The number of ransomware groups rockets as new, smaller players emerge
The good news is that the number of victims remains steady
The number of active ransomware groups has reached a record high, with new, smaller groups sliding under the radar.
In its latest quarterly Ransomware & Cyber Threat Report, GuidePoint's research and intelligence team said they'd seen a 57% increase in the number of ransomware groups, rising from 49 in the third quarter of 2024 to an all-time high of 77 now.
The number of victims, though, has remained relatively steady, stabilizing at around 1,500-1,600 per quarter since the last quarter of last year.
More than half of victims this quarter – 56% – were based in the US. No other country came anywhere close, with Germany second at 5% and the UK third at 4%.
The most-hit industries were manufacturing, technology, and the legal sector, with 252 publicly claimed manufacturing attacks during the second quarter, up 26% quarter-over-quarter.
"Ransomware activity has settled into a new normal, averaging 1,500 to 1,600 victims per quarter since late 2024," said Nick Hyatt, senior threat intelligence analyst at GuidePoint Security.
"Yet while overall activity has stabilized, the number of distinct ransomware groups has surged to a record 77 – highlighting both the consolidation of skilled operators within major RaaS (ransomware as a service) platforms and the ongoing churn of emerging or lower-skill actors entering the ecosystem."
The Qilin ransomware group was particularly busy. Its activity surged 318% year-over-year, claiming 234 victims this quarter; Akira was next, with 130 victims, the team said.
IncRansom, which first emerged in August 2023, showed a sudden surge in activity during the third quarter, making it the third most active group. The team said it's not clear whether IncRansom will keep this level of activity up.
SafePay, meanwhile, is an insular ransomware group that first appeared in late 2024 but now claims a total count of 258 victims across 29 distinct industries and 30 countries for the year to date.
And while the research looked at the number of claimed victims from established groups, the team said they'd also seen, anecdotally, an increase in attacks that couldn't be attributed to any known group, or where the threat actors even outright refused to identify themselves.
"This can plausibly be the result of growing distrust in the RaaS construct, reduced barriers to entry for aspiring cybercriminals, or splintering of existing groups resulting in outcast affiliates forced to find a new home," they said.
"In the months and quarters ahead, we will specifically be looking to determine the timelines, efficacy, and victim outputs of such groups to aid in our ongoing analysis and determinations."
And, said Hyatt, the growing diversity of ransomware groups is creating new challenges for defenders.
"While established actors like Qilin and Akira are streamlining their operations, newer groups such as SafePay demonstrate how even small, insular actors can thrive by staying under the radar," he said.
"This 'new normal' isn't a reason for complacency – it underscores the need for sustained vigilance in an increasingly fragmented threat landscape."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
