New kids on the ransomware block in 2023: Akira and 8Base lead dozens of newbies

How good are your takedowns when fresh gangs are linked to previous ops, though?


At least 25 new ransomware gangs emerged in 2023, with Akira and 8Base proving the most "successful," research reveals.

The gangs were the two "success" stories of the year for cybercrooks, proving that the lure of big ransom payouts is still enough to attract significant interest from fledgling ransomware operations, despite the challenges that remain for newcomers.

For one thing, law enforcement agencies are paying ever closer attention. They shut down numerous operations last year, and that threatens to be a serious deterrent to this year's shenanigans.

Fierce competition between gangs was listed as another reason some groups dropped off the scene, according to researchers at Unit 42 by Palo Alto Networks. A new crew must offer competitive payouts to affiliates while also fielding a ransomware payload effective enough to attract capable criminals to its program and away from powerful rivals like LockBit and ALPHV/BlackCat.

Get your hankies ready – some gangs didn't make it...

The difficulties facing ransomware groups may explain why so many failed to survive last year. Five of the 25 newcomers didn't make it to see their first birthday, failing to register a single attack in the final six months of the year.

"A lack of leak site posts does not necessarily mean these groups have ceased operations. Criminals from these groups could have moved to other types of operations, retreated from public view, or merged with other ransomware groups," blogged Doel Santos, principal threat researcher at Unit 42.

"If some of these groups did not last the entire year, new threat actors can fill the void. The second half of 2023 revealed posts from 12 new leak sites, indicating these groups might have started later in the year."

Of the 25 new gangs identified by Unit 42, at least 12 of them are connected to pre-existing groups either as offshoots or as suspected rebrands of operations that closed down.

The full list of the new gangs from 2023 is below, including details about whether they are still active and where relevant, what other gang they're supposedly connected to.

The 25 new ransomware operations accounted for roughly a quarter of all publicly claimed ransomware incidents in 2023. 

We say "publicly claimed" because the number of actual ransomware attacks is likely to be much higher. Many victims disclose poorly or quietly pay up before their names reach a leak site, so we'll never get to learn about them.

Out of all the newcomers, Akira is thought to be the fastest-growing of the bunch and has already claimed a number of major attacks, including one on cosmetics giant Lush in just the past few weeks.

According to BlackFog's analysis [PDF] of January 2024's ransomware incidents, Akira laid claim to roughly 12 percent of them, making it the second-most active group of the year so far. That's hardly surprising if Conti is indeed behind the operation, as suspected. Conti at the height of its powers was the most feared group of its time… before it imploded, of course.

That said, Wizard Spider, the heavily sanctioned gang behind Ryuk, Conti, Trickbot, and others, remains (mostly) at large thanks to Russia's blind-eye approach to cybercriminals' behavior, as long as all the nastiness is directed at the West.

8Base is a group that was technically established in 2022, Santos said, but given that its leak blog didn't go live until May 2023, it's being lumped together with last year's newbies.

It started the year strongly, consistently registering more attacks than Akira, and although Akira eventually overtook it by the end of the year, Unit 42's figures showed very little difference in the final tallies, suggesting 8Base was just as effective.

The two gangs were the standout "performers" among the 25 new operations last year. Although it wasn't included in Unit 42's list, the Russian-language WereWolves group, which rose rapidly to prominence toward the very end of the year, also looks set to make its mark in 2024.

All groups will also be looking to sweep up the market share left behind by the groups that fell last year, in large part due to the work of international law enforcement agencies.

Hive and Ragnar Locker were shuttered by law enforcement last year, Ransomed.vc and Trigona also went dark, and authorities nearly took down ALPHV too, although the group managed to wrestle back control of its infrastructure during a multi-day struggle with the FBI.

The takedowns were celebrated at the time, but as industry pros wound down for their Christmas holidays, the debate around ransomware payments heated up and ultimately watered down the perceived significance of the authorities' efforts.

Without a ban on ransom payments, the argument goes, taking down individual gangs will achieve very little, since the money keeps drawing in replacements. That was the consensus of many, although there is certainly a case to be made against it.
