That said, CL0P’s activity only accounted for around 9% of the data leak posts in 2023, positioning it in third place after BlackCat (ALPHV) with almost 10% and LockBit with 23%. LockBit, a ransomware-as-a-service (RaaS) operation that gathered many affiliates after groups like Conti, Hive and Ragnar Locker shut down, has been the most prolific ransomware group two years in a row.
Ransomware group newcomers and goners
New groups also played a big role in the ransomware activity spike, setting up 25 new leak sites that accounted for 25% of the total number of victim posts. Some of these groups have been active since 2022 but did not have leak sites until 2023. Five had no activity in the second half of the year, so it’s not clear if they are still active or they’ve already disbanded. However, others remain active, and the top ones are Akira and 8Base, each of them with almost 200 posts.
Akira is a group that was first observed in March 2023 and has suspected links to the former leadership of the Conti group based on observed cryptocurrency transactions. 8Base has been active since 2022 but did not disclose any victims until May 2023.
Last year was also busy for law enforcement in the ransomware space, with several actions that led to prominent groups shutting down or suffering significant disruptions. It started with a US Federal Bureau of Investigation (FBI) operation that dismantled the Hive command-and-control network in January 2023. In October, a Europol-coordinated international action saw the seizure of the Ragnar Locker infrastructure, and in December the FBI disrupted the operations of BlackCat (ALPHV) and released a decryption key. The BlackCat group has not disbanded, but it’s not clear if it can restore its reputation in the cybercriminal underground.
The Palo Alto Networks researchers also mention the potential rebranding of two other notable groups: Royal, which stood out in 2022 with attacks against critical infrastructure targets and which researchers believe has since rebranded into BlackSuit based on code similarities, and Vice Society, a group that attracted attention to itself by targeting healthcare and education organizations and which multiple researchers have linked to the new Rhysida ransomware.
Manufacturing was the industry most targeted by ransomware
The ransomware victim distribution shows that manufacturing was the most impacted sector, accounting for 14% of the data leak posts. This was followed by professional and legal services, high-tech, wholesale and retail, construction, healthcare, financial services and education.
By geographic distribution, almost half of the victims were based in the US, 6.5% in the UK, 4.6% in Canada, 4% in Germany, and 3.4% in France. “The US presents a very attractive target, especially when examining the Forbes Global 2000, which ranks the largest companies in the world according to sales, profits, assets and market value,” the researchers said. “In 2023, the US accounted for 610 of these organizations, consisting of almost 31% of the Forbes Global 2000, indicating a high concentration of wealthy targets.”