LockBit 3.0 remains the most active threat actor as ransomware
In a surprising finding, a new report from NCC Group plc shows that the number of ransomware attacks dropped in January from December, but was still the highest for January in three years.
The NCC Group Monthly Threat Pulse for January 2023 details 165 ransomware attacks in January, down 38% from December 2022. LockBit 3.0 was found to remain the most active threat actor, with 50 attacks, 30% of those detected. Vice Society sat in second place with 13% of attacks, followed by BlackCat at 12%.
LockBit 3.0, which emerged midway through last year, targeted 32% of its attacks against the industrial sector, followed by consumer cyclicals at 16% and technology organizations at 14%. By contrast, Vice Society, a Russian ransomware-as-a-service group, targeted 45% of its attacks at academic and educational services.
BlackCat had a broader attack range, with 25% of its attacks targeting the industrial sector, followed by basic materials, healthcare and consumer cyclicals, each accounting for 15% of the group’s targets.
By region, North America topped the ransomware attack list in January, attracting 41%, or 68 attacks, followed by Europe at 34% and Asia at 12%. By sector, industrials attracted 30% of attacks, followed by consumer cyclicals at 15% and academic and education at 11%. The report notes that it was the first time in a year that academic and education had surpassed the technology and government sectors into third place, driven by a spike in activity from Vice Society.
The report also highlights the rise of threat actor “AcridRain.” The group first emerged in October 2022 and has started to gain traction with a revamped “infostealer,” which is malware designed to steal victim information, including passwords.
The new iteration of malware from AcridRain is described as “one to look out for,” since it rebrands itself to fit the current “market” standard functionality of infostealers. This is said to allow the group to refocus on targeting cryptocurrency and crypto wallets specifically, renting out stealer software to other actors. NCC Group expects AcridRain to evolve further and develop its operations, capability and reach over the coming months.
“January observed a steady amount of ransomware attacks, which is close to what we expect for this period of the year,” Matt Hull, global head of Threat Intelligence at NCC Group, said in a statement. “Having said that, the total volume of ransomware attacks recorded this month is higher than we’d normally see in January, an indication of how ransomware attacks are on the rise generally.”