New kids on the ransomware block in 2023: Akira and 8Base lead dozens of newbies

How good are your takedowns when fresh gangs are linked to previous ops, though?

At least 25 new ransomware gangs emerged in 2023, with Akira and 8Base proving the most "successful," research reveals.

The gangs were the two "success" stories of the year for cybercrooks, proving that the lure of big ransom payouts is still enough to attract significant interest from fledgling ransomware operations, despite the challenges that remain for newcomers.

For one thing, there's more and more attention from law enforcement agencies, which shut down numerous operations last year, and this threatens to be a serious deterrent for this year's shenanigans.

The high degree of competition between gangs was also listed as another reason for some groups dropping off the scene, according to researchers at Unit 42 by Palo Alto Networks. Cybercriminals must offer competitive payouts to affiliates while also offering a ransomware payload that's effective enough to attract capable criminals to their program and away from powerful competitors like LockBit and ALPHV/BlackCat.

Get your hankies ready – some gangs didn't make it...

The difficulties facing ransomware groups may explain why so many failed to survive last year. Five of the 25 newcomers didn't make it to see their first birthday, failing to register a single attack in the final six months of the year.

"A lack of leak site posts does not necessarily mean these groups have ceased operations. Criminals from these groups could have moved to other types of operations, retreated from public view, or merged with other ransomware groups," blogged Doel Santos, principal threat researcher at Unit 42.

"If some of these groups did not last the entire year, new threat actors can fill the void. The second half of 2023 revealed posts from 12 new leak sites, indicating these groups might have started later in the year."

Of the 25 new gangs identified by Unit 42, at least 12 of them are connected to pre-existing groups either as offshoots or as suspected rebrands of operations that closed down.

The full list of the new gangs from 2023 is below, including details about whether they are still active and where relevant, what other gang they're supposedly connected to.

The 25 new ransomware operations accounted for roughly a quarter of all publicly claimed ransomware incidents in 2023. 

We say "publicly claimed" because the number of actual ransomware attacks is likely to be much higher, but due to poor disclosure or paying ransoms early, we'll never get to learn about them.

Out of all the newcomers, Akira is thought to be the fastest-growing of the bunch and has so far claimed a number of major attacks, such as cosmetics giant Lush in just the past few weeks.

According to BlackFog's analysis [PDF] of January 2024's ransomware incidents, Akira laid claim to roughly 12 percent of them, making it the second-most active group of the year so far. It's hardly surprising if Conti is indeed behind the operation – Conti at the height of its powers was the most feared group of its time… before it imploded, of course.

That said, Wizard Spider, the heavily sanctioned gang behind Ryuk, Conti, Trickbot, and others, remains (mostly) at large thanks to Russia's blind-eye approach to cybercriminals' behavior, as long as all the nastiness is directed at the West.

8Base is a group that was technically established in 2022, Santos said, but given that its leak blog didn't go live until May 2023, it's being lumped together with last year's newbies.

It started the year strongly, consistently registering more attacks than Akira, and although the latter eventually overtook 8Base by the end of the year, Unit 42's figures showed very little difference in the final numbers, suggesting it was just as effective as Akira. 

The two gangs were the standout "performers" of the 25 new operations last year and, while it wasn't included in Unit 42's list, the Russian-language WereWolves group, which rapidly rose to prominence towards the very end of the year, looks as though it will continue to make a mark this year.

All groups will also be looking to sweep up the market share left behind by the groups that fell last year, in large part due to the work of international law enforcement agencies.

Hive, Ragnar Locker, Ransomed.vc, and Trigona were all shuttered by law enforcement last year, and authorities nearly got hold of ALPHV too but the group managed to wrestle back control during a multi-day struggle with the FBI.

The takedowns were celebrated at the time but as industry pros wound down for their Christmas holidays, the debate around ransomware payments heated up and ultimately watered down the significance of the authorities' efforts.

With no ban on ransom payments, takedowns of gangs will likely do very little. That was the consensus of many, although there is certainly a case to be made against it. ®