The ‘Big Three’ ransomware groups are losing their grip on the industry as gangs begin to fracture, study shows


Major ransomware groups LockBit, ALPHV (BlackCat), and Cl0p increased their attack output in 2023, but are losing ground to a surge of new collectives, research has revealed.

LockBit remained the most prolific group in 2023 with 1,191 listed victims according to data collated from the dark web leak sites of over 50 ransomware groups and published in security specialist Searchlight Cyber’s annual ransomware report.

Despite their attack output increasing, researchers found the big three’s share of the overall number of ransomware victims in 2023 had declined, as the total number of operators grew.

Although LockBit’s victims accounted for a third of the total number posted on the dark web in the last three months of 2022, the report showed this figure had almost halved to 17% over the same period in 2023.

The group’s total victim count doubled in 2023, however, which led the report to the conclusion that ransomware operations as a whole have ballooned, with fewer large entities dominating the space.

New ransomware groups such as 8Base, Akira, and Rhysida were identified in the research as notable newcomers who quickly established themselves as some of the most active ransomware operators in 2023.

Yet the report called into question how ‘new’ these groups really are, noting the considerable overlap observed across the various groups’ operations and suggesting individuals may be members of multiple collectives.

The researchers identified the popularity of the ransomware-as-a-service (RaaS) operating model as a factor contributing to this considerable overlap in membership and techniques, where group affiliates act as independent contractors for different groups.

Jim Simpson, director of threat intelligence at Searchlight Cyber, said this combination of increased individual output and an expanded number of ransomware operators has made for a dynamic threat landscape, compared to previous years.

“Our dark web intelligence shows that the ransomware landscape is becoming larger and more diverse. Small, specialized groups are emerging at pace while the large, established ransomware operations have also increased their output - creating a more active landscape than this time 12 months ago.”

A more fluid approach to ransomware means security teams need to work harder to keep up

The report outlined the increasingly fluid nature of ransomware operations in 2023, noting the speed at which groups dissolve and reform under new monikers, reusing old source code and borrowing tactics from rival groups.

The source code behind popular ransomware strain Babuk, which was intentionally released, became the most popular blueprint for new collectives, according to the report, with groups including DarkAngels/Dunghill, Daixin, and RA Group building their tools on top of this framework.

Law enforcement operations targeting prominent collectives such as the Conti group or Hive gang may have contributed to a rise in smaller, more dynamic groups that draw less attention than their larger counterparts.

Ransomware groups are also streamlining their attacks by dropping the encryption element of the process. As companies are getting better prepared for encryption attacks, attackers are increasingly focused on just stealing the data and extracting ransoms as quickly as possible, according to the report.




Discussing the rate at which the threat landscape is evolving, Simpson advised security teams to track the activity of ransomware groups on the dark web in order to stay up to date with their latest tactics.

“The expansion of the ransomware ecosystem means that organizations need the most up-to-date information on the specific ransomware threats facing their industry and their peers. Ransomware groups use the dark web to share their tactics, buy their initial access, and recruit affiliates - security teams concerned about ransomware have to monitor this activity to understand and prepare for the latest threats.”

Solomon Klappholz
Staff Writer
