Ransomware attacks rise 45% in Feb, LockBit ramps up activity
Analysis from NCC Group's Global Threat Intelligence team has revealed there were 240 ransomware attacks in February, a 45% increase from January.
The volume of activity is the highest recorded by NCC Group for this period, up 30% on February 2022 (185), and 2021 (185). The considerable rise highlights the growing threat of ransomware attacks, as the threat landscape continues to evolve.
LockBit 3.0 drove the majority of February's ransomware activity, with 129 ransomware attacks (54%). It marks a 150% spike in the groups activity compared to January (50 victims), including an attack on UK mail delivery service Royal Mail. The group was a driving force behind a rise in attacks on the Consumer Non-Cyclicals (12 victims) sector, while Industrials (43) and Consumer Cyclicals (20) were its most targeted.
BlackCat (13%) were the second most active threat actor, followed by relatively new threat actor, Bian Lian (8%), with 20 victims. Despite this sharp spike in activity, their level of attacks in February is still less than it was in December 2022, indicative of Bian Lian's usual pattern of activity, whereby it has peaks and troughs throughout the year.
According to the research, North America (47%) was the target of almost half of Februarys activity, with 113 victims. Europe (23%), and Asia (15%) followed, with 56 and 35 attacks respectively.
While Industrials (33%) and Consumer Cyclicals (15%) remained the most targeted sectors, LockBits targeting of Consumer Non-Cyclicals (8%) - companies in the likes of utilities, healthcare and other consumer staples - escalated it to the top three for the first time, with 20 incidents. This represents a 150% increase in victims in this sector since January.
This month, threat actor Hive claims the spotlight after the US Department of Justice reported in January 2023 that the FBI had infiltrated Hives network and seized their infrastructure in a coordinated international effort.
This infiltration began in July 2022, and among this was Hives leak site and various servers which had been located in Los Angeles.
In addition to the takedown, US and UK authorities sanctioned seven alleged members of the group, all believed to be Russian nationals. Although these operations have been taken down, it's widely reported that Russian cybercriminals are protected by the state, implying that while Hive have lost their digital assets, its members will likely continue operating under a different guise.
"In February we observed a surge in ransomware activity, as expected when coming out of the typically quieter January period," says Matt Hull, Global Head of Threat Intelligence at NCC Group.
"However, the volume of ransomware attacks in January and February is the highest we have ever monitored for this period of the year. It is an indication of how the threat landscape is evolving and threat actors show no signs of reducing ransomware activities," he says.
"Looking at the most prevalent threat actors, Lockbit 3.0 looks set to carry on where it left off in 2022, and is already leading the way as 2023s most prevalent threat actor by some margin. BlackCat also remains consistent, whilst the ever-sporadic BianLian returned to the top three.
"Finally, it'll be interesting to see how the takedown of Hive by the US Department of Justice plays out. While this means their digital operations have been taken down its unlikely Hives members will disappear completely.
"Our threat intelligence team will continue to keep a close eye on how this impacts the threat landscape."