Surge in global ransomware attacks as LockBit returns

LockBit 3.0 resurfaces as leading threat actor

Global ransomware attacks saw a significant increase in May, with incidents rising by 32% month-on-month from 356 to 470 and by 8% year-on-year from 435 to 470, according to UK cybersecurity firm NCC Group’s latest monthly Threat Pulse report.

In a notable development within the ransomware landscape, LockBit 3.0 has resurfaced as the leading threat actor. Previously dormant following a takedown, LockBit 3.0 accounted for 37% of all attacks in May, a staggering 665% month-on-month increase from 176 attacks. Play, which held the top position previously, was relegated to second place with 32 attacks (7%), while RansomHub maintained third position with 22 attacks (5%), a 19% decrease from the previous month.

New threat actors have also emerged in the top 10 for May, according to the report. DAn0N, initially observed in April, ranked eighth with 13 attacks (3%) and favours the double extortion method. Underground, also favouring double extortion, ranked ninth with 12 attacks (3%). Arcus Media, a newly established ransomware operator, entered the top 10 in tenth place with 11 attacks (>3%), notable for its unique, non-repurposed malware.

Matt Hull, global head of threat intelligence at NCC Group says: "Following the takedown of LockBit 3.0 earlier this year, speculation has swirled around whether the group would simply dissolve, as we've seen with other threat groups like Hive.

"However, the current surge in victim numbers suggests a different story. It's possible that amidst law enforcement action, LockBit not only retained its most skilled affiliates but also attracted new ones, signalling their determination to persist. Alternatively, the group might be inflating their numbers to conceal the true state of their organisation."

Regional shifts in ransomware targets

North America and Europe remained the primary targets, accounting for 77% of all attacks. However, North America's proportion of global attacks decreased from 58% to 49%, despite an 11% increase in absolute numbers. Europe experienced a 65% increase in attacks.

Significant increases were also observed in other regions. South America saw its share of global attacks rise from 5% to 8% month-on-month, a 60% increase. Africa's share grew from 3% to 8%, marking a 167% increase. These regions may be serving as "proving grounds" for new malware and attack methodologies, NCC believes.

Sector-specific attack trends

Industrials remained the most targeted sector since January 2021, with 143 attacks (30%) in May, up from 116 in April. Despite a 32% increase in attacks, its proportional share dropped slightly from 31% to 30%, highlighting the sector's persistent vulnerability to ransomware.

The technology sector saw a substantial 47% increase in attacks, rising from 49 to 72 month-on-month. This increase is attributed to the high value of data and intellectual property, substantial financial resources, and the prevalence of data and connected devices in tech companies.

Conversely, the consumer cyclicals sector experienced a slight decrease, with attacks dropping from 62 in April to 59 in May.

The overall rise of 114 ransomware attacks compared to April underscores an increasingly volatile cyber threat landscape.

The coming months will be critical in determining whether LockBit can maintain its current level of activity.