Qilin remained the top ransomware group in August, but two rapidly emerging competitors are threatening to shake up the threat landscape.
Those are some of the conclusions from Cyble’s monthly ransomware blog published today.
Qilin’s 104 victims in August were well ahead of Akira’s 56 (chart below), but the rapid rise of Sinobi and The Gentlemen and the reemergence of LockBit are just some of the developments that threaten to upend the ransomware landscape in September.
August’s 467 ransomware attacks marked the fourth straight monthly increase, even as attacks remain well below February’s record (chart below). Several attacks had software supply chain implications, part of a troubling trend of surging supply chain attacks.
The U.S. accounted for nearly 60% of August’s ransomware attacks, roughly ten times greater than Germany and the UK.
Qilin Dominates Following RansomHub’s Decline
Since the decline of RansomHub at the end of March, Qilin’s 398 claimed victims are more than 70% ahead of Akira (chart below). Cyble noted that Qilin’s “features and incentives appear to be gaining traction with former RansomHub and other affiliates.”
Qilin has claimed more than 18% of the 2,164 total ransomware attacks since April, while Akira, at 10.7%, is the only other ransomware group above 10%.
Cyble noted that “the rapid rise of Sinobi might be even more impressive, as the group has vaulted into third place after only two months in existence.”
Sinobi has claimed 41 victims so far, all but two of which have been in the U.S. Because of code and data leak site similarities, Sinobi might be connected to Lynx, which itself has been connected to INC Ransom. All three groups remain active, so they may merely be connected rather than a rebranding.
Sinobi has claimed only one new victim since August 24, Cyble said, so its meteoric rise may prove unsustainable.
The Gentlemen Emerges as LockBit Returns
The Gentlemen has been another very active new group, with more than 30 victims so far in September, “so the most active ransomware group list may well change again this month,” Cyble said.
Meanwhile, former ransomware leader LockBit is making another comeback attempt with its 5.0 release, so September could turn out to be yet another pivotal month for ransomware groups.
“The continued evolution of ransomware groups and variants remains one of the biggest threats faced by cybersecurity teams and organizations of all sizes,” Cyble concluded. “The financial, data, infrastructure, and operational damage caused by these attacks requires the strongest possible vigilance on the part of security teams.”
With some noteworthy recent cyberattacks bringing organizations to a standstill for weeks at a time or longer, vigilance seems like good advice in general for security teams.
