Research of Searchlight Cyber has shown that the number of ransomware groups active in the first half of 2024 increased to 73, up from 46 in the same period in 2023. The findings suggest that law enforcement efforts to contain cybercriminal groups have had some success, particularly in disrupting the activities of the notorious BlackCat group, which has now been disbanded.
Groups were targeted by law enforcement during ‘Operation Cronos’, which saw two individuals arrested, 28 servers shut down, 1,000 decryption keys obtained, and 200 crypto accounts frozen. These accounts were all linked to the notorious LockBit organization.
While the number of groups has increased, the number of victims has decreased, indicating a potential diversification rather than growth of ransomware groups. Other Ransomware as a Service (RaaS) groups such as RansomHub and BlackBasta have become more active, complicating the cybersecurity landscape.
Ongoing threats
Disruptions to cybercriminal activity should not be confused with the shutdown of operations. New organizations such as DarkVault and APT73 are expected to become more productive in the near future.
Searchlight Cyber’s Head of Threat Intelligence, Luke Donovan, comments: “As we’ve seen in the first half of 2024, the ransomware landscape is not only expanding, it’s also fragmenting. With over 70 active ransomware groups now operating, the ransomware landscape is becoming increasingly complex for cybersecurity professionals to navigate.”
He adds: “The diversification we are seeing means that smaller, lesser-known groups can emerge quickly and carry out highly targeted attacks.”
Recently, groups like Qilin have caused a stir serious damage to NHS hospitals, impacting surgeries and transplants. The risks posed by these threat actors are illustrated by their willingness to attack high-impact targets to extract as much ransom as possible.