top of page

Dynamic shifts in the ransomware landscape worth keeping an eye on

Over recent weeks, several pertinent shifts in the ransomware threat landscape have been observed, including mainstays developing their tactics to new players on the scene.

Aside from established groups expanding their tactics, techniques, and procedures (TTPs) and launching recruitment drives, multiple new ransomware threats have risen to prominence including AXLocker, Royal, Octocrypt, and Alice.

By the end of Q3, 62 active ransomware threats were identified within the threat landscape. However, since the beginning of Q4 several new groups have risen to prominence.

Security researchers at Cyble have identified three new ransomware threats including two new ransomware-as-a-service (RaaS) operators dubbed Octocrypt and Alice.

Activity related to both groups has been observed on underground forums including advertisements highlighting the ransomware capabilities and features.

Additionally, Microsoft have tracked DEV-0569 to be leveraging Royal ransomware, a ransomware that first emerged in September 2022, which is using Google advertisements to facilitate campaigns.

Although several new threats have been recently identified, it is also notable that numerous established ransomware and data theft groups have been actively expanding their operations.

Karakurt, a group suspected to have affiliations with the defunct Conti ransomware gang, were identified to be recruiting affiliates and scoping insider threats within organisations globally.

Aside from Karakurt, Donut, a group who also previously focused on data theft, have adopted a double-extortion model.

The group have been leveraging customised ransomware in recent attacks and the cross-posting of victim data has indicated associations with several other ransomware threats, including Hive and Ragnar Locker.

RansomEXX have also developed a new variant of their ransomware over the past week which is written in Rust, a programming language heavily abused by threat actors due to increased likelihood successfully evading antivirus.

Given the continued development of ransomware operations, it is almost certain that significant activity from financially motivated groups will continue throughout Q4.

The ransomware landscape remains dynamic and the activity from new and established groups demonstrates the ability threat actors have to quickly expand their network and tools arsenal.

The UK now ranks third in a list of countries who suffers the most ransomware attacks with reports stating that ransomware dominates discussions at the government’s emergency COBRA meetings.

Consequently, ransomware continues to pose an exponential threat to UK organisations.

For more of our stories on ransomware, type 'ransomware' into the search box.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page