LockBit Most Prominent Ransomware Actor in May 2024
The notorious LockBit group has reemerged to become the most prominent ransomware actor in May 2024, according to a new analysis by NCC Group.
LockBit 3.0 returned to the fold in May to launch 176 ransomware attacks, 37% of the total number for the month. This represents an enormous 665% month-on-month increase for the ransomware-as-a-service (RaaS) gang.
LockBit’s activity in May was higher than the next most prominent groups: Play, which was responsible for 32 attacks (7%), and RansomHub with 22 attacks (5%).
The resurgence follows a period of LockBit being dormant following the global law enforcement operation, known as Operation Cronos, which took down key infrastructure used by the group in February 2024.
At the time, a number of experts warned that LockBit operators were likely to evolve and resurface at some stage if no arrests were made. In February 2024, a LockBit admin published a long message admitting negligence in enabling the law enforcement takedown, but insisted they were resuming their ransomware business, creating a new leak site.
Prior to the law enforcement takedown, LockBit dominated the ransomware landscape.
Matt Hull, Global Head of Threat Intelligence at NCC Group, said that the new figures show that speculation that LockBit 3.0 would dissolve following Operation Cronos, as has happened with other threat groups like Hive, could be incorrect.
“It’s possible that amidst law enforcement action, LockBit not only retained its most skilled affiliates but also attracted new ones, signaling their determination to persist. Alternatively, the group might be inflating their numbers to conceal the true state of their organization,” commented Hull.
“The coming months will reveal whether LockBit can sustain the attack figures recorded in May, and our threat intelligence team at NCC Group will be keeping a close eye on the group’s activity,” he added.
NCC Group found that several new groups entered the list of top 10 threat actors in May. This includes Dan0n, initially spotted in April, in 8th position with 13 attacks, and newly established operator Arcus Media in 10th with 11 attacks.
Read here: #Infosec2024: Ransomware Ecosystem Transformed, New Groups “Changing the Rules”
Overall, global ransomware attacks rose by 32% month-on-month (356 to 470), and by 8% year-on-year (435 to 470).
Industrials the Most Targeted Sector
NCC Group’s Threat Pulse report for May found that industrials was the sector most targeted by ransomware actors, making up 30% of attacks.
The 143 attacks targeting this industry was significantly higher than in April, when industrials faced 116 attacks, but a similar proportional share.
The second most targeted industry in May was technology, which also saw a significant increase in attacks month-on-month, from 49 to 72, a 47% rise.
The researchers said this increase was driven by the value of its data and intellectual property, substantial financial resources, and the rich environment of data and connected devices in tech companies.
The report also highlighted notable regional ransomware attack trends. The proportion of total global attacks targeting North America declined from 58% to 49% month-on-month, while attacks in Europe grew by 65% in the same period.
There were significant increases in the proportion of attacks targeting South America and Africa from April to May – from 5% to 8% in South America, and 3% to 8% in Africa.
NCC Group believes this trend could be due to these regions being used as a “proving ground” to test the viability of new malware packages and attack methodologies.
