But incidents like these quickly lead to a loss of trust in the cybercrime world, and partners quickly move on to the next program. This effect was seen in LockBit's recent activity. According to GuidePoint statistics, LockBit still accounted for 60% of ransomware incidents in March, but its market share dropped to 30% in April.
Meanwhile, groups like Hunters International, 8Base, RansomHub, and other smaller and emerging groups have seen their activity jump. The number of Play victims actually decreased from March to April, but the group ended up at the top because of LockBit’s big drop. Even so, according to NCC Group figures, Play has been on the rise since the beginning of the year.
8Base is a ransomware group that, like Play, has been around since 2022. Hunters International is relatively new: it first appeared last October and has many similarities with Hive, a ransomware group that was shut down in early 2023 after law enforcement agencies from several countries were able to seize its servers. RansomHub is even newer, appearing for the first time in February this year and quickly rising through the ranks.
“We have seen RansomHub’s threats to sell classified data from their data leak site (DLS) and cases where the group claims the data has been sold – a marked difference from the usual practice of openly posting such data,” GuidePoint researchers wrote. “Opportunities for this alternative approach include the difficulty and cost of handling stolen data, the group’s belief that the sale of data is more important than open submissions, and the inherent pressure it places on the victimized organization to settle with the group.”
In addition, the affiliate who hacked Change Healthcare and accused ALPHV of running off with the ransom money is now a RansomHub affiliate. The reason for this change may be RansomHub’s generous 90% commission on victim payments and the possibility for affiliates to receive ransom payments directly instead of going through RansomHub’s administrator, the researchers noted.
Many newcomers
There are other new groups that stand out through their use of tools or growth. One of them is called Muliaka and it mainly targets Russian organizations – an unusual choice of target in the ransomware ecosystem. The group appears to be using a version of the Conti file encryption malware that was leaked online in 2020 and was used to hijack a feature of the antivirus used by the target organizations.