NCC Group Monthly Threat Pulse - June 2022

• Ransomware attacks decreased by 42% in June, compared to the previous month
• Industrials (37%), Consumer Cyclicals (18%), and Technology (11%) remain most targeted sectors
• Lockbit 2.0 most active attacker (55 victims), but decreasing as Lockbit 3.0 is established (4 victims)
• Attacks by Conti fall 94% as group disbands

The ransomware threat scene continues to evolve with the newly established Lockbit 3.0 making its mark and Conti, recording just 1 attack in June, as reported by NCC Group’s Strategic Threat Intelligence team.

Continuing the recent trends on number of attacks carried out, the amount overall fell from 236 in May to 135 in June, representing a 42% overall decrease.

Despite seasonal variations possibly being at play, the reduction in activity is most likely due in part to the recent disbanding of Conti, along with the retirement of Lockbit 2.0 and subsequent appearance of Lockbit 3.0.

Sectors

Sector trends continued the usual pattern with the most targeted sectors in June being Industrials, making up 37% of ransomware attacks, followed by Consumer Cyclicals (18%), and Technology (11%).

Regions

From a regional perspective, Europe remained the most targeted region for the second month in a row with 41% of attacks compared to North America’s 36%.

Threat actors

Lockbit 2.0 remained the top threat actor, however the number of attacks decreased from 95 to 55 attacks, likely due to the transition to its Lockbit 3.0 variant. Despite this, Lockbit 2.0 remained the clear leader, with 244% more attacks than the second top threat actor Black Basta (16 victims).

Meanwhile, Conti was responsible for 94% less ransomware attacks than it was in May, with just one recorded attack, as the ransomware group disbands and begins to integrate itself with other, smaller groups, as discussed in the May Threat Pulse.

Spotlight on Lockbit 2.0/3.0

Even as the number of ransomware attacks from Lockbit 2.0 has reduced, the group continues to be at the forefront of the threat landscape and the most prominent threat actor.

Reduction in Lockbit 2.0’s activity is likely due to the group’s transition to a new alias Lockbit 3.0 - or LockBit Black, as the group has dubbed it themselves - meaning its attention towards attacks has been divided.

When Lockbit 3.0 has been fully established, it is expected that the threat actor’s volume of attacks will increase. This is supported by the fact that its top targets remain industrials (45%), consumer cyclicals (16%), and technology (11%), despite it being in a transitionary phase.

Matt Hull, global lead for strategic threat intelligence at NCC group, said: “This month’s Threat Pulse has revealed some huge changes in the ransomware threat scene. As long reigning top threat actor Conti has all but disappeared and Lockbit 3.0 rises to prominence, it is clear we are in a transitionary phase. Organisations should not take the overall drop in ransomware attacks at face value and will need to remain ever vigilant.

“We anticipate that the volume of attacks will increase over the coming months as threat actors such as Lockbit and Black Basta regain focus, a reminder that this is an ever-changing landscape that needs to be monitored continuously. In particular, companies operating in the industrials space should be on high alert, as this sector continues to be the top target for ransomware attackers.”

Keep up to date with our latest insights

Never miss a threat intelligence update - sign up to receive our monthly insights into the emerging advances in threat landscape and for our next quarterly Threat Monitor webinar here.