Ransomware attacks were up 47% in July compared with the prior month, according to the latest threat data from NCC Group, with the LockBit family largely at fault.
- Alex Scroxton, Security Editor
Published: 25 Aug 2022 8:00
The recently updated LockBit 3.0 ransomware appears to have driven a considerable uptick in documented ransomware attacks in July, with incidents rising by 47% month on month, according to the latest monthly threat data produced by NCC Group.
The operators of LockBit issued version 3.0 by the end of June under the tagline "Make Ransomware Great Again". Among its new features are additional methods of monetisation, with payments now accepted in more cryptocurrencies than before, as well as post-payment data recovery and destruction. Notably, the group now runs a bug bounty programme, and seems particularly keen to hear about any bugs in its code that could enable outsiders to acquire its decryption tool.
In the weeks since its launch, LockBit has become by some margin the dominant ransomware strain observed in the wild, accounting for 52 of the 198 victims NCC documented in July, or 26% of the total. Two other groups, both connected with former Conti-linked affiliates, were also highly active in July: Hiveleaks, which hit 27 organisations; and BlackBasta, which hit 24.
"This month's Threat Pulse has revealed some major changes within the ransomware threat scene in comparison to June, as ransomware attacks are once more on the up," said NCC global head of threat intelligence Matt Hull.
"Since Conti disbanded, we've seen two new threat actors linked to the group, Hiveleaks and BlackBasta, take top position behind LockBit 3.0. Chances are we shall only start to see the number of ransomware attacks from both of these groups continue steadily to increase over the next month or two."
Elsewhere, North Korea-linked advanced persistent threat (APT) group Lazarus continued a campaign of cyber extortion that included a $100m crypto heist on the Harmony Horizon Bridge in late June and earlier attacks, among them a more substantial $600m hit on Axie Infinity.
Hull noted that the increased activity by Lazarus was likely due to the continued shrinking of North Korea's ramshackle economy, forcing the isolated regime to lean more heavily on crime to acquire much-needed hard currency. As previously reported, this trend has seen the US government raise the reward money available to anybody who is able to provide intelligence on members of the Lazarus collective.
When it comes to other ransomware trends, the verticals under attack remained consistent in July, with industrial organisations remaining the most targeted, accounting for 32% of incidents seen by NCC. They were followed by consumer cyclicals, which include automotive, entertainment and retail, at 17%, and technology at 14%.
NCC found the region most targeted for ransomware attacks was the United States, where 42% of incidents were seen during the period, and which regained the number one spot from Europe after 8 weeks.
As ever, it is important to remember that supplier-produced threat data is proprietary and generally reflects only the conditions seen by that supplier, based on its network telemetry or gleaned from its incident response teams, so it might not be wholly accurate. Other sources of threat data are available.