- In July, there were 198 reported ransomware attacks, a considerable increase from the 159 logged in July 2021 and a month-over-month and year-over-year increase.
- Additionally, the rise contradicts a generally reliable seasonal trend that witnessed a reduction in ransomware activity from May through June into July.
- This is corroborated by data from the consulting company NCC Group, whose Strategic Threat Intelligence team observed a 45% increase in ransomware attack occurrences for July over the same time last year.
This summer, ransomware operators are back with a fury as monthly assault volumes rise during a period when they usually decline.
The number of ransomware attacks increased MoM and YoY in July
This is supported by statistics from the consulting firm NCC Group, whose Strategic Threat Intelligence team noted a 45% rise in ransomware attack events for July over the same period last year. An increase from June’s 135 attacks to 198 attacks was seen by researchers.
According to NCC Group experts, some prominent ransomware gangs that had previously been hiding out have returned, which has led to an increase in attacks. Having increased their numbers and improved their tactics, those gangs reappeared in July with a vengeance.
“Following the considerable decrease from May to June (from 236 to 135), it is likely that the threat actors that were undergoing structural changes, such as the Conti operators and LockBit, have begun settling into their new modes of operating, resulting in their total compromises increasing in conjunction,” stated the NCC Group analysts.
Along with Conti and LockBit’s comeback, July saw the emergence of a few new ransomware operations. In a month where ransomware attacks increased from five in June to 23 in July, HiveLeaks ransomware operators particularly increased their efforts. With regard to monthly attacks, this was sufficient to move HiveLeaks up from seventh to second.
The most widely used ransomware variation, ahead of HiveLeaks, is still LockBit 3.0. The third-placed malware, Black Basta, was followed by Alphv and Clop, making up the top five.
“This month’s Threat Pulse has revealed some major changes within the ransomware threat scene compared to June, as ransomware attacks are once again on the up. Since Conti disbanded, we have seen two new threat actors associated with the group, Hiveleaks and BlackBasta, take top position behind LockBit 3.0. It is likely we will only see the number of ransomware attacks from these two groups continue to increase over the next couple of months,” said, Matt Hull, Global Head of Threat Intelligence at NCC Group.
The industrial sector was by far the most frequently targeted, with professional and commercial services being the most preferred victims, followed by building and engineering operations.
“Following two major cryptocurrency heists, Lazarus Group seem to be improving their crypto-theft and ransomware operations, so it is more important than ever to monitor their activity closely. Cryptocurrency organisations in the US, Japan and South Korea should remain on high alert,” he added.
Ransomware operators are driven to the vast attack surfaces that most industrial networks offer, according to NCC Group experts.
“Industrials is a sector that continues to be heavily targeted and successfully compromised due to its broad range of industries within, the costliness of operational disruption, and its vast distribution of operational technology and legacy systems,” said NCC Group.
The number of ransomware attacks increased month over month and year over year in July, with 198 documented ransomware attacks representing a significant rise from the 159 logged in July 2021.
The increase also breaks with a fairly consistent seasonal pattern that saw ransomware levels decline from May and June into July. The analysts pointed out that the development might not have been an isolated anomaly.
“As July’s increase takes place just after Conti’s integration into alternative ransomware groups (such as Black Basta) and LockBit’s third metamorphosis, it is likely that this year-on-year disparity is as a result of this,” explained NCC Group analysts. “No such activity was taking place in 2021, and as a result, June-July of 2021’s figures were possibly representative of general seasonal changes in activity,” they added.