At least 25 new ransomware gangs emerged in 2023, with Akira and 8Base proving the most "successful," research reveals.

The gangs were the two "success" stories of the year for cybercrooks, proving that the lure of big ransom payouts is still enough to attract significant interest from fledgling ransomware operations, despite the challenges that remain for newcomers.

For one thing, there's more and more attention from law enforcement agencies, which shut down numerous operations last year, for example, and this threatens to be a serious deterrent for this year's shenanigans. 

The high degree of competition between gangs was also listed as another reason for some groups dropping off the scene, according to researchers at Unit 42 by Palo Alto Networks. Cybercriminals must offer competitive payouts to affiliates while also offering a ransomware payload that's effective enough to attract capable criminals to their program and away from powerful competitors like LockBit and ALPHV/BlackCat.

Get your hankies ready - some gangs didn't make it...

The difficulties facing ransomware groups may explain why so many failed to survive last year. Five of the 25 newcomers didn't make it to see their first birthday, failing to register a single attack in the final six months of the year.

"A lack of leak site posts does not necessarily mean these groups have ceased operations. Criminals from these groups could have moved to other types of operations, retreated from public view, or merged with other ransomware groups," blogged Doel Santos, principal threat researcher at Unit 42.

"If some of these groups did not last the entire year, new threat actors can fill the void. The second half of 2023 revealed posts from 12 new leak sites, indicating these groups might have started later in the year."

Of the 25 new gangs identified by Unit 42, at least 12 of them are connected to pre-existing groups either as offshoots or as suspected rebrands of operations that closed down.

The full list of the new gangs from 2023 is below, including details about whether they are still active and where relevant, what other gang they're supposedly connected to.

• 8Base (linked to Phobos)

• Abyss

• Akira (linked to Conti)

• BlackSuit (linked to Conti)

• Cactus

• CiphBit

• Cloak (linked to ARCrypter)

• (Inactive) CrossLock

• (Inactive) CryptNet (linked to Chaos)

• Cyclops

• (Inactive) DarkRace (linked to LockBit)

• Hunters International

• INC

• Knight (Cyclops)

• LostTrust (MetaEncryptor)

• NoEscape (linked to Avaddon)

• Meow

• Money Message

• RA Group (linked to Babuk)

• (Inactive) Rancoz

• (Inactive) Ransomed.vc

• Rhysida (linked to Vice Society)

• ThreeAM

• Trigona (linked to Crylock)

• U-Bomb

The 25 new ransomware operations accounted for roughly a quarter of all publicly claimed ransomware incidents in 2023. 

We say "publicly claimed" because the number of actual ransomware attacks is likely to be much higher, but due to poor disclosure or paying ransoms early, we'll never get to learn about them.

Out of all the newcomers, Akira is thought to be the fastest-growing of the bunch and has so far claimed a number of major attacks, such as cosmetics giant Lush in just the past few weeks.

According to BlackFog's analysis [PDF] of January 2024's ransomware incidents, Akira laid claim to roughly 12 percent of them, making it the second-most active group of the year so far. It's hardly unsurprising if Conti is indeed behind the operation - Conti at the height of its powers was the most feared group of its time… before it imploded, of course.

That said, Wizard Spider, the heavily sanctioned gang behind Ryuk, Conti, Trickbot, and others remains (mostly) at large thanks to Russia's blind-eye approach to cybercriminals' behavior, as long as all the nastiness is directed to the West.

8Base is a group that was technically established in 2022, Santos said, but given that its leak blog didn't go live until May 2023, it's being lumped together with last year's newbies.

It started the year strongly, consistently registering more attacks than Akira, and although the latter eventually overtook 8Base by the end of the year, Unit 42's figures showed very little difference in the final numbers, suggesting it was just as effective as Akira. 

The two gangs were the standout "performers" of the 25 new operations last year and, while it wasn't included in Unit42's list, the Russian-language WereWolves group which rapidly rose to prominence towards the very end of the year looks as though it will continue to make a mark this year.

All groups will also be looking to sweep up the market share left behind by the groups that fell last year, in large part due to the work of international law enforcement agencies.

Hive, Ragnar Locker, Ransomed.vc, and Trigona were all shuttered by law enforcement last year, and authorities nearly got hold of ALPHV too but the group managed to wrestle back control during a multi-day struggle with the FBI.

The takedowns were celebrated at the time but as industry pros wound down for their Christmas holidays, the debate around ransomware payments heated up and ultimately watered down the significance of the authorities' efforts.

With no ban on ransom payments, takedowns of gangs will likely do very little. That was the consensus of many, although there is certainly a case to be made against it. ®

https://www.theregister.com//2024/02/06/akira_and_8base_new_ransomware_research/