Searchlight Cyber Report reveals rapid changes in the ransomware landscape over six months

Searchlight Cyber Report reveals rapid changes in the ransomware landscape over six months

Searchlight Cyber, the Dark Web intelligence company, has released its latest report, revealing key ransomware trends for the first half of 2024.

Ransomware in H1 2024: Trends from the Dark Web showcases how the ransomware scene has shifted since the release of its annual ransomware report 2024 at the start of the year. The report offers key insights drawn from Dark Web intelligence to help organisations bolster their defences against emerging threats.

The report shows how – in just six months of the year – one of the biggest ransomware groups (BlackCat) ceased operations, a new gang (RansomHub) emerged in February and quickly established itself as the third most prolific ransomware group, and outlines the effects of devastating attacks executed against organisations. 

Other highlights of the report include: 

  • A 56% increase in the number of active ransomware groups compared to H1 2023, reflecting a diversification of the ransomware landscape.
  • LockBit has retained its top position in spite of the disruption of Operation Cronos, though its number of listed victims has decreased compared to H1 2023.
  • BlackCat and Cl0p have forfeited their top five rankings, with Play, RansomHub, BlackBasta and 8Base filling the top slots behind LockBit.
  • The emergence of RansomHub, a new ransomware group that quickly established itself as the third most prolific group, despite it only emerging in February. This group’s rapid rise suggests possible connections to established players like BlackCat.
  • A decline in the overall number of listed ransomware victims compared to H2 2023, indicating that law enforcement operations may be beginning to curb ransomware activities.
  • The continued dominance of the Ransomware-as-a-Service (RaaS) model among the most active groups. 

The report also profiles new entrants in 2024 including APT73 and DarkVault, potential offshoots of the disrupted LockBit, who are expected to become significant threats in the near future. Quilong, a closed ransomware group that emerged in April 2024 also had a significant impact in the first half of the year, targeting healthcare organisations in Brazil.

Luke Donovan, Head of Threat Intelligence at Searchlight Cyber, said: “As we’ve seen in the first half of 2024, the ransomware landscape is not just expanding, it’s fragmenting. With over 70 active ransomware groups now in operation, the ransomware landscape is becoming more complex for cybersecurity professionals to navigate. The diversification we’re witnessing means that smaller, lesser-known groups can emerge rapidly and execute highly targeted attacks. This report underscores the need for organisations to continuously monitor the ransomware ecosystem, identify the groups that pose the greatest risk to them, and use threat intelligence to inform their defensive strategies.”