The ransomware ecosystem is experiencing a significant shift, splintering into numerous smaller groups following law enforcement takedowns of large operations like LockBit and BlackCat/AlphV. While these actions disrupted the infrastructure of major gangs, they largely failed to secure arrests, leaving the operators free to rebrand and form new entities. This proliferation is evident in the data: one tracking company counted 41 new ransomware groups in a single year, and more than 60 gangs now operate simultaneously. The growth has contributed to an overall increase in ransomware attacks and suggests that the barrier to entry has lowered, possibly because of a mix of affiliates' prior experience, commoditized malware, and the availability of AI tooling.
A key driver behind this fragmentation is the rise of ransomware-as-a-service (RaaS) rebrands. Many of the new groups are not entirely new but rather defunct operations that have simply spun up under a different name. Cybersecurity firms have found that some of these emerging groups are using leaked source code from their predecessors. For example, the top group SafePay has been found to share code with LockBit, and the fingerprints of other notable groups like Conti are apparent in the codebases of other new gangs. This ability to reuse existing, proven code makes it much easier and quicker for former affiliates to launch their own operations without having to start from scratch.
The risks associated with operating a large, visible RaaS group have also contributed to the fragmentation. The successes of international efforts, such as the Ransomware Task Force, have made it dangerous for major operations to keep a low bar for accepting affiliates, because every new recruit is a potential law enforcement infiltrator. This leaves affiliates with a stark choice: try to join one of the few remaining closed groups, or strike out on their own. With plenty of leaked ransomware code available, and easy access to the other necessary components, such as initial access brokers and open-source tooling, starting a new, smaller operation is a viable and increasingly attractive alternative.
This splintering is clearly reflected in the statistics. Malwarebytes reported that the top 10 most active groups now account for only about half of all ransomware attacks, a significant drop from 69% in 2022. This demonstrates that attackers are no longer reliant on joining a large, established RaaS operation to conduct attacks successfully. The ransomware ecosystem has always been volatile, with dominant groups often rising and falling within a year, but this recent shift marks a move towards a more decentralized and agile criminal landscape. The rapid rise and fall of RansomHub, which emerged to lead the pack after LockBit's demise but went silent less than a year later, exemplifies the churn at the top of this fractured ecosystem.