The global ransomware landscape continues to fragment in the wake of high-profile law enforcement actions over the last year, which disrupted the operations of prolific threat groups or forced them to shut down altogether but also paved the way for more cybercrime gangs to emerge.

According to dark web intelligence firm Searchlight Cyber, the number of active ransomware groups operating during the first half of the year jumped 56%, from 46 in the first six months of 2023 to 73 since January this year. However, there were fewer listed ransomware victims this year compared with the first half of 2023, suggesting that law enforcement operations are helping to protect organizations.

“What we could be seeing is the diversification – rather than the growth – of the ransomware scene,” Luke Donovan, head of threat intelligence at Searchlight Cyber, wrote in a 16-page report, “Ransomware in H1 2024: Trends from the Dark Web.” “This hypothesis would be consistent with the fact that some of the biggest ransomware players have a clearly reduced influence, suggesting that there is no longer the ‘market dominance’ of a small number of highly-prolific ransomware groups that there once was.”

Law Enforcement Goes on the Offensive

Law enforcement agencies in the United States and elsewhere have collaborated to disrupt the operations of ransomware-as-a-service (RaaS) groups, reducing the influence of some big names like LockBit while forcing others – including BlackCat, also known as ALPHV – to shutter their operations. That has created space for other gangs to emerge and flourish, something threat intelligence organizations have recognized.

Europol in July wrote in a report that some cybercriminals were retreating from larger RaaS organizations in the wake of the law enforcement operations, worried that affiliates could be caught up in the investigations of the higher-profile threat groups. Instead, many have gone their own way, developing their own variants of ransomware and launching attacks rather than acting as affiliates for RaaS group, with some setting up their own RaaS operations and competing for affiliates that had been associated with groups targeted by law enforcement, including LockBit and BlackCat.

“High-level affiliates and developers remain an important asset, with different ransomware-as-a-service (RaaS) providers competing for their services,” Europol wrote in its report. “Some affiliates are suspected of having developed their own ransomware variants to lower their dependence on RaaS providers.”

The Rise of RansomHub

One group of note emerging from the chaos of the disruptions of LockBit, BlackCat, and Hive – among others – is RansomHub, a former BlackCat affiliate that has only been on the scene since February but already was the third-most prolific ransomware outfit in the first half of the year, according to Searchlight Cyber. RansomHub came to the fore after BlackCat dissolved in the wake of the massive ransomware attack on Change Healthcare – a subsidiary of giant healthcare insurer UnitedHealth – and the $22 million paid by the company.

“Its ‘affiliate-friendly’ model could also be seen as a direct response to BlackCat’s retirement, where it is believed that the operators of the group perpetrated an ‘exit scam’, taking the entire ransom payment from Change Healthcare without properly compensating the affiliate responsible for the attack,” Searchlight Cyber wrote in its report. “Most of RansomHub’s victims are located in the United States.”

That affiliate-friendly model includes offering affiliates a fixed 10% fee and allowing the affiliate to collect the ransom payments directly from victims before handing the money over to the core RaaS group.

Making a Big Splash

RansomHub has had an outsized presence given its relatively short time on the stage. CISA, the FBI, and other U.S. agencies in late August issued an advisory about RansomHub – formerly known as Knight and Cyclops – noting that the group and its affiliates have run double-extortion attacks against at least 210 organizations since February, with victims coming in such critical sectors as IT, water and wastewater, IT, government services, healthcare, emergency services, and financial services.

Most recently, RansomHub attacked reproductive health care services organization Planned Parenthood, claiming to have stolen – and threatening to leak – 93GB of data over a six-day stretch. Martha Fuller, president and CEO of Planned Parenthood of Montana, confirmed the attack in a statement to the media, adding that the organization detected the intrusion August 28 and reported it to federal law enforcement officials.

Possible BlackCat Ties

In May, researchers with Forescout did a deep dive into RansomHub, noting that its ransomware is written in both C++ and Golang and supports Windows, Linux, ESXi, and devices running on MIPS architectures. They also addressed the question of whether RansomHub is just a rebrand of BlackCat/ALPHV, noting that BlackCat itself emerged in 2021 as a rebrand of DarkSide – which was responsible for the high-profile hack of Colonial Pipeline – and BlackMatter.

There are some similarities in the tools used by BlackCat and RansomHub, as well as significant differences, including in the encryptor, they wrote.

In its analysis, Searchlight Cyber wrote that “RansomHub’s rapid rise to prominence can potentially be explained by links to BlackCat. … It is suspected that RansomHub could contain former affiliates of the BlackCat ransomware group, especially as the group also listed Change Healthcare as a victim.”

The new faces to watch in ransomware according to the company include DarkVault, APT73 – an advanced persistent threat (APT) that may be an offshoot to LockBit – and Quilong.