December 11, 2023

Half of the 60 ransomware groups that WithSecure tracked during 2023 began their operations this year, according to a report published by the security vendor's researchers.

Although more established groups (such as 8Base, BlackCat, Clop, LockBit and Play) accounted for over half of data leaks in the first nine months of 2023, the new wave of ransomware variants is having an impact on the market.

The vendor claimed that groups that began operating in 2023 accounted for 25% of data leaks in the period, helping to drive a 50% year-on-year increase in data leaks.


Many of these new players – like Royal, Akira and Blacksuit – can be traced back to Conti, whose code was leaked after an infamous data breach.

The source code for LockBit and Babuk was also leaked by disgruntled affiliates and subsequently used by other ransomware gangs.

Data leaks aren’t the only way that older groups cross-pollinate younger ones. Ransomware gangs have staff, and those people sometimes change jobs, bringing their unique skills and knowledge with them.

There’s nothing stopping a cyber-criminal from taking proprietary resources (such as code or tools) from one ransomware operation and using them at another. There’s no honor among thieves.


However, this lack of innovation could be good news for network defenders as it will make incident response and cyber-resilience efforts easier.

Old groups are still very significant in multiple ways. For starters, most groups don’t last that long. Only 6 of the 60 tracked in the analysis were active every month. These groups start, stop, fold, rebrand themselves, etc. Only a few seem to have successful, sustainable operations.

If ransomware’s evolution consists of Darwinian variations of the same basic things, organizations can pretty much know what to expect and prepare for the inevitable day when ransomware gangs knock on their digital door.
