Skip to navigation Skip to main content Skip to footer

NCC Group Monthly Threat Pulse - August 2023

26 September 2023

  • Ransomware attacks down 22% in August after reaching record levels in July
  • Lockbit was the most active threat actor in August, responsible for 125 of 390 total attacks
  • Industrials (31%), Consumer Cyclicals (17%) and Technology (9%) were the most targeted sectors
  • North America (47%) was the most targeted region, followed by Europe (28%) and Asia (15%)

August 2023 saw a drop in ransomware attacks according to NCC Group’s August Threat Pulse, with 390 attacks representing a 22% drop from July. It comes after back-to-back record months in June and July, largely the result of Cl0ps MOVEit exploitation and the ongoing impact of the attack.

Lockbit 3.0 back in the top spot

Lockbit 3.0 returned to pole position in August, responsible for carrying out the largest volume of attacks at 125, 32% of total attacks in the month. It represents a 150% month-on-month increase on its July activity. BlackCat took the second spot with 41 attacks (11%), followed by 8Base with 32 (8%).

As expected, there was a steep fall in activity from Cl0p. The repercussions from its MOVEit exploitation seem to have largely subsided, with the group responsible for only 1% (3) of all attacks, a 98% decrease from July and June where Cl0p launched 161 ransomware attacks.

Cl0p’s slowdown of activity in August is similar to patterns witnessed in March earlier this year, after its mass exploitation of the GoAnywhere vulnerability was followed by a quiet period of attacks from the group.

Akira, a more recent ransomware player whose activity was first noted in April, has climbed to fourth place in August, after ranking in 8th place in July. The group focused 26% of its activity in the industrials sector and had a particular focus on the education sector.

Industrials continues to be the most targeted sector

Industrials continues to be the most targeted sector representing 31% of all attacks in August. Threat actors continue to target the sector to exploit personally identifiable information (PII) and intellectual property (IP), with larger organisations remaining a specifically active target for threat actors looking to increase their revenue from ransomware attacks.

The top three industries within the sector targeted in August were professional and commercial services followed by machinery, tools, heavy vehicles, trains and ships, with construction and engineering placing third.

North America remains the most targeted region

47% of all ransomware attacks in July took place in North America, consistent with previous months. However, the region experienced a 7% relative drop in August, as compared to July where it held 54% of all victims. Europe remains in second place with 108 victims in August, representing 28% of total attacks.

Interestingly, the volume of ransomware attacks experienced in Asia has climbed in comparison to recent months, accounting for 15% of the total - an amount not witnessed since February this year.

Spotlight: Geopolitical influence on cyber crime

The overall rise in attacks within Asia comes as we witness several geopolitically motivated ransomware campaigns by Chinese threat actor Flax Typhoon, overlapping with Ethereal Panda.

The group’s targeting of Taiwanese organisations across different industries has highlighted how ongoing political tensions continue to have a significant impact on the global cybercrime landscape, posing particular risks to education, manufacturing and critical infrastructure.

The methods adopted by Flax Typhoon also risk being deployed in attacks beyond Taiwan, posing severe risks to wider international security. The group favours Living Off the Land (LOTL) techniques, a method that does not require file installs, code or scripts, that is becoming increasingly popular due to its difficult to detect.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “After two record months for ransomware attacks, the fall in attacks in August was to be expected. The number of victims in June and July was somewhat inflated by the huge success that Cl0p had exploiting the vulnerability in the MoveIT platform. This being said, the number of recorded victims in August were still significantly higher than this time last year.

“In our Threat Spotlight, we highlight the ever-persistent threat of cyber espionage by Nation State Groups and look specifically at the activities of China against Taiwan. What we do know is that there is historical evidence that tactics techniques and procedures are shared by multiple threat Groups in China. As such, with any new campaign it is a necessary reminder to governments and businesses alike that we must remain alert to the activities of threat actors so that we can better prevent and protect against possible intrusion.”

Contact

NCC Group Press Office

All media enquires relating to NCC Group plc.

press@nccgroup.com

+44 7721577574