29 new ransomware groups have emerged in 2023 as attacks intensify

Mockup of a padlock covered in blue and red neon code denoting ransomware, malware, and security
(Image credit: Getty Images)

A surge in the number of new ransomware groups has contributed to an increase in data breaches in 2023, according to new research from WithSecure. 

The cyber security specialist has tracked the activities of 60 ransomware groups during the first nine months of 2023, and 29 of them have been identified as new gangs.

The first three quarters of 2023 have seen a significant rise in the number of data leaks, which WithSecure has partly attributed to the new ransomware groups. 

Evidence of the new groups’ methods, however, indicates these could be affiliates or former members of now-defunct collectives such as the Conti Group, known for executing multipoint extortion attacks.

Multipoint extortion is a type of ransomware that involves threat actors using a number of different extortion strategies to try and coerce victims into paying a higher ransom.

Examples of this type of attack include the prevalent double extortion ransomware tactic such as the Maze attack, which was the first high-profile case of multipoint extortion.

The general playbook for these types of attack includes exfiltrating and encrypting a victim’s data and subsequently using the threat of publishing that data, making it available to potential industry competitors, to pressure the victim into paying. 

According to the report, the frequency of ransomware attacks rose during the first three months of 2023. The findings reveal there was a 50% increase in data leaks from ransomware groups compared to the same period in 2022.  

It should be noted, however, 2022 was a relatively quiet year for ransomware attacks, falling 23% compared to 2021 according to research from the AAG.

This caveat means the increase in 2023 may not be as stark as first thought, however the significant increase in new groups entering the frame as ransomware operators remains to have concerning implications. 

Primarily this indicates ransomware remains a lucrative method of revenue generation for hacking groups and until that changes we are likely to continue to see attacks of this nature continue to rise in the future.

Who is carrying out these attacks?

Despite the presence of new operators, a considerable portion of the ransomware attacks carried out this year were perpetrated by established groups.

The report found LockBit, responsible for recent attacks on Boeing and Royal Mail, and the Dutch football association accounted for 21% of data leaks in 2023.

This was matched, however, by new entrants to the ransomware space. Around 25% of data leaks in 2023 included in WithSecure’s analysis were from ransomware groups that began operations in the same year. 

The novelty of these groups is not certain, but WithSecure identified overlaps and similarities with the methods of previous threat actors known for carrying out ransomware attacks.


Rear facing image of man sat in dark tech lab using VR headset and gloves

(Image credit: Trend Micro)

The near and far future of ransomware business models

Prepare for future changes in the criminal business models of ransomware actors


Threat intelligence analyst Ziggy Davies explained attacks observed in WithSecure’s analysis exhibited many hallmarks of previous groups. 

“Code and other aspects of one particular cybercrime operation end up getting used elsewhere because groups and their members often recycle the same resources when they change who they work for or with.”

“Many of the new groups we’ve seen this year have clear lineage in older ransomware operations. For example, Akira and several other groups share many similarities with the now-defunct Conti group and are likely former Conti affiliates.”

Davies added the groups’ recycling of old resources presents a source of hope for security professionals looking to avoid data leaks from malicious groups in the future.

“Ransomware remains an effective moneymaker for cyber criminals, so they’ll mostly stick to the same basic playbook rather than come up [with] anything really new or unexpected. This makes them pretty predictable, which is good for defenders because they know what they’re up against,” said Davies.

Defenders can study attack vectors used to gain access to a victim’s network and steal data, and then put provisions in place to guard against this. 

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.