Despite the police dismantling some of the biggest and most dangerous ransomware threats out there, ransomware as a criminal industry continues to flourish.
A new report from cybersecurity researchers at Palo Alto Networks’ Unit 42 found a 49% increase in victims reported on ransomware leak sites.
In total, there were 3,998 new entries, posted by various groups, across the dark web.
Short expiration date on ransomware groups
Unit 42 attributed this surge to high-profile vulnerabilities like SQL injection, which were exploited in products like MOVEit and GoAnywhere. Those with a good memory will remember that Cl0p, for example, abused a zero-day vulnerability in the MOVEit managed file transfer solution to exfiltrate sensitive data on more than 2,000 organizations. Before that, the GoAnywhere fiasco saw firms like Procter & Gamble and Hitachi lose sensitive files.
LockBit, ALPHV, and others all tried to find zero-day flaws to abuse and either install encryptors or just exfiltrate data and demand a ransom.
While the number of victims grows, the number of ransomware operators is shrinking. Hive and Ragnar Locker are no more, and neither are Ransomed.Vc and Trigona. ALPHV was almost completely dismantled but managed to return, possibly rebranded.
Furthermore, leak site data revealed the emergence of 25 new ransomware groups in 2023, which, the researchers hint, shows the continued appeal of ransomware as a profitable criminal activity. However, many of these new groups did not last, disappearing in the second half of the year.
As expected, ransomware operators weren’t really picky when it came to the target industry, but manufacturing remained the most affected vertical. Most victims – 47% – are located in the United States. LockBit remained the most active group in 2023, followed by ALPHV (AKA BlackCat) and Cl0p.