Ransomware attacks stabilise in April - NCC Group
The number of victims of ransomware attacks appears to have stabilised during April 2022, according to NCC Group.
There were 288 ransomware attacks in April, a small increase on March, with North America (46%) the most targeted region, followed by Europe (33%). Industrials (35%) Consumer Cyclicals (19%), and Technology (10%) were the most targeted sectors.
NCC says this levelling out of attacks may suggest that ransomware groups may have reached their optimum level of activity this year. However, the number of ransomware incidents per month continues to be higher than in 2021.
The most targeted sectors in April were industrials, making up 35% of attacks, followed by consumer cyclicals, making up 19% of attacks. With similar results to March, it remains clear that there is an unrelenting interest in these sectors from ransomware threat actors.
Similarities between the sectors may reveal why they are popular victims of ransomware groups. For example, the fact that these sectors work with a vast and diverse clientele means that the pressure on the victim – and therefore the impact of the ransomware campaign – is larger.
In addition, North America continues to be the most targeted sector, making up 46% of attacks, followed by Europe, which made up 33% of attacks. Together, the two regions are the target of the majority of attacks, reflecting the ever-present threat to organisations in these regions.
There were notable fluctuations in threat actor targeting in April. While Lockbit 2.0 (103 victims) and Conti (45 victims) remain the most prolific threat actors, victims of CL0P increased massively, from 1 to 22.
Spotlight on CL0P
CL0P had an explosive and unexpected return to the forefront of the ransomware threat landscape, jumping from the least active threat actor in March to the fourth most active in April.
The most targeted sector for CL0P was industrials, which made up 45% of CL0P's attacks, followed by technology with 27%. This is consistent with Lockbit and Conti's sector targeting, however, they have a slightly greater interest in the technology sector, perhaps following the recent victimisations of tech giants such as Samsung and Nvidia.
While it is hard to predict whether CL0P attacks will continue to increase, the NCC Group team says it will continue to monitor the threat actor's activity as it happens.
"Although ransomware attacks appear to have steadied, the number of attacks in April is still relatively high compared with previous years," says Matt Hull, global lead for strategic threat intelligence at NCC Group.
"It is still critical that organisations – especially within the most highly targeted sectors – remain vigilant, and prepare themselves with the appropriate security measures," he says.
"North America has been the most targeted region of double extortion ransomware attacks for some time now – so organisations in this country should be as stringent as possible with security measures," says Hull.
"Although there was a small decline of attacks in Europe, organisations should still remain on high alert to the risk of ransomware campaigns.
"The increase in CL0P's activity seems to suggest they have returned to the threat landscape. Organisations within CL0P's most targeted sectors – notably industrials and technology – should consider the threat this ransomware group presents, and be prepared for it.