The number of ransomware victims is booming — despite major threats being shut down
Hive and Ragnar are no more, but does it matter?
Despite the police dismantling some of the biggest and most dangerous ransomware threats out there, ransomware as a criminal industry continues to flourish.
A new report from cybersecurity researchers at Palo Alto Networks' Unit 42 found a 49% increase in victims reported on ransomware leak sites.
In total, there were 3,998 new entries, posted by various groups, across the dark web.
Short expiration date on ransomware groups
Unit 42 attributed this surge to high-profile vulnerabilities like SQL injection, which were used on products like MOVEit and GoAnywhere. Those with a good memory will remember that Cl0p, for example, abused a zero-day vulnerability in the MOVEit managed file transfer solution to exfiltrate sensitive data on more than 2,000 organizations. Before that, the GoAnywhere fiasco saw firms like Procter & Gamble and Hitachi lose sensitive files.
LockBit, ALPHV, and others all tried to find zero-day flaws to abuse, and either install encryptors or just exfiltrate data and demand a ransom.
While the number of victims grows, the number of ransomware operators is shrinking. Hive and Ragnar Locker are no more, and neither are Ransomed.Vc and Trigona. ALPHV was almost completely dismantled but managed to return, possibly rebranded.
Furthermore, leak site data revealed the emergence of 25 new ransomware groups in 2023, which the researchers hint shows the continued appeal of ransomware as a profitable criminal activity. However, many of these new groups did not last, disappearing in the second half of the year.
As expected, ransomware operators weren’t really picky when it came to the target industry, but manufacturing still remained the most affected vertical out there. Most victims - 47% - are located in the United States. LockBit remained the most active group in 2023, followed by ALPHV (AKA BlackCat) and Cl0p.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.