After a month-on-month decline during the first few weeks of 2023, the number of ransomware attacks tracked in the wild soared by 45% in February, largely driven by an increase in LockBit activity, according to proprietary data published today by NCC Group.
NCC’s Global Threat Intelligence Team recorded 240 ransomware attacks in February, the biggest volume its researchers have ever recorded during this period.
Of these, LockBit accounted for 129 (54%), NCC said, up from 50 attacks – including the hit on Royal Mail – in January. LockBit was a “driving force” behind attacks on the consumer non-cyclicals, industrials and consumer cyclicals sectors.
“In February, we observed a surge in ransomware activity, as expected when coming out of the typically quieter January period,” said NCC global head of threat intelligence Matt Hull.
“However, the volume of ransomware attacks in January and February is the highest we have ever monitored for this period of the year. It is an indication of how the threat landscape is evolving and threat actors show no signs of reducing ransomware activities.
“Looking at the most prevalent threat actors, Lockbit 3.0 looks set to carry on where it left off in 2022, and is already leading the way as 2023’s most prevalent threat actor by some margin,” he said. “BlackCat also remains consistent, whilst the ever-sporadic BianLian returned to the top three.”
The NCC team attributed 31 attacks (13% of the total) to BlackCat, and 20 (8%) to BianLian, a relatively new ransomware operation – first emerging in July of 2022 – that is proving highly effective.
The actors behind it are highly skilled and demonstrate exceptional operational security, and as such have really hit their stride in the past few months.
NCC additionally found North America remains the target of approximately 50% of global ransomware activity, with Europe accounting for 23% of victims and Asia 15%. The most targeted sectors remain industrials and consumer cyclicals, accounting for 33% and 15% of victims respectively, while consumer non-cyclicals (utilities, healthcare and other consumer staples) accounted for 8% of victims in February, largely as a result of LockBit activity.
Meanwhile, the takedown of the Hive ransomware operation at the end of January in a coordinated international operation led by the FBI, which hacked into Hive’s infrastructure in July 2022, stole its decryption keys, and handed them over to victims. Gang members were also sanctioned by US and UK authorities.
Although the operation against Hive was clearly successful to the extent that its operational capabilities were disrupted, NCC’s threat team assesses that as they are likely protected by the Russian state, its members will almost certainly continue operating under a different guise.
“It will be interesting to see how the takedown of Hive by the US Department of Justice plays out,” said Hull. “While this means their digital operations have been taken down, it’s unlikely Hive’s members will disappear completely. Our threat intelligence team will continue to keep a close eye on how this impacts the threat landscape.”