LockBit, Black Basta and Play were the most active ransomware groups in Q1 2024, with Black Basta recording a notable 41% increase in activity.
The data comes from the latest report by cybersecurity firm ReliaQuest, which also suggests that during the same period, LockBit faced a significant setback due to law enforcement actions in February.
Despite efforts to restore operations, LockBit’s activity decreased by 21% compared to the previous quarter. The group’s reputation among affiliates also suffered, with chatter on cybercriminal forums reflecting apprehension about working with a group whose infrastructure had been compromised by law enforcement.
Meanwhile, the emergence of the DarkVault group suggests a potential rebranding strategy by LockBit to evade scrutiny. The similarities in branding between DarkVault and LockBit, including font, color scheme and ransom demand format, hint at a possible connection between the two groups.
ALPHV’s exit scam, which followed a fraudulent takedown notice posted on its data leak site (DLS), adds another layer of complexity to the ransomware landscape. The incident underscores the trust issues prevalent within cybercriminal networks, with affiliates vulnerable to being defrauded by their own cohorts.
Looking ahead, ReliaQuest forecasts a resurgence of the Clop ransomware group, targeting vulnerable enterprise file transfer software. Additionally, increased exploitation of cloud and SaaS platforms, along with advancements in AI and machine learning, are expected to shape ransomware campaigns in the coming months.
“In several recent law enforcement operations, including Operation Cronos and the ALPHV and Hive operations, law enforcement groups created a decryption tool by collating decryption keys shared within the groups’ infrastructure,” reads the report.
“To prevent this going forward, ransomware groups will probably change the way they share and store decryption keys, potentially moving them to offline infrastructure.”
To mitigate ransomware risks, ReliaQuest emphasized the importance of proactive security measures, including multi-factor authentication (MFA), least privilege access and regular patch management.