Emerging ransomware groups on the rise: Who they are, how they operate

The shutdown of BlackCat (ALPHV) in March and the law enforcement disruption of LockBit infrastructure in February have created a void in the ransomware ecosystem that’s quickly being filled by less experienced groups.

So far this year, researchers from security firm Cyberint have seen 25 new ransomware groups post at least one victim on their data leak sites. Other established but previously smaller gangs have also increased their operational tempos in recent months, now occupying the top spots in monthly victim counts.

“While we continue to track the ransomware landscape to determine long-term changes, we anticipate formerly ‘mid-tier’ Developing and Established ransomware groups to become increasingly visible, either due to the attrition of more prolific competitors or due to shifting affiliate alignment,” researchers from security firm GuidePoint Security wrote in a recent report that notes the same trend.

Play rises to the top

Last month, a ransomware group called Play took the lead from LockBit, which replaced Conti as the top ransomware-as-a-service (RaaS) operation in 2023. Even though Play is not a newcomer to the ransomware scene, being around since 2022, it has now taken advantage of the demise of its bigger peers, possibly attracting some of their affiliates.

RaaS operators primarily rely on third parties known as affiliates to gain access to corporate networks, perform lateral movement, steal sensitive information, and deploy their file-encrypting malware. These cybercriminals choose to work for the program they trust most and that pays them the largest percentage of any ransom paid.

When ALPHV announced in March that they were shutting down their operations, one of its former affiliates came forward to accuse them of running away with the $22 million allegedly paid following the attack on Change Healthcare. When LockBit had its servers seized by law enforcement in February, the group’s main administrator came out and said that the operation won’t be shutting down.

But incidents such as these quickly lead to a loss of trust in the cybercriminal world and partners will quickly move on to the next program. This effect has been visible in LockBit’s recent activity. According to GuidePoint’s statistics, LockBit still accounted for 60% of ransomware incidents in March, but its market share dropped to 30% in April.

Meanwhile, groups like Hunters International, 8Base, RansomHub, and other previously smaller and emerging groups saw jumps in activity. Play’s victim count actually decreased from March to April, but ended up in the top position due to LockBit’s major decline. But the group has been on an upwards trend since the beginning of the year, according to statistics from NCC Group.

8Base is a ransomware group that like Play has been around since 2022, but Hunters International is relatively new, first making an appearance last October and bearing a lot of similarities to Hive, a ransomware group that shut down in early 2023 after law enforcement from several countries managed to seize its servers. RansomHub is even newer, emerging for the first time in February this year and quickly climbing through the ranks.

“We have observed threats by RansomHub to sell exfiltrated data on their branded data leak site (DLS) and instances where the group claims that data has been sold — a notable distinction from the more typical practice of posting such data openly,” the GuidePoint researchers wrote. “Possibilities for this distinct approach include the difficulty and cost of hosting stolen data, the group’s belief that data sales are more valuable than open posting, and the inherent pressure such activity places on the victimized organization to settle with the group.”

Moreover, the affiliate that hacked Change Healthcare and accused ALPHV of running with the ransom money is now a RansomHub affiliate. The reason for this switch might be RansomHub’s generous 90% affiliate commission on victim payments and the possibility for affiliates to receive ransom payments directly instead of going through a RansomHub administrator, the researchers note.

More newcomers

There are some other new groups that stand out through their tooling or growth. One of them is called Muliaka and primarily targets Russian organizations — an unusual targeting choice in the ransomware ecosystem. This group appears to be using a version of the Conti file encryption malware that was leaked online in 2020 and deployed it by hijacking a feature in an antivirus program used by the targeted organizations.

“We highlight this case as most contemporary RaaS groups operate under rules that prohibit the targeting of organizations headquartered in Russia and multiple former states of the former Soviet Union,” the GuidePoint researchers wrote. “These rules presumably exist to avoid attracting the attention of local security services.”

Meanwhile, researchers from Cyberint chose to highlight three other new groups in its report: dAn0n, APT73 and DragonForce, while mentioning a two dozen others that have posted victims this year.

The dAn0n group appeared at the end of April and already posted 12 victims on their data leak site, 10 of which are based in the US. Meanwhile APT73 is another new group that chose to use the APT (advanced persistent threat) designation that is usually assigned by security companies to sophisticated cyberespionage threat actors, despite this group displaying a level of amateurism. APT73’s data leak site is a copy of the data leak site previously used by LockBit and so far lists five victims.

DragonForce is a bit older, first making an appearance in December 2023. The group seems to be using a version of the leaked LockBit ransomware builder and so far has targeted organizations from the manufacturing, technology, healthcare, finance, construction, and real estate sectors from the US, the UK, Australia, Argentina, and Switzerland.

“Looking ahead, the emergence of new ransomware groups in 2024, as evidenced by the proliferation of 25 new groups by the second quarter, suggests a sustained and evolving threat landscape,” the Cyberint researchers wrote.

The good news is that many of these new groups tend to be less sophisticated than the major ones they’re trying to replace, at least for now. Their malware, techniques, and tools are not as well developed and could be more easily detected, but if experienced affiliates join their ranks attracted by better deals, this will rapidly change.