NCC Group Monthly Threat Pulse – Review of November 2024

Akira takes the lead 

Akira was the most active threat actor this month with 87 attacks. RansomHub was knocked off of the top spot to second position with 80 attacks, followed by ElDorado in third with 43 attacks, and Killsec in fourth with 33 attacks. 

North America and Europe experienced over three quarters of all attacks

 North America remained the most targeted region, accounting for 58% of total global attacks (326) a noteworthy increase from 272 in October, and Europe followed with 20% of attacks (114). The Russian-attributed threat group Sandworm was responsible for sustained espionage activity across both regions, with particular focus on the energy sector in Europe.

Asia experienced a decrease in attacks, dropping from 68 in October to 58 in November. In contrast, attacks in South America increased to 35, up from 20 in October, with Oceania also witnessing a slight increase, while Africa's attacks doubled. 

Industrials remains the prime target

The Industrials’ sector remained the most targeted with 181 attacks in November, accounting for 33% of all sectors targeted, demonstrating the continued threat to Critical National Infrastructure (CNI). The Consumer Discretionary sector followed with 119 attacks, and in third position was Information Technology with 72 attacks. 

Ransomware spotlight: New players and threat group collaboration are changing the game 

Last month, new ransomware strain Ymir emerged as a dominant player after first being accounted for in July this year. The group recently used RustyStealer malware to target a Colombian organisation, compromising credentials and deploying ransomware stealthily. Ymir's advanced configuration options and memory-based operations helped it evade detection.

Security experts have speculated that Ymir may have acted in collaboration with other groups. To this trend, nation-state actors and hacktivists have worked together using ransomware for financial gain and political motives. Such collaboration has been influenced by geopolitical events such as the Russian invasion of Ukraine and have drawn nation-state threat groups together with the same aims. 

The threat group Sandworm, linked to Russian intelligence, is a prime example of the increasing danger that nation-state groups pose due to the diversity of its operations which includes cyber espionage and influence campaigns. 

Matt Hull, Head of Threat Intelligence at NCC Group, said:

"The relentless activity of various cyber threat actors has almost become commonplace, but the focus on the industrial sector and particularly organisations that operate as part of critical national infrastructure (CNI) remains a real concern. 

Despite continued sector focus, there’s an interesting picture to paint when it comes to patterns of how threat groups operate. The collaboration between threat groups and blurring of lines between criminal and state-sponsored activity, often linked to geopolitical tensions, creates a dynamic threat landscape where motives behind attacks can be difficult to discern. This has been further highlighted in warnings issued by the UK’s NCSC in their recent Annual Review. 

As 2024 draws to a close, the immediate global threat of ransomware remains, so we’d urge companies to be more vigilant than ever when protecting against attacks. And, as we enter the holiday period, please stay secure and be mindful of the usual seasonal influx of scam and phishing emails which impact us all personally at this time of year.” 

Download the November Threat Pulse