LockBit 3.0 resurfaces with staggering surge in activity as ransomware attacks reach all time high
- Ransomware activity at all time high month-on-month and year-on-year
- LockBit 3.0 returns as most prominent threat actor with a 665% increase in attack volume
- The Industrials sector remains prime target for ransomware attacks (30%)
- Significant increase in attacks on South America (60%)
Global ransomware attacks increased by 32% month-on-month (356 to 470) and 8% (435-470) year-on-year according to NCC Group’s May Threat Pulse.
New emerging threat actors
In a significant shift in the ransomware landscape, LockBit 3.0 has reemerged to claim top spot amongst the most prominent threat actors. Previously dormant following the groups’ takedown, the group were responsible for 37% of all attacks - a staggering 665% increase month-on-month (176).
Play were knocked to second position with 32 attacks (7%) and RansomHub maintained third position with 22 attacks (5%), a decrease of 19% month on month.
Newcomers in the top 10 threat actors in May include Arcus Media, Underground and DAn0N. In 8th position with 13 attacks (3%), Dan0N was initially spotted in April and looks to favour the double extortion method. Coming in 9th and also favouring the double extortion technique is Underground with 12 attacks (3%).
Finally, 10th place with 11 attacks (>3%) goes to Arcus Media, a newly established ransomware operator who do not re-purpose of re-brand their malware, making it completely unique to their operation.
Unusual significant increase in attacks on South America
Threat actors continue to focus their targeting efforts on North America and Europe with 77% of cases, continuing the trend for 2024. Despite overall attack numbers against victims in North America increasing by 11% since April, the proportion of total global attacks witnessed by the region decreased from 58% to 49%, while attacks in Europe increased by 65%.
As expected, there has been a significant increase in attacks in South America. Proportional attacks have increased from 5% to 8% month-on-month, an increase of 60%. Meanwhile, Africa’s share of global attacks increased from 3% in April to 8% in May, an increase of 167%. As stated in last month’s report, this could be due to the regions being used as a “proving ground” to test the viability of new malware packages and attack methodologies.
Industrials continue to dominate sector attacks
Industrials remains the most targeted sector since January 2021, having witnessed 143 attacks (30%) in May 2024, up from 116 in April. Despite increasing at a lower rate than the global total, 32% higher in May than April, its proportional share only dropped from 31% to 30%. This highlights just how prominent the targeting of the sector is for ransomware threat actors.
Coming in second, the Technology sector also saw a significant increase in attacks, rising from 49 to 72 (47%) month-on-month. This rise is driven by the value of its data and intellectual property, substantial financial resources, and the rich environment of data and connected devices in tech companies, offering numerous targets for cybercriminals.
While the Industrials and Technology sectors saw increases, in third place, the Consumer Cyclicals sector experienced a slight decrease in attacks, dropping from 62 in April to 59 in May.
Overall, the significant increase in total ransomware attacks—114 more than in April—highlights a growing and shifting landscape of cyber threats.
Matt Hull, Global Head of Threat Intelligence at NCC Group, said:
Following the takedown of LockBit 3.0 earlier this year, speculation has swirled around whether the group would simply dissolve, as we’ve seen with other threat groups like Hive. However, the current surge in victim numbers suggests a different story. It’s possible that amidst law enforcement action, LockBit not only retained its most skilled affiliates but also attracted new ones, signaling their determination to persist. Alternatively, the group might be inflating their numbers to conceal the true state of their organization.
The coming months will reveal whether LockBit can sustain the attack figures recorded in May, and our threat intelligence team at NCC Group will be keeping a close eye on the group’s activity.