PORTSMOUTH, ENGLAND & WASHINGTON (BUSINESS WIRE) – Searchlight Cyber, the dark web intelligence company, has released its latest report on the ransomware landscape of the dark web. More Groups, More Problems: Ransomware in 2023 covers the most prolific ransomware groups on the dark web last year, changing ransomware tactics based on dark web activity, and the operations security teams should watch out for in 2024. The threat intelligence comes from Searchlight Cyber’s Ransomware Search and Insights module, which collates data from the dark web leak sites of more than 50 ransomware groups.
LockBit, BlackCat (also known as ALPHV or Noberus), and Cl0p were the most prolific ransomware groups of 2023 by the number of victims claimed on their dark web leak sites. However, a major finding of the report is that their share of the overall ransomware victims actually decreased as the number of operators have grown. For example, LockBit’s victims accounted for a third of the total posted on the dark web in the last three months of 2022 but its share only accounts for 17 percent in the last three months of 2023. Its output hasn’t decreased, having in fact doubled its total victim count from last year, but the ransomware world has got bigger.
Other key findings from the report include:
- LockBit’s continued dominance: LockBit is the most active ransomware group for the second year in a row, increasing its victim count and developing new attack techniques.
- Emergence of new and dangerous players in 2023: New ransomware entities like 8Base, Akira, and Rhysida emerged and quickly racked up a high victim count last year, making them groups to watch in 2024.
- Tactical shifts in operations: Some ransomware actors are moving away from encryption-based attacks to direct data theft and extortion.
- Geographic and industry focus: The United States, along with industries such as commercial services, capital goods, and healthcare, face the highest risk of ransomware attacks.
- Ransomware group dynamics: The dissolution and rebranding of groups like Conti, and the use of leaked ransomware source code by emerging groups exemplifies the fluid nature of ransomware operations.
- Groups that have dissolved: the report looks at three groups that ceased operation of their dark web sites in 2023 but may continue in other guises.
Jim Simpson, Director of Threat Intelligence at Searchlight Cyber, said: “Our dark web intelligence shows that the ransomware landscape is becoming larger and more diverse. Small, specialized groups are emerging at pace while the large, established ransomware operations have also increased their output – creating a more active landscape than this time 12 months ago. The expansion of the ransomware ecosystem means that organizations need the most up-to-date information on the specific ransomware threats facing their industry and their peers. Ransomware groups use the dark web to share their tactics, buy their initial access, and recruit affiliates – security teams concerned about ransomware have to monitor this activity to understand and prepare for the latest threats.”
About Searchlight Cyber
Searchlight Cyber provides organizations with relevant and actionable dark web intelligence, to help them identify and prevent criminal activity. Founded in 2017 with a mission to stop criminals acting with impunity on the dark web, we have been involved in some of the world’s largest dark web investigations and have the most comprehensive dataset based on proprietary techniques and ground-breaking academic research. Today we help government and law enforcement, enterprises, and managed security services providers around the world to illuminate deep and dark web threats and prevent attacks. To find out more visit slcyber.io or follow Searchlight Cyber on LinkedIn and Twitter.