NCC Group reports 665% surge in LockBit ransomware attacks

A recent report by NCC Group has highlighted a dramatic resurgence of the notorious ransomware group LockBit.

The group has experienced a remarkable 665% increase in attack volume compared to the previous month, with 176 attacks recorded in May 2024. This surge has driven overall ransomware attacks to their highest monthly total this year, with 470 incidents reported.

LockBit's significant rise follows a period of reduced activity after the group faced a takedown operation in February. Since their return, LockBit accounts for 37% of all recorded attacks, re-establishing themselves as a leading threat actor in the ransomware landscape. By contrast, Play dropped to second position with 32 attacks, constituting 7% of the total, while RansomHub held the third spot with 22 attacks, representing 5% and marking a decrease of 19% from the previous month.

Newcomers to the list of top threat actors include Arcus Media, Underground, and DAn0N. Dan0N, which first appeared in April, ranks eighth with 13 attacks, employing the double extortion method. Underground, another newcomer also using double extortion, is ninth with 12 attacks. Arcus Media, which uniquely does not repurpose or rebrand its malware, closes the top ten with 11 attacks.

The report also indicates a notable geographical shift in attack patterns. Although North America and Europe remain primary targets, accounting for 77% of global cases, there has been a significant rise in attacks on South America. The region saw its share of attacks increase from 5% to 8% month-on-month, a jump of 60%. Africa also experienced an uptick, with its share rising from 3% in April to 8% in May, an increase of 167%. According to the report, these regions might be used as testing grounds for new malware packages and attack methods.

In terms of sector-specific targeting, the Industrials sector continues to bear the brunt of ransomware attacks. It witnessed 143 attacks in May, accounting for 30% of total global incidents. This represents an increase from 116 attacks reported in April but a slight dip in the sector's proportional share from 31% to 30%. The Technology sector saw a significant rise, with attacks increasing from 49 to 72, a 47% month-on-month increase. This could be attributed to the high value of data and intellectual property, as well as the substantial financial resources and rich data environment present in technology companies.

Conversely, the Consumer Cyclicals sector experienced a minor decrease in attacks, dropping from 62 in April to 59 in May. Despite these variations, the overall increase in ransomware incidents—up by 114 from the previous month—underscores a shifting and increasingly complex cyber threat landscape.

Matt Hull, Global Head of Threat Intelligence at NCC Group, provided insights into LockBit's resurgence. "Following the takedown of LockBit 3.0 earlier this year, speculation has swirled around whether the group would simply dissolve, as we've seen with other threat groups like Hive. However, the current surge in victim numbers suggests a different story. It’s possible that amidst law enforcement action, LockBit not only retained its most skilled affiliates but also attracted new ones, signalling their determination to persist. Alternatively, the group might be inflating their numbers to conceal the true state of their organisation," Hull explained.

The forthcoming months will reveal whether LockBit can maintain the attack figures observed in May. NCC Group's threat intelligence team will continue to closely monitor the group's activities.