Searchlight Cyber’s yearly ransomware report – More Groups, More Problems: Ransomware in 2023 – covers the most prolific ransomware groups on the dark web last year, changing ransomware tactics based on dark web activity, and the operations security team should watch out for in 2024.
The threat intelligence in this report is derived from Searchlight Cyber’s Ransomware Search and Insights module, which collates data from the dark web leak sites of ransomware groups. As of January 2024, we track the leak sites of 53 ransomware groups.
The biggest change to the ransomware landscape in 2023 was the increase in operators hosting leak sites on the dark web. This means that – while many of the largest groups continued and or increased their rate of output – their share of the overall victims actually decreased as the ransomware world got bigger.
New operations spring up every week and, while some are short-lived, others have cemented themselves as being just as prolific – and dangerous – as their predecessors. Notable newcomers that quickly established a reputation in 2023 include 8Base, Akira, and Rhysida.
Key findings from the report include:
- A diversification of the ransomware landscape – As new, specialized ransomware groups eat away at the victim-share of large, established operations like LockBit, BlackCat, and Cl0p.
- Emergence of new and dangerous players in 2023 – As new entities like 8Base, Akira, and Rhysida quickly rack up a high victim count.
- Tactical shifts in operations – With some ransomware actors moving away from encryption-based attacks to direct data theft and extortion.
And much, much more.