UPDATED 03:00 EDT / NOVEMBER 16 2023

SECURITY

Report finds surge in new multipoint extortion ransomware groups

A new report released today by cybersecurity company WithSecure Oyj is warning of a surge in the emergence of new multipoint extortion ransomware groups in the first three quarters of 2023.

Multipoint extortion ransomware groups, also called double-extortion or multi-extortion groups, are ransomware operators that apply more than one form of pressure to make victims pay. Whereas a traditional ransomware group would simply encrypt data and demand payment for a decryption key, these groups also steal data before encrypting it and threaten to publish it on a leak site if no payment is made, so that restoring from backups alone no longer removes the attacker's leverage.

WithSecure undertook an analysis of data leaked on sites operated by these ransomware operators and found that many new groups have become active in this space during 2023. Of the 60 multipoint extortion ransomware gangs whose activities WithSecure has tracked during the first nine months of 2023, 29 are new.

The new groups are said to largely follow playbooks established by existing operators but play a key role in sustaining the number of ransomware attacks facing organizations.

“Code and other aspects of one particular cybercrime operation end up getting used elsewhere because groups and their members often recycle the same resources when they change who they work for or with,” explained WithSecure threat intelligence analyst Ziggy Davies. “Many of the new groups we’ve seen this year have clear lineage in older ransomware operations. For example, Akira and several other groups share many similarities with the now-defunct Conti group and are likely former Conti affiliates.”

The report also uncovered other insights about multipoint extortion ransomware attacks in 2023, including that the number of data leaks posted by ransomware groups in the first three quarters of 2023 was up 50% on the same period of 2022.

Unsurprisingly, the infamous LockBit ransomware accounted for the biggest share of the leaks — 21% — reflecting a similar finding in August from NCC Group plc. The five ransomware groups with the most leaks — 8Base, ALPHV/BlackCat, Clop, LockBit and Play — accounted for more than 50% of the total leaks.

About 25% of data leaks in the analysis were from ransomware groups that began operations in 2023 and only six of the 60 groups have posted victims every month of 2023 to date.
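The figures above all come from counting posts on the groups' leak sites. The following is an added example, not code from the report or the article, showing how such leak-site statistics are derived from a list of (group, posting date) records. The records are constructed for illustration and the group names and dates are placeholders, not WithSecure's data; the period is the first nine months of the year, as in the report.

```python
from collections import Counter
from datetime import date

# Constructed leak-site post records: (group, date the victim was posted).
# Illustrative data only, not WithSecure's dataset; names mirror the article's
# examples but the dates and counts are invented.
POSTS = [
    ("lockbit", "2022-02-10"), ("lockbit", "2022-05-03"),
    ("conti", "2022-03-11"), ("conti", "2022-04-20"),
    ("alphv", "2022-08-15"),
    ("lockbit", "2023-01-09"), ("lockbit", "2023-02-01"), ("lockbit", "2023-03-15"),
    ("lockbit", "2023-04-06"), ("lockbit", "2023-05-22"), ("lockbit", "2023-06-02"),
    ("lockbit", "2023-07-13"), ("lockbit", "2023-08-08"), ("lockbit", "2023-09-27"),
    ("alphv", "2023-01-20"), ("alphv", "2023-04-11"),
    ("akira", "2023-04-03"), ("akira", "2023-07-19"),
    ("play", "2023-02-14"),
]


def parse(posts):
    """Turn ISO date strings into date objects."""
    return [(g, date.fromisoformat(d)) for g, d in posts]


def posts_in_window(posts, year, through_month=9):
    """Posts in the first `through_month` months of `year` (Q1-Q3 by default)."""
    return [(g, d) for g, d in posts if d.year == year and d.month <= through_month]


def yoy_change_pct(posts, year, through_month=9):
    """Percentage change in leak volume versus the same window a year earlier."""
    cur = len(posts_in_window(posts, year, through_month))
    prev = len(posts_in_window(posts, year - 1, through_month))
    if prev == 0:
        raise ValueError("no prior-year baseline in the dataset")
    return round((cur - prev) / prev * 100, 1)


def share_by_group(posts, year, through_month=9):
    """Each group's share of all leaks in the window, most prolific first."""
    window = posts_in_window(posts, year, through_month)
    counts = Counter(g for g, _ in window)
    total = len(window)
    return {g: round(n / total * 100, 1) for g, n in counts.most_common()}


def top_n_share(posts, year, n=5, through_month=9):
    """Combined share of the n most prolific groups."""
    shares = share_by_group(posts, year, through_month)
    return round(sum(list(shares.values())[:n]), 1)


def first_seen(posts):
    """Earliest posting date per group across the whole dataset."""
    seen = {}
    for g, d in posts:
        if g not in seen or d < seen[g]:
            seen[g] = d
    return seen


def new_groups(posts, year):
    """Groups whose first post in the dataset falls in `year`."""
    return {g for g, d in first_seen(posts).items() if d.year == year}


def share_from_new_groups(posts, year, through_month=9):
    """Share of the window's leaks attributable to groups first seen this year."""
    window = posts_in_window(posts, year, through_month)
    new = new_groups(posts, year)
    return round(sum(1 for g, _ in window if g in new) / len(window) * 100, 1)


def active_every_month(posts, year, through_month=9):
    """Groups that posted at least one victim in every month of the window."""
    months = {}
    for g, d in posts_in_window(posts, year, through_month):
        months.setdefault(g, set()).add(d.month)
    return {g for g, m in months.items() if len(m) == through_month}


if __name__ == "__main__":
    p = parse(POSTS)
    print("YoY change:", yoy_change_pct(p, 2023), "%")
    print("Share by group:", share_by_group(p, 2023))
    print("Top-5 share:", top_n_share(p, 2023), "%")
    print("New in 2023:", sorted(new_groups(p, 2023)))
    print("Share from new groups:", share_from_new_groups(p, 2023), "%")
    print("Active every month:", sorted(active_every_month(p, 2023)))
```

Two caveats a practitioner should keep in mind when reading such numbers. "New" here means first seen in the dataset, so a group's apparent age depends on how far back tracking goes and on whether its earlier identity was linked to it, which is exactly the lineage problem the report describes. And leak-site counts are a lower bound on activity: victims who pay promptly are rarely posted, and a single victim may be posted more than once or by more than one group.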

The report notes that though cybercriminals seem more interested in ransomware than ever, the degree to which these groups recycle each other’s playbooks provides defenders with some advantages.

“Ransomware remains an effective moneymaker for cyber criminals, so they’ll mostly stick to the same basic playbook rather than come up with anything really new or unexpected,” Davies added. “This makes them pretty predictable, which is good for defenders because they know what they’re up against.”

Image: DALL-E 3
