Emerging ransomware groups on the rise: Who they are, how they operate




But incidents such as these quickly lead to a loss of trust in the cybercriminal world and partners will quickly move on to the next program. This effect has been visible in LockBit’s recent activity. According to GuidePoint’s statistics, LockBit still accounted for 60% of ransomware incidents in March, but its market share dropped to 30% in April.

Meanwhile, groups like Hunters International, 8Base, RansomHub, and other previously smaller and emerging groups saw jumps in activity. Play’s victim count actually decreased from March to April, but the group ended up in the top position because of LockBit’s major decline. Even so, Play has been on an upward trend since the beginning of the year, according to statistics from NCC Group.

8Base is a ransomware group that, like Play, has been around since 2022. Hunters International is relatively new, first appearing last October and bearing many similarities to Hive, a ransomware group that shut down in early 2023 after law enforcement agencies from several countries seized its servers. RansomHub is even newer, emerging for the first time in February this year and quickly climbing through the ranks.

“We have observed threats by RansomHub to sell exfiltrated data on their branded data leak site (DLS) and instances where the group claims that data has been sold — a notable distinction from the more typical practice of posting such data openly,” the GuidePoint researchers wrote. “Possibilities for this distinct approach include the difficulty and cost of hosting stolen data, the group’s belief that data sales are more valuable than open posting, and the inherent pressure such activity places on the victimized organization to settle with the group.”

Moreover, the affiliate that hacked Change Healthcare and accused ALPHV of running with the ransom money is now a RansomHub affiliate. The reason for this switch might be RansomHub’s generous 90% affiliate commission on victim payments and the possibility for affiliates to receive ransom payments directly instead of going through a RansomHub administrator, the researchers note.

More newcomers

There are some other new groups that stand out through their tooling or growth. One of them is called Muliaka and primarily targets Russian organizations — an unusual targeting choice in the ransomware ecosystem. This group appears to be using a version of the Conti file encryption malware that was leaked online in 2020 and deployed it by hijacking a feature in an antivirus program used by the targeted organizations.




