NCC Group Monthly Threat Pulse – Review of June 2024

Steep decline in LockBit 3.0 attacks sees reduced ransomware levels across June

• Total ransomware cases in June were lower than the average for the year, at 331 attacks.
• LockBit 3.0 showed a significant decrease in activity, with only 11 attacks.
• Industrials remains the most targeted sector, accounting for 31% of attacks in June.
• North America and Europe accounted for 79% of all cases.

June 2024 – Global levels of ransomware attacks sunk below the average number of yearly attacks for the first time since January. There was a total of 331 attacks across the month, according to NCC Group’s Threat Pulse.

Those figures represent a decrease from previous months in 2024, with bigger players thought to be becoming increasingly cautious due to increased international law enforcement efforts to tackle ransomware activity.

LockBit 3.0 on the decline

LockBit 3.0 activity fell to a mere 11 attacks in June, with Play taking the reins as the most prolific threat actor in June, with 35 total attacks.

RansomHub followed with 27 attacks. It is perhaps unsurprising given recent Microsoft reports that cybercrime group Octo Tempest, also known as Scattered Spider, has incorporated RansomHub as well as Qilin into its arsenal.

Data also revealed that Akira RaaS took the third spot with 20 attacks and Cactus was responsible for 18 attacks in June. Other threat actor activity levels, such as Medusa and BlackSuit, remained consistent with previous months.

A decrease in global attacks, though the same regions remain at risk

North America remained the most targeted region, representing 52% of total global attacks (173). Europe followed with 27% of attacks (90), with Asia witnessing 27 attacks (11%).

Industrials continues to be highly targeted

The distribution of attacks across sectors showed notable variations, indicating a potential shift in cybercriminal targeting strategies.

The Industrials sector remains the most targeted sector, accounting for 32% of attacks in June, with Technology (50 attacks) and Consumer Cyclicals (46 attacks) close behind.

The Government sector saw 10 attacks in June, a declining amount from previous months which could be attributed to the Operation Cronus crackdown on LockBit 3.0, who had been prevalent in the sector.

Spotlight: The fall of LockBit 3.0

LockBit 3.0 underwent a significant decline in activity in June, likely the result of law enforcement efforts to dismantle the group - notably via Operation Cronos. This demonstrates how successful law enforcement intervention can positively impact the threat landscape. 

There has been speculation that LockBit 3.0 has not actually managed to recover its full operation as a result, reposting data from old victims to create an image of invulnerability to law enforcement efforts. 

LockBit 3.0’s absence has created a huge void in the ransomware threat landscape, and a future resurgence to the group’s previous heights is dependent on whether it can make an unwelcome return. Other ransomware groups may well take advantage of the power vacuum.

Matt Hull, Global Head of Threat Intelligence at NCC Group said:

“Overall, June's ransomware landscape was characterised by ongoing shifts, with LockBit 3.0's steep decline, and Play remaining a formidable force in the threat landscape.

“The cyber threat landscape in the first half of 2024 has been marked by a series of significant events that have had a profound impact on global cybersecurity. We have seen major cyber incidents that have disrupted businesses, healthcare systems, and critical infrastructure across North America, Europe, and Asia Pacific region.

“These incidents have ranged from data breaches to aggressive ransomware attacks, highlighting the evolving nature of cyber threats and the increasing capabilities of cyber adversaries. Equally, we’ve seen how external pressures on ransomware operations can significantly disrupt even the most prolific threat actors. These changes underscore how cyber security resilience must persist as a key priority for organisations across all industries.”