Ransomware resurgence gives small businesses cause for concern

Between 2018 and 2020, 22 new ransomware groups appeared on the cybercrime scene. I mention this as it’s the exact same number that has already emerged so far this year.

With law enforcement having ever-increasing success in disrupting large operators such as BlackCat, you have to wonder whether breaking apart large ransomware organisations could be fuelling the growth of myriad smaller ones. A new report from threat intelligence consultancy Cyjax suggests that this could, indeed, be behind the resurgence of ransomware in 2024.

Analysts at Cyjax report that an average of 5.5 new ransomware groups have appeared each month this year. And with new groups come new targets, or at least a major shift in who is being targeted: smaller businesses with weaker security postures are firmly in the criminal crosshairs.

Cyjax reports ransomware attacks down but number of attack techniques is up

This shocking statistic should not be viewed in isolation, though, as the creation of new ransomware actors at a fast pace does not automatically mean an increase in ransomware attack activity.

Indeed, the Cyjax statistics reveal that ransomware attacks decreased by 22% between Q4 2023 and Q1 2024, despite the emergence of so many new players. This isn’t quite the good news it might first appear.

“A more diverse set of attackers means that organisations must be aware of a more disparate set of tactics, techniques and procedures (TTPs) that they must defend against,” says report author and Cyjax Intelligence Analyst Adam Price.

The standard security policies in place might not be enough, Price warns, adding that “it is vital to consider pre-emptive mitigation and risk management to minimise potential damage in the increasingly likely case of ransomware targeting”.

It’s well-known that when global law enforcement has headline-grabbing success in disrupting ransomware groups, be that by taking down infrastructure or the arrest of key players, it is often followed by a dip in overall ransomware activity.

But then there is a resurgence. Be that resurgence through simple rebranding or entirely new groups filling the void, ransomware is proving difficult to eradicate.

This should come as no surprise. After all, ransomware activity is a highly profitable area of cybercrime, and many players are all but out of reach when it comes to bringing them to justice, often down to geopolitical factors.

The Russia-Ukraine war cannot be ignored as a factor hampering international cooperation, Cyjax reports, with Russia-based groups being allowed to operate with impunity.

Defending small businesses against ransomware attacks

“One of the trends I sense is a major reorganisation of the cybercriminal underground as a direct response to law enforcement success,” said Cyjax CISO, Ian Thornton-Trump.

“It’s likely that criminal actors are starting fresh and building more operational resiliency into their organisations and focusing on operational security (OPSEC) to avoid discovery and compromise. It’s far better to be a new crew and remain under the radar than an old crew with a big open source intelligence (OSINT) footprint.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
