Six ransomware gangs behind more than 50% of attacks in 2024 • The Register
Despite a police raid six months ago, LockBit 3.0 remains the most active encryption and extortion gang so far this year, according to Palo Alto Networks' Unit 42.

Of the 53 ransomware groups whose leak sites, where the criminals name their victims and publish stolen data, were monitored by the incident response team, just six were responsible for more than half of the victims posted.

For the analysis, Unit 42 reviewed announcements posted on these crews' dedicated leak sites in the first six months of 2024. It counted 1,762 posts, a 4.3 percent increase over the same period in 2023. Note that leak-site posts are a proxy: they capture victims the gangs chose to name, not every infection, and not the victims who paid quietly.

Before we get into the count of the six biggest gangs, a note about how Unit 42 tracks nation-state and cybercrime groups: it combines a modifier with a constellation, and Scorpius is the constellation Unit 42 assigns to ransomware gangs. Unit 42 publishes a master list of its names alongside the common aliases.

We're going to go with the common aliases, with Unit 42's names in parentheses on first reference, because while we doubt anyone outside the security industry is familiar with "Flighty Scorpius", LockBit, on the other hand, is basically a household name.

(And one more note for Unit 42: you’ll soon run out of usable modifiers.)

These figures also compare the first half of 2024 with the whole of 2023.

In the first half of 2024, LockBit 3.0 (Flighty Scorpius) posted 325 victims to its leak site, compared to 928 in all of 2023. That was more than enough to put the crew in first place at the halfway point of the year.

In second place: the Play (Fiddling Scorpius) gang named 155 victims in the first half of 2024, compared with 267 for all of last year. That pace moved the group from fourth place in 2023 to second place so far this year.

Meanwhile, 8Base (Squalid Scorpius), a relative newcomer from last year that is believed to be a rebranding of Phobos, came in third in the first half of 2024 with 119 claimed victims. In 2023, the criminals claimed 188 victims, which placed them sixth.

Akira (Howling Scorpius), dubbed the next big thing in ransomware, came in fourth, also with 119 victims so far this year. For comparison, in 2023 it had 192 victims, which ranked it fifth.

Black Basta (Dark Scorpius) was the fifth most prolific ransomware gang between January and June, with 114 victims. Last year, it didn't even make the top six.

And finally, Medusa (Transforming Scorpius) listed 103 victims on its leak site so far this year. It also failed to make the top six in 2023.

A few notable gangs not on the list this year include ALPHV/BlackCat (Ambitious Scorpius), which ranked second last year with 388 victims, and third-ranked Cl0p (Chubby Scorpius), with 364 victims in 2023.

The report also highlights some notable disruptions that occurred earlier this year and in late 2023.

“The takedown of prominent ransomware groups, forums, and individuals in the first half of the year has sent ripples through the criminal ecosystem,” the report said.

In December 2023, an FBI operation seized ALPHV/BlackCat's websites and released a decryption tool for the ransomware.

That didn't entirely deter the crew, which resurfaced when an affiliate encrypted Change Healthcare's IT systems and disrupted pharmacies across the US. ALPHV then pulled an exit scam shortly after the ransom was reportedly paid, keeping the money rather than sharing it with the affiliate.

In February, LockBit 3.0's Tor site was taken down by the UK's National Crime Agency, and in May its leader, Dmitry Khoroshev, also known as LockBitSupp, was unmasked, sanctioned, and indicted.

In May, international agents seized control of the website and Telegram channel of the cybercrime forum BreachForums, where stolen data is bought and sold. A month later, they arrested the alleged leader of Scattered Spider, another ALPHV affiliate.

Of course, law enforcement's takedowns can seem like a game of whack-a-mole, as many criminal sites come back under a new name and a new administrator (as BreachForums has done several times over the years, most recently in June).

Additionally, some gangs successfully rebrand, and the affiliates of a disrupted ransomware-as-a-service operation tend to migrate to other crews after a raid. And as Unit 42 noted in its report, there are plenty of new entrants eager to enter this lucrative criminal ecosystem.

All of these factors likely play a role in the slight increase in leak-site victim postings compared to last year.

Some of the newcomers that Unit 42 follows are:

  • Spoiled Scorpius (distributors of RansomHub)
  • Slippery Scorpius (distributors of DragonForce)
  • Burning Scorpius (distributors of LukaLocker)
  • Alpha/MyData ransomware
  • Trisec ransomware
  • DoNex ransomware
  • Quilong ransomware
  • Blackout ransomware

Meanwhile, a new ransomware strain dubbed Brain Cipher emerged in June 2024 after the crew behind it hit Indonesia's Temporary National Data Center (PDNS) and disrupted government services across the country. The malware is reportedly based on the leaked LockBit 3.0 builder, which has practical consequences for defenders: existing detections written for LockBit 3.0 carry over.

"We analyzed a Brain Cipher sample used in an attack against an Indonesian target, and our existing LockBit 3.0 prevention and detection signatures worked on this sample as well," Unit 42 said.

"Despite all the efforts of law enforcement to dismantle and eradicate the most advanced ransomware threats, there are still plenty of highly skilled and motivated groups willing to step in and fill the void," the researchers concluded.

“The success and subsequent explosion of ransomware in recent years has led to an ever-growing group of individuals and groups gambling on their chance at fame and fortune.” ®