November 18, 2024 By Josh Nadeau

Any good news is welcome when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks, which now account for only 17% of all cybersecurity incidents compared to 21% in 2021.

Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in active ransomware groups in the first half of 2024, providing convincing evidence that the fight against ransomware is far from over.

Summarizing Searchlight Cyber’s recent dark web intelligence report

Searchlight Cyber is a dark web intelligence company that provides monitoring tools and platforms used by law enforcement agencies, business enterprises and MSSPs to help identify, track and prevent ongoing cyber threats.

The company recently released a mid-year report titled “Ransomware in H1 2024: Trends from the Dark Web” that sheds more light on the current state of ransomware, focusing specifically on the activity of the most prolific ransomware groups.

In this report, statistics gathered by Searchlight Cyber show that 73 active ransomware groups are currently being tracked mid-2024 on the dark web compared to 46 groups last year — representing a 56% increase.

Some other key takeaways of the report included:

  • Identifying the top five most active ransomware groups tracked on the dark web, ranked by number of claimed ransomware victims:
    • LockBit (434 victims)
    • Play, also known as Playcrypt (178 victims)
    • RansomHub (171 victims)
    • Black Basta (130 victims)
    • 8Base (124 victims)
  • New larger ransomware groups that have emerged and are beginning to scale their operations, including:
    • DarkVault: discovered in February 2024
    • ATP73: discovered in April 2024
    • Quilong: discovered in April 2024
  • All ransomware groups with the highest victim counts operate using Ransomware-as-a-Service (RaaS) models. In these models, ransomware groups will lease out their ransomware toolkits to “affiliates,” who then pay a percentage split of profits after completing a successful attack.

Data pulled from dark web leak sites

Luke Donovan, Searchlight Cyber’s Head of Threat Intelligence, was recently interviewed to gather an additional perspective on the findings of this report. Commenting on Searchlight Cyber’s metrics reporting, Donovan clarifies:

“Our ransomware victim numbers are largely determined by the organizations that ransomware groups list on their dark web leak sites… There are some limitations with these figures, as ransomware groups may have attacked many other organizations but decided not to list the victim publicly.

“On the flip side, there is always the possibility that ransomware groups are listing organizations that they haven’t actually attacked to boost their reputation. However, these figures broadly give a good indication of the most active ransomware groups operating on the dark web.”

What is driving the increased use of RaaS models?

RaaS models have been in use for several years now. However, as more ransomware groups come to the surface and RaaS solutions become more readily available, the associated dangers are only expected to grow.

When asked about why the RaaS model has become so successful in recent years, Donovan commented, “The success of the RaaS model really lies in its ability to scale. If the operator of the ransomware is also the same individual undertaking the attacks, there is a natural limit in how many victims they can claim at any given time. Outsourcing the attack itself to a number of ‘affiliates’ — of which, some of the biggest gangs have dozens — allows ransomware gangs to vastly increase the quantity of organizations they can hold to ransom.”

How is legal accountability balanced between RaaS operators and their affiliates?

At first glance, it may seem that some RaaS operators are looking for a certain level of insulation from legal ramifications by passing accountability over to affiliates who are responsible for carrying out the attacks. However, many countries have laws in place that hold both RaaS operators and their affiliates equally responsible for the organization and execution of cyberattacks.

“The popularity of the RaaS model is more about profitability than shifting legal accountability. If anything, running a RaaS operation increases the risk for the ransomware creators, as these gangs typically have more victims, which makes them a bigger target for law enforcement,” states Donovan.

Considering the implications of providing RaaS toolkits to untrained or undisciplined affiliates, the continued use of this model is surprising since it can create unwanted attention for the gangs themselves. This became evident in the National Crime Agency’s (NCA) recent disruption to LockBit’s operations in February 2024.

Still, many ransomware groups have already proven they are willing to take these risks for the financial gains of expanding criminal activities on a mass scale.

What security implications does the rise of ransomware groups have on businesses?

As mentioned above, earlier reports indicate that ransomware victim numbers have declined in recent years. So, is the rise in ransomware groups something businesses should worry about? Yes and no.

The recent disruptions of large RaaS gangs like LockBit and BlackCat have definitely contributed to the recent decrease in ransomware attacks. Another potential factor is the general skills shortage in cyber-related fields, which impacts both cybersecurity and cyber crime groups. However, this doesn’t mean that a resurgence of ransomware attacks isn’t on the horizon.

“What we observe right now is a more fragmented ransomware ecosystem… When large RaaS groups are disrupted, we typically see a number of smaller copycat groups emerging,” states Donovan.

As Searchlight Cyber’s report highlights, many new ransomware groups are using highly sophisticated attack methods and are increasingly motivated to own a lion’s share of the RaaS market. This is a dangerous combination, which means businesses should stay vigilant while continuously evaluating their defensive strategies to minimize their ransomware exposure.
