Note: this Ransomware Tracker is updated on the second Sunday of each month to stay current
The number of attacks claimed by ransomware groups in May spiked to the highest level seen in nearly a year, though experts say the claims may be overstated.
Ransomware gangs posted 450 victims to their extortion sites last month — up from the 328 victims in April. The all-time record is 484 attacks posted by groups in July 2023.
More than one-third of the attacks reported last month were tied to LockBit, a prolific group that had its website seized by law enforcement in February as part of a major takedown effort. Some of the group’s leaders have asserted that the campaign wasn’t completely effective, and that LockBit still remains active.
As part of that effort, LockBit has aggressively claimed to have attacked dozens of organizations in recent months. However, cybersecurity experts are skeptical of the claims and say that it is likely a PR effort to convince affiliates and other partners that its operations haven’t been disrupted.
“Many of the attacks listed on the site appear to be duplicates or from old attacks that never made it to the extortion site in the first place,” said Allan Liska, a Recorded Future ransomware expert who tracks and analyzes the data using information from the extortion sites as well as government agencies, news reports, hacking forums and other sources. “The problem is that it is often difficult to determine what is real and what is made up as a way for LockBit to save face… Criminals are, to put it gently, unreliable narrators when it comes to victim reporting.”
Graphs from this ongoing project can be shared and reproduced with proper attribution.
Recorded Future
Intelligence Cloud.