{
	"id": "46f0e199-4410-471a-a3bd-abcd45e32eb2",
	"created_at": "2026-04-06T00:13:40.467963Z",
	"updated_at": "2026-04-10T03:33:15.535032Z",
	"deleted_at": null,
	"sha1_hash": "29d124e255755a3dbd1dcb930674916c37bfe7f5",
	"title": "What's behind the increase in ransomware attacks this year?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104611,
	"plain_text": "What's behind the increase in ransomware attacks this year?\r\nBy PricewaterhouseCoopers\r\nArchived: 2026-04-05 13:14:20 UTC\r\nIn May, we reported a spike in cyber security incidents which had caused a significant impact on organisations already dealing with the challenges posed by the COVID-19 pandemic. Many of these incidents were the result of ransomware attacks, and some of them had been accompanied by data breaches.\r\nSince then, analysis by our Threat Intelligence team has shown that the pace and frequency of ransomware attacks have risen. In this update, we take a closer look at the trends driving the growth in these incidents.\r\nThe number of ransomware actors is increasing...\r\nThere has been a sharp increase in the number of ransomware operations this year, following a trend already established in 2019. This is likely the result of the high profile of ransomware incidents and, in cases where details of ransom payments have entered the public domain, the perceived profitability of human-operated ransomware attacks. This is attracting new players into the market. Recent arrivals include the ransomware systems Avaddon, Darkside, Smaug and SunCrypt.\r\nThe growth in ransomware operations is not confined to new actors. Many established criminal groups have already added ransomware to their portfolios. Banking trojans such as Emotet, Dridex and TrickBot are now more commonly used as the initial delivery mechanism in highly targeted ransomware attacks. The latest banking trojan to make this switch is QakBot, which since March 2020 has been used to deliver ProLock and DoppelPaymer ransomware.\r\nThe shift by established criminal actors towards ransomware is likely driven by opportunity costs. Successful online banking attacks rely on complex money laundering operations to receive stolen funds and transfer the proceeds to bank accounts under criminal control. The specialist criminals who provide money laundering services demand high commissions, whereas ransom payments are usually made directly to cryptocurrency wallets already controlled by the attackers. As a consequence, ransomware operations are almost certainly more profitable than online banking attacks.\r\n...because the barriers to entry are dropping\r\nRansomware operations can be grouped into three broad categories: private schemes, affiliate programmes and builders.\r\nPrivate schemes\r\nWe assess that several of the most significant ransomware threats, including Ryuk/Conti and WastedLocker, are run privately. They are operated by criminal enterprises whose leadership has been active for over a decade and which comprise many of the most sophisticated and experienced criminal actors we currently track.\r\nhttps://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html\r\nPage 1 of 4\r\nThese actors are largely secretive and do not participate in the criminal forums or marketplaces frequented by less-established actors; instead, they either have all of the resources they need in-house or, where they do need to bring in external expertise, they use private communication channels to do so.\r\nRansomware operations are scalable\r\nThe arrival of new ransomware groups, the proliferation of RaaS (ransomware-as-a-service) schemes and the fact that established criminal actors have added ransomware operations to their activities have all led to an increase in attacks. But another key factor is that many ransomware operations are inherently scalable. High-profile affiliate programmes like Sodinokibi and NetWalker have actively recruited new partners.\r\nThe income of affiliate programmes and the number of attacks they are able to sustain are a function of the number and effectiveness of the affiliates that threat actors have recruited. This has introduced a degree of competition between rival affiliate programmes as they try to attract high-quality candidates to expand their operations. For example, the threat actor controlling Sodinokibi expects to retain 30-40% of the revenue generated by its affiliates, whereas a selling point of the NetWalker scheme is that successful partners can retain 80-90% of the proceeds of their attacks.\r\nEstablished players are raising their game\r\nTwo of the most established and prominent ransomware threat actors have upgraded their systems in 2020.\r\nBitPaymer, a ransomware variant operated by the threat actor with the self-styled name “Evil Corp” (a.k.a. the Dridex Group), was first introduced in 2017. Although the threat actor added some incremental improvements to the code, the core system has remained largely unchanged since its introduction. In 2020, “Evil Corp” launched a new ransomware project known as WastedLocker, which was responsible for high profile attacks from the outset. Unlike BitPaymer, which was partially derived from the source code for the Dridex banking trojan, WastedLocker has been written from scratch.\r\nRyuk, one of the most serious ransomware threats to organisations, was first introduced in 2018. Ryuk operations were at a high tempo throughout 2019 and into Q1 2020. Since then, a new ransomware variant known as Conti has emerged. Like WastedLocker, Conti has been written from scratch, but based on coding similarities and the naming conventions used in files and commands, we assess it has been written by the threat actor in control of Ryuk.\r\nWe don't know why these high-level threat actors have introduced completely new systems, but it is likely that the rapid growth in ransomware threats has resulted in some potential targets having a better awareness of, and preparedness for, attacks. The threat actors have therefore modernised their toolsets in an attempt to retain the initiative.\r\nData leaks have grown exponentially\r\nAs we noted in May, the actors in control of Maze ransomware began a trend by creating a site where they posted data stolen from victims prior to the encryption of their files. The purpose of the leak site was to increase the level of coercion on new victims by making an example of those who refused to pay Maze’s ransom demands.\r\nSince then, the number of actors with currently active leak sites has risen to 15 (or 18 if discontinued leak sites are also counted), including those in control of private ransomware systems such as DoppelPaymer, Conti and CL0P. The rate and frequency of leaks have grown rapidly, with 80% of data leaks occurring since the beginning of May.\r\nThere are risks associated with attempting to assess the level of threat posed by different ransomware actors purely on the level of activity on their leak sites:\r\n- Leak sites normally only display data on victims who have refused to accede to the attacker’s ransom demands, so it is impossible to gauge how successful individual actors are in coercing payments from victims;\r\n- Some key ransomware actors, for example WastedLocker, do not use leak sites at all, preferring to operate beneath the radar. Others, such as ProLock, are known to exfiltrate data but do not operate a leak site. However, some of these actors are likely to sell stolen information that can be used for identity theft or card fraud on specialist criminal marketplaces; and\r\n- Attackers do not always succeed in exfiltrating data from their victims, even though they still encrypt the victim’s files, so such attacks never appear on a leak site.\r\nNevertheless, the quantity and rate at which data is posted to leak sites may provide some insight into the scale and tempo of different ransomware operations. It is notable that Maze accounts for almost 40% of all data leaks and that they have posted data continuously since February this year. The actors in control of Conti began leaking data no earlier than the end of July, but in a little over six weeks have accounted for 13% of all leaks by ransomware actors.\r\n[Chart: Running total of data leaks since November 2019]\r\n[Chart: Data leaks by ransomware operation]\r\nConclusion\r\nRansomware attacks affect practically every business sector and are growing in intensity. This is fuelled by an influx of new ransomware actors, the expansion of existing affiliate schemes and the pursuit of improved revenues by established cyber crime actors. The barriers to entry into ransomware operations have been lowered by RaaS schemes, which means that SMEs are as much at risk from a ransomware attack as large organisations, despite high profile incidents by “big game hunters” such as WastedLocker and DoppelPaymer grabbing the headlines.\r\nSource: https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html"
	],
	"report_names": [
		"what-is-behind-ransomware-attacks-increase.html"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider",
				"Manatee Tempest"
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434420,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29d124e255755a3dbd1dcb930674916c37bfe7f5.pdf",
		"text": "https://archive.orkl.eu/29d124e255755a3dbd1dcb930674916c37bfe7f5.txt",
		"img": "https://archive.orkl.eu/29d124e255755a3dbd1dcb930674916c37bfe7f5.jpg"
	}
}