Highlights:

  • The top five ransomware groups, 8Base, Clop, ALPHV/BlackCat, LockBit, and Play, collectively contributed over 50% of the total data leaks.
  • Approximately 25% of the data leaks examined originated from ransomware groups that initiated operations in 2023.

Recently, WithSecure Oyj, a cybersecurity firm, released a report warning about the rise of new multipoint extortion ransomware groups in the first three quarters of 2023.

Multipoint ransomware groups, also known as double-tap or double-extortion groups, employ several tactics at once to pressure victims into paying a ransom to regain control of their data. While a conventional ransomware group typically encrypts data and demands payment for a decryption key, newer groups also steal data and threaten to publish it unless payment is made.

WithSecure examined the data leaked on websites managed by ransomware operators and identified a significant influx of new groups entering this domain throughout 2023. Among the 60 multipoint extortion ransomware gangs monitored by WithSecure in the initial nine months of 2023, 29 are newly identified.

The newly identified groups are reported to largely adopt playbooks established by existing operators, playing a pivotal role in maintaining the volume of ransomware attacks confronting organizations.

Ziggy Davies, a threat intelligence analyst at WithSecure, explained, “Code and other aspects of one particular cybercrime operation end up getting used elsewhere because groups and their members often recycle the same resources when they change who they work for or with. Many of the new groups we’ve seen this year have clear lineage in older ransomware operations. For example, Akira and several other groups share many similarities with the now-defunct Conti group and are likely former Conti affiliates.”

The report also revealed additional insights into multipoint extortion ransomware attacks in 2023. Notably, during the first three quarters of the year, there was a 50% surge in data leaks from ransomware groups compared to the corresponding period in the previous year.

As expected, the notorious LockBit ransomware took the lead in contributing to the majority of the leaks, comprising 21% of the total, aligning with a comparable discovery made by NCC Group plc in August. The top five ransomware groups, 8Base, Clop, ALPHV/BlackCat, LockBit, and Play, collectively contributed over 50% of the total data leaks.

Approximately 25% of the data leaks examined originated from ransomware groups that initiated operations in 2023. Additionally, only six out of the 60 groups have reported victims consistently every month from the beginning of the year up to the present date.

The report observes an increased interest in ransomware among cybercriminals; however, the fact that these groups often reuse each other’s strategies offers defenders certain advantages.

Davies also commented, “Ransomware remains an effective moneymaker for cyber criminals, so they’ll mostly stick to the same basic playbook rather than come up with anything really new or unexpected. This makes them pretty predictable, which is good for defenders because they know what they’re up against.”