Ransomware Landscape Update: More Groups, More Victims
A regular check-up on the ransomware ecosystem, including the top five ransomware groups of 2025 so far.
We check in on the ransomware landscape following major developments identified by the Searchlight Cyber threat intelligence team.
Luke Donovan, Head of Threat Intelligence at Searchlight Cyber, shares trends that his team has identified from the dark web in 2025, including: an escalation in the number of ransomware attacks, more than 35 new ransomware groups emerging, and alarming new tactics for vulnerability exploitation and victim extortion.
Speakers
Aidan Murphy
Host
Luke Donovan
Head of Threat Intelligence
Listen to this episode of The Dark Dive For:
Our Iconic Top Five Ranking of Ransomware Groups
With detailed profiles of the main culprits so far in 2025: Cl0p, Akira, Qilin, RansomHub, and Play.
Analysis of why LockBit is not on the list
Once comfortably #1, LockBit doesn't just miss out on the top five, it's dropped to #25.
Advice for cybersecurity professionals
How both private sector and government can cope in a hostile ransomware environment.
Transcript
Aidan Murphy: Hello, and welcome to The Dark Dive, the podcast that delves into the depths of the dark web and cyber security. My name is Aidan Murphy, and I’m your host, and in this episode, we’re returning to the topic of ransomware groups, cyber criminal gangs that specialize in encrypting systems or data and refusing to release it until companies pay up. The ransomware landscape is anything but static, so we like to check in regularly to see what has changed. And, in Searchlight Cyber’s most recent report, our threat intelligence team has extracted some interesting trends that provide us with plenty to talk about over the next half an hour or so. Stay tuned to find out who the top ransomware groups were in the first half of this year, how the number of ransomware victims compares to previous levels, and trends in the tactics ransomware groups are using to attack their victims and extort them. Joining me to discuss these findings is Luke Donovan, head of threat intelligence at Searchlight Cyber. Welcome back to the podcast, Luke.
(TC: 00:00:59)
Luke Donovan: Hi, Aidan. Thank you very much for having me back.
(TC: 00:01:01)
Aidan Murphy: And, just before we jump into it, I will say that the report we’re discussing, which is called ‘An Escalation in Attacks: The Ransomware Landscape in H1 2025,’ is available to download, and you can find it in the show notes. You don’t need to have read the report to enjoy this episode. We’re going to talk through the findings from the beginning, so you can listen along. But, if you leave the episode hungry for a more in-depth exploration of some of the themes we’re going to discuss here, that’s the place to find it. So, Luke, to kick off, can you quickly explain to the listener where the data we’re about to discuss comes from?
(TC: 00:01:34)
Luke Donovan: When it comes to ransomware data, it comes from a wide variety of different data sources. This ranges from dark web extortion sites, so those sites which are run by the ransomware groups themselves, all the way to looking at forums where ransomware operators post messages, individuals engage in activity with them. Wide variety of sources.
(TC: 00:01:57)
Aidan Murphy: I guess the only caveat I want to give listeners here, and you might have your own caveats, Luke, so feel free to jump in, is that, because a lot of this data is based on what ransomware groups themselves post, there is obviously a slightly unreliable narrator element of this. So, they may list victims that aren’t really victims, or, very likely, there are victims that they don’t list because they’re in active negotiations with them, or they’ve gone through secret communications to extort them, and they haven’t felt the need to list them publicly. So, when we talk about victim numbers, it’s probably just worth keeping a note that this is a very good indication of activity, but probably undersells the vast amount of ransomware victims there are. Is there anything else you’d add to that, Luke, or is that-, that pretty much sums it up?
(TC: 00:02:40)
Luke Donovan: No, I think that’s a great summary of the situation here, Aidan. This is open-source information, where we’ve gathered the information from, so there will be ongoing negotiations where the threat actors and the ransomware groups would not have posted the victims. So, the number of victims which we mention during this podcast is likely to be much higher than the stats which we give out on here.
(TC: 00:03:02)
Aidan Murphy: So, with all the caveats in place, we’re going to go talk through some trends. So, anyone who’s had the misfortune of working with me will know that one of my biggest pet peeves is when people say the ransomware landscape or cyber security landscape is getting worse, and then don’t back up that claim, just say it’s bad, and just leave it there. But, careful listeners might have gleaned from the title of this report, in this case, we can effectively back this up, this is what our report shows. Is that right, Luke, would you say?
(TC: 00:03:30)
Luke Donovan: Yes, yes, definitely. When you look at the ransomware landscape as a whole, and we compare it over the last couple of years, it is definitely getting worse, looking at the statistics here. So, for example, in the first half of this year, first half of 2025, there were 3,734 ransomware victims which were listed. That’s a 20% increase on the second half of 2024, and a 67% increase on the same period of time in 2024, so the first half of 2024. So, through all those half-year periods, we have seen a dramatic increase in the number of victims being posted onto these extortion sites. There are a few caveats there. Some of those ransomware groups who have posted victims, they tend to post a group of victims in one go, rather than a few victims every single day, and that’s due to the way they gain access to their victims.
(TC: 00:04:33)
Aidan Murphy: That might be slightly skewing the data, in that you’re going to have a big cluster of activity in some weeks, or some months, but then, it might not necessarily reflect the whole reporting period, the whole six months? Is that what you’re saying?
(TC: 00:04:47)
Luke Donovan: Yes, that’s absolutely right. When we start looking at the ransomware groups, in terms of those who post the most victims, there is one particular group where that’s very much the case.
(TC: 00:04:58)
Aidan Murphy: Okay. But, as you say, the general trend seems to be that-, well, it is that there are more listed ransomware victims at the first half of this year than there have been over the previous half-year periods. So, by number of victims, at least, the landscape seems to be getting worse. What is your sense, Luke, of the drivers behind this change? Why are there more victims now than there have been in the years gone past?
(TC: 00:05:28)
Luke Donovan: I think there are multiple aspects to this. I think, first bit, technological advancements within the threat landscape. So, we are seeing an increase in the utilization of AI, not only in our general, day-to-day use, but also being exploited by threat actors. So, when we see threat actors exploit this content, it means that they can put together campaigns targeting organizations more specifically, it’s a more targeted approach. So, their messaging can be on point, the terminology which they use can be on point. They can craft messages specifically to individuals and parts of teams, which makes it really easy-, not necessarily easy, but makes it more beneficial, when it comes to those social engineering tactics used by ransomware groups and their affiliates. The key one there is the likes of Scattered Spider, who hit Marks and Spencer’s earlier this year, and also Co-op. They were utilizing social engineering tactics to gain access to these organizations and then conduct ransomware attacks. They are heavily known to utilize the AI side of things.
(TC: 00:06:40)
Aidan Murphy: For international listeners, Marks and Spencer’s and Co-op are two British retail brands, very large British retail brands, and this seemed to be part of a dedicated campaign targeting several retailers in the UK, in this reporting period. Another factor that you highlight in the report, Luke, is also that there are simply more ransomware groups operating, so I guess it makes logical sense that more groups equals more victims, right?
(TC: 00:07:09)
Luke Donovan: Yes, absolutely, Aidan. Within the first half of this year, we saw 88 distinct ransomware groups in operation, so those groups who are posting victims. That is an increase of 16% over the second half of last year, okay, so, the second half of last year, there were 76 ransomware groups. So, not only has the number of ransomware victims increased, the number of active ransomware groups has also increased over that given period of time. But, out of those 88 ransomware groups, 35 of those are brand-new. Wouldn’t identify them in 2024, only materialized in the first half of this year. So, we talk about the ransomware landscape increasing, there are more threats out there, I think the key parameters there are the number of victims and the number of ransomware groups, but also the number of new ransomware groups which are appearing. It seems like we can’t go week on week without a new ransomware group appearing.
(TC: 00:08:08)
Aidan Murphy: Yes, it’s really interesting, so, when we get to the top five ransomware groups, it’s fair to say that those have been around for a while. But, it is interesting, like you say, that waiting in the wings are these 35 new groups that have only started operating, who I’m sure, in years to come, we’ll be talking about as the old stall, or at least some of them. I know there is a lot of flux within groups that are appearing and disappearing. Is this trend of more groups surprising at all, or is this what you’d expect, because, like you say, the technological advancements and-, I guess, is ransomware more readily available? Is that fair to say?
(TC: 00:08:44)
Luke Donovan: Yes. So, we’ve got the technological advancements associated with ransomware. There have been a lot of law enforcement operations being conducted against ransomware groups, so, we get this thing called ransomware as a service, where affiliates join an organization, utilize their infrastructure to conduct ransomware attacks. Now, some of those big players within the ransomware as a landscape environment have been targeted by law enforcement, have been taken down. Therefore, within that community, there’s a sense of their security, their operational security, being impacted. So, once you start getting those questions about operational security, you might want to go off and create your own ransomware group, where you’ve got control over that security. When we look at the ransomware security, not only have we had a number of ransomware groups being taken down by law enforcement, but we’ve had breaches associated with ransomware groups as well. The likes of LockBit earlier this year, where their whole affiliate program was leaked, or their lite affiliate program was leaked, which gives us really good insight. So, again, another area where operational security fails, therefore, would you go off and create your own ransomware group? Obviously, there are challenges in creating your own ransomware group, because then you need to develop the infrastructure, you need that capability, which the ransomware as a service operations would provide you with.
(TC: 00:10:10)
Aidan Murphy: But, I think, in this report, you’ve given more than one example where we see actors explicitly say either that they’re going off and starting their own ransomware group or that they seem to be a member of multiple groups, which I guess speaks to, like you say, this quite complicated landscape, and may help explain why these new groups are emerging, because it is much more fluid, I think, than sometimes people give it credit for.
(TC: 00:10:36)
Luke Donovan: Yes, absolutely. It is very fluid, very fluid, and that makes it very challenging from a security perspective, an intelligence perspective, because you need to be on the ball in terms of identifying, ‘Where are these organizations posting their victims?’ Need to be on-, luckily, though, given how ransomware operations run, there are often a lot of clues, because ransomware groups, they want to try and make it a little bit more public, in terms of who they’ve targeted, who are the victims, to put that pressure on that victim, so they’re more likely to pay that ransom.
(TC: 00:11:10)
Aidan Murphy: Yes, but I think it’s a really important point, because I think something we’ve pointed out in the podcast before is, it’s this need for continuous monitoring. Even this report, right? So, we used to do these reports yearly, and we started moving to a half-yearly basis, just because it moves so fast that, if we’re not really keeping an eye on this, the players change very, very quickly, and you’re missing the ball. And, we’re only doing this from an educating the cyber security market perspective. If you’re doing this for your own security, I mean, you have to be on this all the time, I expect.
(TC: 00:11:45)
Luke Donovan: Definitely, definitely. You always need an eye on the landscape, when it comes to the ransomware situation. Obviously, you cannot go and understand every single ransomware group which is operating, but you can pull up for trends, and by identifying those trends and how that landscape is changing, you can then adopt different security measures to protect your organization, and you can prioritize those security measures as well.
(TC: 00:12:11)
Aidan Murphy: Well, speaking of trends, another one that you looked at in this report was the geographical distribution of victims. So, what were your findings, looking at it from, I guess, that viewpoint, coming at it from that angle?
(TC: 00:12:23)
Luke Donovan: Yes, I found this really interesting. A lot of people mention, ‘These ransomware groups, they’re operated by Russian individuals, or individuals associated with the Russian state, and they are targeting Western organizations.’ Lots and lots of rhetoric around it. So, we thought we’d go away, we’d look at the ransomware victims, we’d start profiling them, understanding, ‘Where are the headquarters for these organizations?’ When we start looking into that, we notice that North America had the most victims, with 1,779. Europe were second up, with 775, and then it cascades down, all the way down to what I’m classing as Asia and Europe, so those countries who span that geographical border between Asia and Europe. In that scenario, there are 34 countries-, sorry, 34 victims. Ten of those victims are associated with Russia. All the rest are associated to have-, other geographical locations.
(TC: 00:13:30)
Aidan Murphy: So, yes, I guess that puts it in perspective, right? So, we’re talking over 1,000 in the US, and less-, well, ten exactly in Russia, which is quite a stark contrast.
(TC: 00:13:42)
Luke Donovan: It’s a massive contrast, and it gets worse, when you start thinking about the geopolitical situation of the world, and you look at the different ideologies between Russia and the West, and you look at their military background, so Russia, associated with the Warsaw Pact, and you’ve got the West, associated with NATO, when you start looking at the individual countries which were hit by ransomware, the top six or seven are all NATO members. So, you’ve got the United States, with 1,536 victims, Canada, 182, Germany, 167, UK, 131, and then, France and Italy, tied with 79. So, again, massive numbers, when you start looking at just the countries who have been hit by ransomware. And, putting into comparison, again, Russia, with their ten victims.
(TC: 00:14:38)
Aidan Murphy: So, NATO membership seems to be part of the mix here, and we have spoken before about the fact that, while we do class ransomware groups as financially motivated, there is an underlying geopolitical element. If nothing else, my understanding is that it doesn’t go down well if you attack Russian organizations, if you’re a ransomware group, but if you attack victims within, shall we say, states-, unfavorably seen states, then you’re not going to get the same scrutiny by Russian law enforcement. Is that fair?
(TC: 00:15:15)
Luke Donovan: Yes, absolutely, Aidan.
(TC: 00:15:17)
Aidan Murphy: Is there anything else, any other reasons we could say that North America and Europe are particularly heavily targeted?
(TC: 00:15:25)
Luke Donovan: I think the geopolitical element is a big player. However, there are other reasons why we tend to see the West being targeted, especially when you look at it from a wider global aspect. Western countries, they tend to have more economic value associated to them. They’ve got developed economies. Therefore, they can become more of a target, because there’s more likelihood of payments being made. And, also, you’ve got the technological advancements within the Western hemisphere as well, so, because so much is interconnected, so many organizations now operate online, it means that there’s a larger attack surface to be targeting. But, I still do believe, a lot of these actors, they are very much motivated by financial gain. There is still that undercurrent of ideology, but a lot of it is still going to be the financial gain. They are trying to get that money off these victims.
(TC: 00:16:22)
Aidan Murphy: Yes, absolutely. And, then, I guess, the final trend that gets quite a lot of focus in the report is a focus on the tactics that the groups are using, which is split into two parts. So, one part is the focus on vulnerabilities being exploited, and the second part is tactics and extortion. So, I guess you could almost split it into soft skills around the extortion and technical skills around the vulnerabilities. Shall we start with the vulnerabilities, Luke? What are our findings around that?
(TC: 00:16:54)
Luke Donovan: Yes, so, although we have seen a spike in the number of victims for the first half of this year, a lot of that spike has been caused by Cl0p, which I’m sure we’ll go onto later. Cl0p as a ransomware group heavily exploit zero days-, or, they go off, identify zero days, and normally, file transfer services, exploit those services in order to target a wider breadth of victims. So, at the end of 2024, Cl0p hit Cleo, there was a Cleo vulnerability. So, hit Cleo, as a zero day, that gave them access to a number of organizations. Later on, there was a patch which was released for Cleo, part of a CVE. Cl0p went on and looked at the CVE, looked at the patch associated with the vulnerability, and again, was able to identify an additional vulnerability. So, they’ve been lurking at Cleo, trying to gain access to these victims, and then extort them, then access, conduct ransomware operations, extract the information, and extort them. So, this began at the end of 2024. Start of 2025, into about February time, mid-February to early March, Cl0p released about 300, potentially even more, victims associated to the Cleo vulnerability. Now, some of them were listed back in December time, but over time, there’s been a spike in that activity.
So, this isn’t the first time that Cl0p has conducted such operations. They’ve exploited zero days in the past. There was a new vulnerability in 2023, or there was another vulnerability back in 2020, which they exploited. So, the utilizations of vulnerabilities are being exploited. That’s why you have had the spike in activity, because of the Cl0p action, but there are other ways how these threat actors are gaining access, as well, on top of the vulnerabilities. It’s still the initial access brokers being exploited, the use of social engineering, as explained, with Scattered Spider, and also the breached credentials. Typical breached credentials, from the likes of stealer logs and other breaches being exploited, especially by the ransomware as a service operator.
(TC: 00:19:26)
Aidan Murphy: Yes. I think Cl0p-, I’m glad you brought up that example, because I do think Cl0p is just the ultimate example. It’s almost like a boogeyman. I sometimes think, for people who are responsible for vulnerability management and patch management, this is the fear I imagine everybody has, that there will be this zero day that a ransomware group identifies-, and, again, if anybody isn’t aware, zero days, that term signifies a vulnerability that hasn’t been discovered by security professionals. The actual software creator isn’t aware, and the security community isn’t aware, so there is initially no patch. So, a ransomware group finds a vulnerability like that and can exploit it before security professionals can step in. And, then, even worse, in this case, like you say, Luke, even when a patch is created, the patch isn’t sufficient to stop them from finding a work-around. This is, I think, everybody’s worst nightmare, so I think it is a really, really good example of the importance of things like attack surface management and continuous discovery and scanning of your infrastructure, because this is just the thing, I think, that keeps CSOs up in the middle of the night.
Yes, great, and the other side of it was extortion, as well, and you call out, in the report, some developments in extortion. It does start to get a bit-, humorous is the wrong word, because it’s obviously terrifying, but we’ve gone past double extortion to triple extortion, and then we start to run out of numbering, almost. But, there were some quite interesting examples of groups changing tactic, almost, in terms of applying pressure on their victims.
(TC: 00:21:13)
Luke Donovan: There has been, yes. So, just going back to that double extortion, triple extortion, etc., traditionally-, I say traditionally, this is 2019, etc. Double has been the norm, in terms of encrypting data, exfiltrating that data, applying that pressure on the victim. That’s the norm these days, but there have been advancements in that to apply the additional pressure on organizations to pay ransom. This is where we get the likes of triple extortion, utilizing DDoS attacks against the organization, to try and get them to pay faster, or even, to a degree, quadruple extortion, whereby we start seeing the ransomware groups also contacting the victims. So, they’ll go through the data which is being extracted and engage with the victims. So, the victims then apply pressure onto the victim as well. So, there are lots of different methods being applied by the ransomware groups through this evolution of their operations, to try and get that financial gain out of the organizations.
But, going to your last point, there is an organization or ransomware group called Qilin. Now, Qilin have gone off, and they’ve hired-, now, I’m going to say this loosely, but they’ve hired lawyers, okay? So, they’ve hired lawyers to go off, look at the exfiltrated data from the victims, and when they’ve gone off and reviewed the data, they are looking at the regulatory bodies within the country of that victim, to see what’s been breached, or the infringements, so that they can reach out to those bodies. But, it goes one step further, as well. Although they can reach out to the bodies, what they’re also doing is allowing their affiliate program, so the individuals who are conducting the ransomware attacks, to engage with the lawyers, so that they know how to engage in the negotiations with the ransomware-,
(TC: 00:23:13)
Aidan Murphy: Where to apply the most pressure, basically? Like-,
(TC: 00:23:15)
Luke Donovan: Absolutely.
(TC: 00:23:16)
Aidan Murphy: ‘What can I say that’s going to really make this company think, we need to pay, we need to pay right now?’
(TC: 00:23:23)
Luke Donovan: Yes. Yes, you’ve got it.
(TC: 00:23:25)
Aidan Murphy: It’s incredible, isn’t it? Yes.
(TC: 00:23:27)
Luke Donovan: Yes. So, it allows them to go through and go, ‘Okay, if you have fallen foul of this infringement, that’s going to cost your organization X amount in fines.’ Therefore, set the bar, in terms of the ransomware payment, to this amount, because they’re more likely to pay that than paying for the infringement. How successful this sort of operation has been, I don’t know. I don’t know.
(TC: 00:23:53)
Aidan Murphy: But, it is very interesting to see where ransomware groups apply emphasis. So, for example-, well, we’ve been talking about two groups now. So, Cl0p obviously applies a lot of emphasis in finding these vulnerabilities, so they have a very technical approach, they find these vulnerabilities, they attack multiple organizations at once, and then they’ll list them in bulk. Whereas Qilin-, well, I’m sure Qilin has a big technical operation as well, but it obviously is also focused on this customer service side, you could say, I know that’s how they sometimes describe it, it’s not how the victims see themselves, I’m sure, but the negotiation tactics, effectively. They’re investing in layers and investing in, ‘How can we come to a price that the victim will see as being reasonable to-,’ because it’s less than what they’re going to pay in fines. Yes, really quite interesting developments.
(TC: 00:24:48)
Luke Donovan: The other trend which we’ve identified, although it was called out in previous reports which we pushed out, but the trend has continued, is around the abandonment of encryption. So, previously, ransomware groups had encrypted data. It stopped the victim from gaining access to that data. Therefore, they’re more likely to pay to get that data back. However, these days, with backups, etc., it’s got less of an onus, and it increases the probability of law enforcement being involved. So, ransomware groups, they are abandoning encryption. A prime example here is the Hunters International ransomware group. They were running encryption, up until fairly recently, when they stopped their ransomware operations, they provided a free decryptor software for the ransomware, which they were utilizing, and they formed a brand-new ransomware group called World Leaks. Now, with World Leaks, still a ransomware operation, but this time, all they’re doing is the exfiltration. So, they’ll gain access to a victim, exfiltrate that data, put the pressure on that victim, but avoid any of the encryption software.
(TC: 00:26:03)
Aidan Murphy: Yes, this development is incredible, I think, because effectively, what we’re talking about-, so, again, going back to this double extortion, triple extortion, to explain this to people, number-one extortion, historically, when ransomware groups formed, it was all about encryption. That was it, ‘We encrypt your systems, if you want your systems or your data back, whatever we’ve encrypted, you pay.’ That was modus operandi one of ransomware groups, before they started to move into these different methods. But, what you’re saying, Luke, is that some groups have now gone so far past it, that initial feature, which effectively defined what a ransomware group was, they’re abandoning in favor of-, they’re still charging ransom, so we can still call them ransomware groups, but the ransom now is for the data they’ve stolen, not for access to your system so the encryption. It’s quite a significant-, like you say, it’s something that’s been happening for a little while, now, but it is, I think, hard to overstate that change.
(TC: 00:27:03)
Luke Donovan: We are getting to that point where ransomware operations are becoming more just data breach operations, as well.
(TC: 00:27:11)
Aidan Murphy: Brilliant, so, let’s look at the top five groups, and some of them, we’ve already talked about, so we can move through those quite quickly. But, maybe, just listing, who do we have in the top five, let’s just start with that, and then we can take it from there.
(TC: 00:27:25)
Luke Donovan: So, the top five ransomware groups, so this is based on those who have posted the most ransomware victims, okay, so this has to be publicly available information. So, they may have hit more targets, but in terms of the number of victims only, we’ve got Cl0p at number one, 404. Again, a lot of that is due to the exploitation of vulnerabilities. We then have Akira, with 345 victims, Qilin, with 285 victims, RansomHub, 219, and then Play, with 198. So, again, just to make it clear, this is for the first half of this year, so January to the end of June, the number of victims which they’ve posted.
(TC: 00:28:07)
Aidan Murphy: Brilliant, and regular listeners might recognize some of those names, even the ones we’ve not spoken about already today. I want to look at each of them one by one, but before we do that, I think people might recognize an omission from the list, which is LockBit.
(TC: 00:28:22)
Luke Donovan: Yes, LockBit isn’t even in the top ten at the moment, Aidan, for that first-,
(TC: 00:28:24)
Aidan Murphy: Not even in the top ten? I didn’t even know that. This is brand-new podcast information.
(TC: 00:28:29)
Luke Donovan: Wow. Yes, absolutely. Their numbers have been extremely low. So, I think, over the last few years, 2023, 2024, up until the start of 2025, they have consistently been in that top five, posting a lot of victims.
(TC: 00:28:45)
Aidan Murphy: I think they were number one, even, 2023, 2024, and then it changed at the beginning of this year. I remember a report at the beginning of this year, they snuck down to number two, and that in itself was a story, but now you’re saying they’re not even in the top ten.
(TC: 00:28:59)
Luke Donovan: Now, they were hit by law enforcement operations last year, which dented their capability. They did come back for a little bit. They started off by posting breaches or ransomware victims, which was old news, it was old data, to show that they were still active. Over time, they did start posting new victims, and it looked like they were getting their feet under the table again, looked like they were picking up momentum. But, then, earlier this year, February time, I think it was 7 February, they were hit by a breach. Now, this breach released their affiliate program, the individuals who were part of the affiliate program, all the chats around their affiliate program and the victims, a whole plethora of really juicy information, and since then, it’s gone very, very quiet.
(TC: 00:29:57)
Aidan Murphy: Yes, so, we did a separate podcast episode on this, me, Luke, and a colleague, Vlad, as well. So, we’re not going to go into this story here again, because we’ve got a lot to cover already, but I will put the link to that in the show notes. And, it’s quite funny that, at the end of that podcast episode, we were discussing what impact this will have on LockBit, and now we effectively have come to the answer, which is that it did have quite a detrimental impact, for sure. Okay, let’s go through the groups we have, one by one. So, at number one, we have Cl0p, and again, we’ve discussed this quite extensively already, and so, we know, because Luke has explained, that the driver behind Cl0p being number one is effectively this batch that it posted in January, February time, into March, around the Cleo victims. Then, as far as I can see, Luke, in the second quarter, there’s effectively no activity.
(TC: 00:30:50)
Luke Donovan: That’s absolutely right, Aidan. So, this is then borne over, so they will exploit a vulnerability, post a load of victims, bide their time, hit another third party, hit another load of victims, and post those as well. So, Cl0p are the longest established ransomware group on that list, so, they’ve been going since 2019. Okay? This group knows what they’re doing. So, although they might not be publicizing victims every single day, on a regular cadence, they know what they’re doing. So, their MO is typically using zero day exploits. There have been some interactions between them and other ransomware groups, in terms of the development of tools, and some of the affiliates, but it’s very much about targeting those file transfer utilities.
(TC: 00:31:41)
Aidan Murphy: Yes, and like you say, it seems to have been a very successful model for them, and they are pretty consistently in our top five, even though, like you say, they often go through long quiet periods. And, I think it’s worth pointing out, just because Cl0p has not posted anything in the second quarter of this year, does not, by any stretch of the imagination, mean that they have gone. It probably just means they’re looking for the next vulnerability.
(TC: 00:32:06)
Luke Donovan: Then, I think it also talks a little bit about the operational security. So, a lot of the other groups, as we mentioned before, are ransomware as a service groups. They are advertising affiliates, or advertising for affiliates to join their groups. Cl0p seems like a much more closed group. Sometimes they will have a very loose affiliate program, where they’ll bring in really close individuals to them, but typically, it’s a closed group.
(TC: 00:32:36)
Aidan Murphy: Yes. Great, so, that’s Cl0p. So, moving on to number two, we have Akira, as Luke said, with 345 victims. A fun fact for fans of Searchlight Cyber ransomware reports, all the way back in January 2024, we listed Akira as a group to watch, so we called it quite early on. Luke, what can you tell us about Akira?
(TC: 00:32:56)
Luke Donovan: Yes, so, Akira, they are a ransomware as a service operation, so they do have a number of affiliates who utilize their skill set or their access to victims, and then utilize the Akira infrastructure to run those operations. So, they were identified in March 2023. As of the end of the first half of this year, so, since they’ve been operational, that’s 750 victims, so-,
(TC: 00:33:28)
Aidan Murphy: Total victims, so that’s not in this-,
(TC: 00:33:29)
Luke Donovan: Total victims, yes. Yes, so, that’s, what, nearly 50% of all their victims posted in the first half of this year, compared to the last few years. They typically utilize initial access brokers, so individuals who are on forums, who have got access to victims, and try and sell that access, so, they’ll engage with those, purchase access, and then target the victims, along with the exploitation of vulnerabilities. So, they have utilized vulnerabilities in Cisco, SonicWall, VPN software as well, to gain access to victims. But, because this is a ransomware as a service group, and this is going to be the same for every single ransomware as a service group, it’s down to those individual affiliates how they gain access, so there’s not really too much we can go into when we start looking at the motivations of those individuals, or who they are, and they have been involved in social engineering, as well, so a whole plethora of different attack vectors.
(TC: 00:34:32)
Aidan Murphy: Yes. I guess, by comparison to Cl0p, then, what we can say about Akira is there is more diversity in the way they attack their victims-, the way the affiliates attack their victims. Okay, number three, we have Qilin. Again, this is a group we’ve mentioned. This is also another ransomware group we’ve done a podcast episode on, so, around this time last year, when they attacked the UK’s National Health Service. And, at that time, they were relatively unknown, but I guess, Luke, this shows that they have endured.
(TC: 00:35:02)
Luke Donovan: They’ve definitely endured. So, first became active in 2022, by the end of the first half of this year, 550 victims. They’re actively recruiting for new affiliates across hacking forums, and this is one of the groups-, we mentioned it earlier, but this is one of the groups which use DDoS campaigns against their victims as well. So, they’ll hit them with ransomware and then exploit that with DDoS attacks.
(TC: 00:35:29)
Aidan Murphy: This is not a very scientific way of approaching it, but the impression I get of Qilin is it’s kind of a brutal group, targeting health services, contacting lawyers, getting lawyers involved, hitting you with a DDoS as well as a ransomware. It feels like not a group you want to go up against.
(TC: 00:35:47)
Luke Donovan: I think that’s a good way of looking at them, Aidan. Out of all the ransomware groups-, I say all the ransomware groups, the five ransomware groups who post the most victims, they are the only group, month on month for the first half of this year, who have posted more and more victims. Everybody else, the numbers have been all over the place. Qilin, every single month, they’ve posted more victims than the month before.
(TC: 00:36:10)
Aidan Murphy: Yes, which I guess gives an indication of a growing group, and definitely one that will, I’m sure, be noteworthy in the months to come. Okay, in at number four, we have RansomHub, and this is quite an interesting story. So, they had 209 victims in the first half of this year, and actually, again, for fans of our report, they were the group that knocked LockBit off number one at the beginning of this year, when we were reporting on 2024, but they’ve had some disruption. Is that right, Luke?
(TC: 00:36:43)
Luke Donovan: That’s right, yes. So, they were formed in 2024, so, 2024, by the end of 2024, most prolific group, within that year period, taking everybody off that top spot. Since then, they ceased to exist. So, in March 2025, all their infrastructure ceased, and then another ransomware group, called Dragonforce, posted a message stating, essentially, that they had taken over all the infrastructure and the operations being conducted by RansomHub. Now, RansomHub was a ransomware as a service operation, and it was through RansomHub where you get the likes of Scattered Spider. So, Scattered Spider used to use RansomHub, then they moved over onto Dragonforce, then there were talks around Dragonforce targeting Marks and Spencer’s and Co-op.
(TC: 00:37:39)
Aidan Murphy: Yes, so, I think we’ve discussed this off-air a little bit, but there’s a very interesting piece to be done by somebody about Scattered Spider and their relationship with all these different groups, and Dragonforce is a name that has cropped up a few times over the last few months, so, again, even though, I guess, RansomHub-, again, if you’re looking at the report as we go along with this, you’ll see a drop-off in victims, because effectively, they cease to exist, but they were still prolific enough to make it into the top five. But, Dragonforce continues, so definitely something to keep track of. And, last, but by no means least, we have Play, with 198 victims. This is another group that, I guess, listeners will recognize the name, because they have been around for a while. I guess the interesting element of this, Luke, is that this is the only group in this top five that isn’t a ransomware as a service operation.
(TC: 00:38:31)
Luke Donovan: That’s correct, absolutely, so all the rest have some form of ransomware as a service operation, Play does not. So, Play was formed in 2022. They predominantly exploit credentials from stealer logs, VPNs, from desktop procedures as well. So, it’s mainly harvesting those credentials, utilizing those credentials, getting access to a victim, hitting them with ransomware, and then posting the content onto their extortion site.
(TC: 00:39:03)
Aidan Murphy: I have to say, 198 victims is quite a lot for a group that isn’t a ransomware as a service operation, because again, I guess, maybe just to make it super clear for everybody listening, the reason you’d have a ransomware as a service operation is that, if you have these affiliates working for you, you could obviously hit way more victims, but Play effectively have to go out individually, victim by victim. So, that’s not a-, that’s a pretty good number, considering.
(TC: 00:39:29)
Luke Donovan: I think, across all of those five ransomware groups, they all have different ways of gaining access to an organization, whether it’s Play with their initial access through stealer logs, VPNs, or RDPs, Cl0p, through the utilization of zero days, whether it’s the social engineering tactics which we see through RansomHub and Dragonforce, it’s all these different ways of gaining access to an organization, which we need to think about when we’re trying to protect ourselves.
(TC: 00:40:01)
Aidan Murphy: Yes, absolutely. And, I guess this is what you were talking about in terms of the need to monitor these groups, and keep an eye, and keep track, because, like you say, it’s not homogeneous. There are different methods, and I guess, if you’re particularly worried about a group, maybe a group that targets your industry or your geography, you need to be aware of who that group is, first of all, and you need to be aware of the methods they use, to make sure your security is sufficient. Great, so, that’s the top five. I hope that’s instructive for people. Luke, what’s your forecast, based on these findings, on how the ransomware landscape looks going forward?
(TC: 00:40:41)
Luke Donovan: My personal view is that it’s not going to go away. I do believe that, if it doesn’t stay stable, it will increase, predominantly because of those reasons we gave near the start, in terms of the technological advancements. I do believe AI is going to be playing a bigger role, and deep-fake technology, putting together video calls, typical calls to organizations, putting together your email campaigns, just getting those initial start points for attack vectors built up, doing that bit of reconnaissance, so that they can hit more victims. The geopolitical situation doesn’t look like it’s going to be stable within the near future, so that’s also going to be playing a bit of a role. Also, again, going back to the AI side of things, also the utilization of AI. Within dark forums, where a lot of these individuals discuss, there’s a lot of chat around utilizing dark versions of the likes of ChatGPT, utilizing these large language models in order to create the code needed to run ransomware operations, or to produce any malware. So, the generation of malware is going to be easier, we’ve got this lower barrier of entry. Individuals who want to get involved in this can go off and start creating the code required in order to conduct the operations. And, potentially, that might be a reason why we’re seeing a lot of these smaller groups appear now. So, overall, looking to the future, ransomware is not going to go away. It will continue, but at a steady pace, maybe even increase, due to AI and what that brings to the party.
(TC: 00:42:26)
Aidan Murphy: With that in mind, what recommendations do we give to security professionals? So, let’s start with the private sector cyber security teams. What can they take away from this? What should they be focusing on?
(TC: 00:42:38)
Luke Donovan: A lot of this is basic knowledge. You have to strike a balance, when you provide the security, you need to strike a balance between protective security and security intelligence. So, look at your defensive measures, but also, looking at your offensive measures, trying to understand what’s going on within the landscape. So, I would say, some of the recommendations would be, ensure you’ve got playbooks set up, so if you were targeted by ransomware, you’d know what lines of incident response you’re going to go down. Not only from an incident response field, but you can get those early warnings, so you know, if you’re seeing something, ‘Is this associated with ransomware? Is it associated with a different threat? What am I going to do if I see this in place? Follow my playbook, so I know the actions which I’m going to be taking.’ You can then, with your playbooks, conduct table-top exercises, so run through scenarios, look at how ransomware groups have operated in the past, run those scenarios across your infrastructure, and think about, how do you communicate internally? What actions are you going to be taking? And, then, with that, identify the lessons learnt, put that into your playbook, put it into your new policies and procedures.
You also then need to start thinking more from the security intelligence point of view, thinking about your attack surface management. What is your attack surface? What is your operational environment? What could be targeted by ransomware groups? Do you know all your assets which are out there and how they could be exploited, so, with that, looking at vulnerabilities associated to them, and then, thinking about your patch management, are you patching any vulnerabilities? And, then, you’ve got your cyber threat intelligence side of things, so, monitoring the ransomware groups for trends, monitoring hacking forums and other open-source sources and information, to get that wider understanding, in terms of what is happening with these groups. Who are they targeting? What geographical locations? What sectors are they targeting? What are the indicators out there which I need to be protecting my organization from or putting into my rules to protect my organization?
But, across all of that, at a real, basic level, it’s that training and awareness. And, again, this isn’t just for ransomware, this is for any cyber threats towards you and your organizations. It’s making people aware as to what they should be looking out for. As you’ve seen with Scattered Spider, RansomHub, the attacks against M&S, Co-op, that exploitation of social engineering does occur. That’s one of those attack vectors, and as we mentioned, could increase with automated phishing campaigns through AI. So, what are you looking out for? What looks suspicious? Making sure your staff are aware of that.
(TC: 00:45:37)
Aidan Murphy: Brilliant, thanks, Luke, that’s really helpful. And, then, from the public sector side of things, what should governments be focusing on?
(TC: 00:45:43)
Luke Donovan: Similar to the advice given there, but there are some additional aspects, which we can start focusing on. We could start looking at wider war games associated with ransomware, targeting multiple different elements of government and infrastructure. We could then start looking at public and private partnerships. There needs to be collaboration between both aspects, because everybody has got a bit of information associated to ransomware groups. If it’s all compiled together, we form a more informed network, and action can be taken to prevent these attacks from happening. So, public-private partnership, I think, is really important, and there are a lot of steps in place, and there are a lot of groups already set up, doing that, so really nice steps, there, already in place. We also have the law enforcement capabilities, ensuring that law enforcement, not only national law enforcement, but global law enforcement, they collaborate with one another. When we look at ransomware and other threats on cyber sources, we’re not just looking at threats which are starting in one country, being conducted in one country, and hitting victims in that same country.
We’re looking transnational here, so we must ensure there’s collaboration between law enforcement and groups, and making sure there are awareness campaigns associated with ransomware. Ransomware, it is huge. It is huge. Not everybody understands it, so making them aware, in terms of the threat associated to ransomware, for organizations, both public and private sector, what should be done.
(TC: 00:47:30)
Aidan Murphy: Yes, and I think, to try and wrap up on a positive note, this report does show some concerning findings, there’s no glossing over that, but obviously, we want to be constructive to listeners as well, and I do think the LockBit example does show a path from that law enforcement perspective you just called out, Luke, that could be followed. It’s interesting, because it’s one we’ve tracked since that operation took place, and initially, it wasn’t clear. There was a question mark around, ‘How effective will this be? Is this just a hurdle that LockBit will overcome, and it will come back as big as it was before?’ Effectively, it hasn’t happened immediately, it’s taken time, but it is clear now that it did have an effect on that group, and that group has deteriorated. So, would you agree, Luke, that there are definitely positive signs as well, and a play book that could be followed in future?
(TC: 00:48:28)
Luke Donovan: I very much would agree with that, Aidan. There are a lot of positive signs, moving forward. It’s always going to be a technological race between the actors and the defenders, but there are a lot of positives there for those defenders.
(TC: 00:48:44)
Aidan Murphy: Okay, well, that seems like a good note to draw a line under this episode of The Dark Dive. A big thank-you to Luke for joining me. This episode marks the end of the third series of the Dark Dive, and for me, personally, the last episode I’ll appear in. I would like to make some very quick thank-yous. The first has to go to James Marriott, from Sound Media, the producer of this podcast. It is no exaggeration to say that, without James, this podcast wouldn’t exist, and I’ve listened to the raw audio files, so I can tell you that we should all be very thankful to James for making this podcast sound as good as it does. I’d like to thank everybody who agreed to come onto the podcast as a guest, generously gave up their time, and shared their expertise with me. I also want to thank those behind the scenes at Searchlight Cyber who supported me in the creation and running of the podcast. And, finally, but not least, I want to thank you, the listeners, for tuning in. The Dark Dive will return, but in the meantime, remember that you can find a back catalog of three seasons’ worth of episodes on Apple Podcasts, Spotify, YouTube, and all major podcast platforms. And, if you have any questions for us, a guest, or a topic you’d like us to cover, you can still get in touch through the contact details in the show notes, and that could lead to a future episode. But, until then, stay safe.
Further Reading
- The report discussed throughout the episode, “An Escalation in Attacks: The Ransomware Landscape in H1 2025”.
- Our dedicated podcast on the recent hack of LockBit, “A Deep Dive Into The LockBit Data Leaks” (mentioned at 30.00).
- Our previous ransomware report where we predicted Akira as a group to watch, “More Groups, More Problems: Ransomware in 2023” (mentioned at 32.49).
- Our previous podcast episode on Qilin’s attack on the UK’s National Health Service, “The Qilin Ransomware Group vs The National Health Service” (mentioned at 34.35).
- The ransomware report we released at the beginning of this year, where RansomHub featured at no. 1, “Same Game, New Players: Ransomware in 2025” (mentioned at 36.35).