Ransomware attacks: Only a few groups dominate the scene
The flood of reports about ransomware attacks is not letting up and one might get the impression that the authorities are simply faced with a huge number of perpetrators. But that is not the case at all.
Six intensive offenders
At the security company Palo Alto Networks, the experts keep detailed records of the extortion cases that become known and come to a rather astonishing Result: Just six groups were involved in around half of the ransomware campaigns carried out worldwide in the first six months of this year. The statistics show 1,762 cases for the period, an increase of 4.3 percent, which is slightly more than in the same months last year. However, the number of cases alone is only partially meaningful, as the targets of attacks have shifted significantly – companies are increasingly being targeted, with the aim of extorting equally large sums of money from them.
325 ransomware attacks alone were attributed to a group known as LockBit 3.0 or Flighty Scorpius. The Play (Fiddling Scorpius) gang ranks well behind. They claimed 155 victims in the first half of the year and made good progress compared to last year: in 2023, the group only came in fourth place.
Meanwhile, 8base (Squalid Scorpius), a relative newcomer from last year, believed to be a rebranding of Phobos, took third place in the first half of 2024 with 119 victims. Akira (Howling Scorpius) and BlackBasta (Dark Scorpius) followed with 119 and 114 victims respectively. Medusa (Transforming Scorpius) accounted for 103 victims.
Law enforcement officials have now often started to focus on these large groups. This has certainly brought some success in recent months. Even if they were not able to get to the actors themselves, infrastructures could still be paralyzed, making it difficult to carry out new ransomware campaigns. This may also have led to the number of cases not increasing as much as it did some time ago.