Fresh Ransomware Gangs Emerge as Market Leaders Decline

There was a rise in the number of ransomware victims in May compared to the previous month, although LockBit, the leading ransomware group, saw a 30% decrease in observed victims (110 to 77) from April to May.

Ransomware heavyweight AlphV also experienced a decline in posted victims, with 38 observed victims in May compared to 51 in April.

That drying up was offset by several new branded groups entering the scene, contributing to an overall increase in observed ransomware victims, according to GuidePoint Security's latest GRIT report.

The May GRIT report highlighted a diverse slate of active threat groups, with 28 observed groups claiming victims. There was a 13.57% increase in publicly posted ransomware victims from April to May, and 410 incidents total, led by victims in the United States — far and away the most targeted country.

The report noted that the fledgling Akira ransomware group has gained particular prominence just since April (the name a potential nod to the 1988 Japanese anime cult classic in which a biker is turned into a rampaging psychopath). The gang is primarily known for a unique data-leak site designed as an interactive command prompt using jQuery.

Educational organizations have been disproportionately targeted by Akira, representing eight of its 36 observed victims. The group follows the "double extortion" approach: stealing data from victims and threatening to leak it if the ransom is not paid.

While there isn't enough data to make a definitive hypothesis, GuidePoint Security threat intelligence consultant Nic Finn notes he has observed some of the new groups significantly lowering their initial ransomware demand.

"If this trend continues, it could indicate that ransomware groups are attempting to shorten the time between victimization and ransomware payment," he says.

Overall, though, the GRIT findings echoed the 2023 Verizon Data Breach Investigations Report in noting escalating ransomware costs.

Emergence of New Ransomware Groups

GRIT has also identified other fresh-faced ransomware groups on the scene, such as 8Base, Malas, Rancoz, and BlackSuit, each with its own distinct characteristics and targets.

8Base, which claimed 67 victims in the past year, has primarily targeted the banking and finance industry and is focused primarily on the US and Brazil, while the extortion group Malas was observed performing mass exploitation of business email and collaboration software Zimbra.

There is little known about Rancoz, which has posted just two victims so far — one in the tech sector and one in manufacturing — while BlackSuit was flagged for the maturity of its operations despite only one observed victim.

These emerging threat groups have deployed a combination of established and innovative tactics, aiming to blend in and profit amid the crowded ransomware landscape, explains Finn.

He notes one method that's been observed lately is a shift toward single extortion, focused around exfiltrated data — no encryption necessary.

"This is much more sustainable for ransomware groups because it involves less troubleshooting with victims when the decryptors fail," he says.

Finn explains the recent behavior of ransomware groups suggests they are following whatever tactics they believe to be more novel and successful.

"The trend back toward single extortion through the threat of data publication could be the result of perceived success by other groups, or it could be a determination they are making based on their interactions with victims," he says.

For example, if a good portion of their victims are asking to lower the ransom demand in exchange for just proof of deletion and guarantees not to attack them again, this may lead ransomware groups to assume that a good portion of their victims have backups in place, making it the effort of encrypting a victim network seem superfluous.

"Organizations following data backup best practices should remain diligent about developing detections and monitoring activity for any potential data exfiltration efforts, as this single extortion trend will definitely continue and likely grow throughout 2023," Finn says.

Education Sector in the Sights

As evidenced by Akira and older groups like Vice Society, ransomware groups are increasingly targeting educational institutions, from daycare centers to major universities. In total, ransomware groups posted 35 unique victims in the education industry in May.

"A recent influx in vulnerabilities affecting software commonly used in schools, such as the PaperCut MF/NG vulnerability," the report noted.

"It seems like the education sector is seeing heavy targeting because there is so much personally identifiable (PII) and sensitive student data available in the resulting data," Finn says. "Additionally, the number of individuals impacted is exponential to the size of the victim organization."

For example, a school system with just a thousand or so active students could still house records and data on thousands more former students, plus information relating to parents of the students who have data at risk.

"Another big factor is media attention," he adds. "Ransomware actors follow the trends that get them media coverage. The cyberattack against the LA Unified School District brought about a lot of media attention, so it's likely that more groups are matching that trend to replicate the coverage."

MOVEit and Mass Exploitation

Another factor in the recent growth of successful ransomware attacks is the phenomenon of ransomware groups are exploiting zero-day vulnerabilities en masse, the report noted, conducting exfiltration, and expecting victims to reach out to them to coordinate for ransoms.

The ongoing Cl0p attacks exploiting the MOVEit vulnerability against hundreds of organizations are emblematic of the trend, which is also seen with the DeadBolt ransomware variant and another recently exploited by a threat actor to deploy Nokoyawa ransomware.

"It appears that Cl0p has a team of highly technical hackers working on mass exploitation, especially of file transfer software," Finn adds.

Recent reporting indicates that the group began working on the MOVEit exploitation as far back as 2021, and even delayed the mass exploitation of the vulnerability until it completed a different mass exploitation campaign against the GoAnywhere MFT service earlier this year.

"This indicates a significant strategic planning capability, even down to the decision to begin exploitation of this MOVEit vulnerability over the Memorial Day weekend, when less staff is available to respond right away," he says.

While there has been a noted slowdown in ransomware activity over the summer for the past two years, which Finn adds may still occur this year, there's also "a good chance" that other ransomware groups attempt to mimic the behavior of groups like Cl0p and attempt mass exploitation, which could offset declines in activity elsewhere.