LockBit, RansomHub Lead Ransomware Attacks in July
Global ransomware attacks surged by 19% in July compared to June, climbing from 331 to 395 incidents, according to the latest data from NCC Group.
RansomHub emerged as the most active threat actor in July, with a 59% increase in attacks over the previous month, accounting for 11% of all ransomware activity.
LockBit 3.0 also saw a dramatic rise in activity, with a 236% increase in attacks, making it the second most active cybercriminal group in July.
Despite this uptick, the figures represent a 21% decline from July 2023, when 502 attacks were recorded.
Akira followed as the third most active gang, with a 45% increase in attacks from June. The report highlighted a significant geographic shift in targeting, with ransomware incidents outside North America rising sharply.
Oceania experienced a 120% increase, South America saw a 29% rise, and Africa reported a 50% increase in attacks.
The hotels and entertainment sector within consumer verticals was particularly hard hit during the summer, making it the most targeted sector for ransomware attacks in July.
TTPs Continue to Evolve
Matt Hull, global lead for strategic threat intelligence at NCC Group, said the tactics, techniques, and procedures (TTPs) of ransomware actors continue to evolve to improve the likelihood of success, evade detection, or improve efficiency; as a result, defenders are often left playing catch-up.
“As defenders become more successful in preventing attacks, criminals identify new avenues to achieve their goals, and this perpetuates this cycle,” he said.
He added that in recent years ransomware attacks have been an ever-present danger, warranting international law enforcement intervention and government legislation to limit the activities of these groups and discourage ransom payments.
“This has resulted in some significant takedowns of notorious ransomware groups by law enforcement,” Hull said. “Organizations are also more aware of the threat and have bolstered their defenses.”
This has resulted in a decline in the average ransom payout, but the attackers continue to adapt their approach.
One such approach is the use of infostealers: Trickbot, Conti and LockBit have all been linked to infostealers.
This includes the use of the Vidar and LummaC2 infostealers, as well as LockBit's expressed interest in purchasing the Raccoon Stealer source code.
Infostealers Result in Data Breaches
Infostealers have been making headlines due to their role in harvesting valid corporate credentials, leading to significant data breaches.
Hull pointed out that the recent CrowdStrike incident, in which a content configuration update for the Falcon Sensor on Windows led to global IT outages, was exploited by threat actors who used a fake recovery repair manual to lure victims into installing information-stealing malware.
“The use of info stealers has increased recently, and this is unsurprising given that they reduce the burden on criminals wishing to gain access to organizations and their networks,” he said.
He explained that it is far easier, faster, and often cheaper to use stolen valid credentials to access a network than it is to find usable exploits and leverage them for initial access.
Ian Usher, deputy global head of threat intelligence for NCC, said the rise in sophisticated techniques, such as the use of information-stealer malware in the pre-attack phase, highlights that cybercriminals are not standing still.
“As these threats evolve, so must our defenses,” he said. “It’s crucial that we leverage the latest technologies and maintain robust, intelligence-driven security measures to stay ahead, or risk falling behind in this ever-escalating battle.”
Hull added that threat actors, no matter how capable they are, continue to succeed by exploiting basic failings in security controls: poor password management policies, unpatched systems and social engineering, to name a few.
“This is where cyber security fundamentals are essential,” he said. “Patch management, strong password management and policies, implementation of MFA, robust detection and monitoring capabilities, and of course user awareness against social engineering.”