3 Most Active Ransomware Groups in 2023
The three most active ransomware gangs in 2023 were LockBit 3.0, Alphv, and Cl0p. While these three were the primary contributors to the sharp increase in ransomware attacks in 2023, a significant number of attacks also originated from the 8Base, 3AM, Akira, Play, and Rhysida ransomware groups. In 2023, the ransomware industry witnessed a startling surge, with a 55.5% increase in global victims, totaling 4,368 cases. The trajectory showed explosive growth in 2021, a momentary dip in 2022, and another surge in 2023. LockBit retained its top position with 1,047 victims, including notable attacks on Boeing, Nagoya Harbor, and the Royal Mail. Alphv and Cl0p trailed with 445 and 384 victims, respectively. In the second quarter of 2023, 1,386 new ransomware cases were documented, a 67% increase in victims over the first quarter. The third quarter surpassed this figure, reaching a total of 1,420 cases.
3 New Ransomware Groups in 2024
Each ransomware group exhibits distinct characteristics, and the extent of the threat posed by a particular ransomware operation to legitimate companies can vary significantly. The three new ransomware gangs to look out for in 2024 are Akira, Rhysida, and 3AM.
The Akira Group
Making its debut in March 2023, Akira ransomware swiftly gained notoriety through its distinctive 1980s-themed website and substantial ransom demands, ranging from $200,000 to $4 million. The group focuses on several sectors, particularly healthcare, finance, real estate, and manufacturing, and has claimed over 81 victims to date. Akira operates as a ransomware-as-a-service and stands out for its ability to target both Windows and Linux systems. Potential connections with the infamous Conti ransomware group have been suggested because of shared elements in their code and cryptocurrency wallets. The group uses its official data leak site (DLS) to disclose information about victims and post updates on its activities. While its primary focus is the United States, it also targets the United Kingdom, Australia, and various other countries. Employing a double-extortion strategy, Akira infiltrates and encrypts data, compelling victims to pay two separate ransoms for regaining access and for file restoration. In nearly all observed intrusions, Akira uses compromised credentials as the initial entry point into the victim's environment. Notably, many of the targeted organizations had not implemented multi-factor authentication (MFA) for their VPNs. Although the exact source of these compromised credentials remains uncertain, the threat actors may have obtained access or credentials from the dark web.
Rhysida Ransomware
Since its emergence in May 2023, Rhysida ransomware has swiftly gained prominence, notably for bold attacks on governmental entities such as the Chilean Army, healthcare organizations such as Prospect Medical Holdings, and high-profile targets such as the British Library and Insomniac Games. Initially, the Rhysida group presented itself as a "Cybersecurity Team," running a victim support chat portal on its website and framing its intrusions as targeting victims' systems to uncover their vulnerabilities.
Operating with a double-extortion approach, Rhysida not only encrypts victims’ files but also pilfers sensitive data, subsequently applying pressure by threatening public data leaks unless ransoms are promptly settled. Speculation suggests that Rhysida may have affiliations or shared members with older malware groups, providing it with a distinct advantage in terms of experience and reach. The heightened risk posed by Rhysida stems from its inclination to target unencrypted organizational data. Upon infiltrating a system, Rhysida quickly restricts access to sensitive files and data. Rhysida distinguishes itself through its inventive ransom demands. Organizations, particularly in North and South America, have encountered a distinctive PDF ransom note, a departure from the usual TXT or HTML formats. While seemingly subtle, this nuance could serve as a precedent for upcoming malware strains to employ similar evasion techniques.
3AM Ransomware
One of the newer ransomware groups is a strain called 3AM. Not much is known about this group, and in 2023 it only managed to impact about 20 victims, all residing in the US. Emerging ransomware families come and go, and many fail to gain substantial traction. Nevertheless, a LockBit affiliate's use of 3AM as a fallback hints at interest from attackers and raises the possibility of its resurgence in the future. Notably, 3AM appears to be an entirely new malware family. Upon infiltrating a system, it consistently follows a specific sequence: it first attempts to stop multiple services on the compromised computer, then begins encrypting files. After encryption, it attempts to delete Volume Shadow Copy Service (VSS) snapshots, removing a common local recovery path.
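The service-stop, encrypt, delete-shadow-copies sequence described above is a pattern defenders can look for in endpoint process-creation telemetry. The following is an added example (not code from the article or from any vendor report on 3AM): a small Python detector that scans constructed, simplified key=value process-creation log lines for service-stop commands followed by shadow-copy deletion on the same host, and grades the finding higher when the two stages appear together within a short window. The command strings matched are the commonly documented ones for these behaviours (MITRE ATT&CK T1489 Service Stop and T1490 Inhibit System Recovery); the article does not name the exact commands 3AM uses, so that mapping is an assumption, and the log format, host names, and timestamps are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data). Each line is a simplified
# process-creation event loosely modelled on Sysmon Event ID 1 fields.
SAMPLE_LOG = """\
2023-09-14T03:01:52Z host=ws01 user=CORP\\jdoe image=C:\\Windows\\System32\\net.exe cmdline="net stop MSSQLSERVER /y"
2023-09-14T03:01:53Z host=ws01 user=CORP\\jdoe image=C:\\Windows\\System32\\net.exe cmdline="net stop SQLWriter /y"
2023-09-14T03:01:54Z host=ws01 user=CORP\\jdoe image=C:\\Windows\\System32\\sc.exe cmdline="sc stop VeeamBackupSvc"
2023-09-14T03:02:10Z host=ws01 user=CORP\\jdoe image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
2023-09-14T03:05:00Z host=ws02 user=CORP\\backupsvc image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"
2023-09-14T03:06:00Z host=ws03 user=CORP\\admin image=C:\\Windows\\System32\\net.exe cmdline="net stop Spooler"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmd>[^"]*)"$'
)

# Stage 1: bulk service stops (T1489). Stage 2: shadow-copy removal (T1490).
SERVICE_STOP = re.compile(r"^(net1?\s+stop|sc(\.exe)?\s+stop)\b", re.I)
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|vssadmin(\.exe)?\s+resize\s+shadowstorage"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.I,
)


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Map a command line to a detection stage, or None if it is benign for this rule."""
    if SHADOW_DELETE.search(cmd):
        return "shadow_delete"
    if SERVICE_STOP.search(cmd):
        return "service_stop"
    return None


def detect_recovery_inhibition(log_text, min_stops=2, window_seconds=600):
    """Return one finding per shadow-copy deletion event.

    A deletion on its own is 'medium'; a deletion preceded on the same host by at
    least min_stops service-stop commands within window_seconds is 'high', because
    that ordering matches the stop-services-then-encrypt-then-delete-VSS sequence.
    """
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        stage = classify(ev["cmd"])
        if stage is None:
            continue
        ev["stage"] = stage
        ev["t"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        per_host[ev["host"]].append(ev)

    findings = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e["t"])
        for i, ev in enumerate(events):
            if ev["stage"] != "shadow_delete":
                continue
            prior_stops = [
                e for e in events[:i]
                if e["stage"] == "service_stop"
                and (ev["t"] - e["t"]).total_seconds() <= window_seconds
            ]
            severity = "high" if len(prior_stops) >= min_stops else "medium"
            findings.append({
                "host": host,
                "ts": ev["ts"],
                "user": ev["user"],
                "severity": severity,
                "service_stops": len(prior_stops),
                "cmdline": ev["cmd"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_recovery_inhibition(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['host']} ({f['user']}): "
              f"{f['cmdline']} after {f['service_stops']} service stop(s)")
```

Run against the sample, the detector raises a single high-severity finding for ws01 (three service stops followed by a shadow-copy deletion within two minutes) and stays silent on ws02, where `vssadmin list shadows` is a read-only command, and on ws03, where a lone `net stop Spooler` is ordinary administration. Alerting on the deletion alone already catches most ransomware families; correlating it with the preceding service stops is what separates a likely ransomware precursor from a backup operator tidying up snapshots.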
3AM distinguishes itself from other ransomware through its use of outdated methods. Many cybersecurity analysts speculate that older scripts and technology may help the actors evade detection by modern security tools, which are tuned for current tradecraft. However, relying on outdated methods and technology also exposes the operators to vulnerabilities, countermeasures, and sabotage of their own tooling. The 3AM group's decision to use an outdated PHP script highlights the unpredictable nature of cybercriminals and underscores the need for organizations to stay vigilant and adopt a comprehensive security approach, acknowledging that threats can arise from both modern and antiquated technologies.