHV pulled an exit scam shortly after the ransom was allegedly paid.

Then in February we saw the NCA-led takedown of the LockBit 3.0 Tor site and, a month later, the unmasking and sanctioning of its leader, Dmitry Khoroshev, aka LockbitSupp.

In May, international cops took control of the website and Telegram channel belonging to ransomware brokerage site BreachForums. A month later, they arrested the leader of Scattered Spider, another ALPHV affiliate.

Of course, these law enforcement takedowns can feel like a game of whack-a-mole, as many of the criminal websites come back under a new name and new administrator (as BreachForums has, several times over the years and most recently in June).

Plus, some of the gangs successfully rebrand, and many of the ransomware-as-a-service groups' affiliates scatter to other criminal organizations following a bust. And, as Unit 42 has noted in the report, there are plenty of newcomers eager to step up and move into this lucrative criminal ecosystem.

All of these factors likely play a role in the overall slight increase in reported ransomware infections year-over-year.

Some of the newcomers that Unit 42 tracks include:

  • Spoiled Scorpius (Distributors of RansomHub)
  • Slippery Scorpius (Distributors of DragonForce)
  • Burning Scorpius (Distributors of LukaLocker)
  • Alpha/MyData ransomware
  • Trisec ransomware
  • DoNex ransomware
  • Quilong ransomware
  • Blackout ransomware

Meanwhile, a new ransomware strain named Brain Cipher emerged in June 2024 after a crew hacked Indonesia's Temporary National Data Center (PDNS) and disrupted the country's services. That malware code is reportedly based on LockBit 3.0.

"We analyzed a Brain Cipher sample used in an attack against an Indonesian target, and our existing LockBit 3.0 prevention and detection signatures also worked on this sample," Unit 42 said.

"Even with law enforcement's best efforts to dismantle and stamp out the most prolific ransomware threat actors, plenty of highly skilled and motivated groups are waiting, willing to step in and fill the void," the threat hunters surmise.

"The success and subsequent explosion of ransomware in the past few years have led to an ever-increasing pool of individuals and groups gambling for their chance at fame and fortune." ®
