Date: 2024-10-08

The brutal dismantling of the LockBit ransomware crew and the humiliation of its key players has been one of the most talked about cyber security success stories of the past 12 months, but looking at the raw data, it doesn’t seem to have done much to dissuade cyber criminals.

This is according to Secureworks’ annual 2024 State of the Threat Report, which today draws back the curtain to reveal a 30% year-on-year rise in active ransomware groups using name-and-shame leak sites, with 31 new actors entering the ecosystem in the period from June 2023 to July 2024.

Given that the LockBit takedown took place in February, it may not be much of a surprise to learn that the gang accounted for 17% of ransomware listings for the period in scope, although this was down 8% year-on-year given the disruption caused by the UK’s National Crime Agency (NCA), which led the Operation Cronos assault.

Also falling away during the past year was BlackCat/ALPHV, which suffered a similar drubbing at the hands of law enforcement prior to pulling its own product in a possible exit scam, while Clop/Cl0p, which capitalised on the MOVEit file transfer compromise in 2023 to hit hundreds of victims, has also not been as active lately.

Meanwhile, the second most active ransomware gang, Play, doubled its victim count year-on-year, while RansomHub, a new group that emerged shortly after LockBit’s takedown, has in the space of just a few months become the third most active group on the scene, with a 7% share of listed victims. Qilin, as well, has been making its mark, notably in its high-profile attack on NHS partner Synnovis.

“Ransomware is a business that is nothing without its affiliate model. In the last year, law enforcement activity has shattered old allegiances, reshaping the business of cybercrime. Originally chaotic in their response, threat actors have refined their business operations and how they work. The result is a larger number of groups, underpinned by substantial affiliate migration,” said Don Smith, vice president of threat intelligence at Secureworks Counter Threat Unit (CTU).

“As the ecosystem evolves, we have entropy in threat groups, but also unpredictability in playbooks, adding significant complexity for network defenders,” said Smith.