Ransomware attacks spike almost 53% in March, says NCC Group

The number of victims of ransomware attacks increased by 53% in March to 283, as compared to February’s 185, according to NCC Group’s strategic intelligence team. This represents a 38% growth in attacks from the same period last year (March 2021: 204 incidents).

The Group’s monthly Threat Pulse also suggests the increase in attacks represents a move out of a lull in attacks witnessed in December and January. 

In addition, after North America and Europe suffered an equal number of attacks in February, March represents a return to normalcy, with North America once again reporting the most attacks (44%). Europe returns to its position as the second most targeted region, at 38% of attacks, demonstrating the dominant threat facing organisations across the two continents.

The most targeted sectors in March were once again industrials, making up 34% of attacks, followed by consumer cyclicals, which made up 21% of attacks. This growth in attacks activity indicates a clear trend in targeting activity by sector. 

There continues to be a pattern of fluctuating increases in other sectors, as observed over the past 6 months. The basic materials sector, for example, experienced a 25% decrease in February followed by a 66% increase this March.

Key threat players remained consistent in March, with Lockbit 2.0 and Conti responsible for a substantial 59% of the total number of incidents reported.

Lockbit 2.0 remains the most notable player, accounting for 96 of the 283 attacks identified. As in February, Industrials remains Lockbit 2.0’s dominant target, with 34% of its attacks being within this sector. 

Conti remains the second largest player with 71 attacks. However, the third largest threat actor was Hive, replacing BlackCat (the third largest player in February). Hive accounted for 26 incidents in March – slightly more than BlackCat’s 23.

Spotlight on Lapsus$ Group 

First appearing publicly in December 2021, Lapsus$ has gained notoriety over the last four months, thanks to multiple successful breaches of large enterprises, and remained active in March.

Lapsus$ does not use encryption methods within its operations, meaning it is not classified as a traditional ransomware group. Rather, Lapsus$ should be considered as an extortion group, employing  a ‘hack and leak’ approach to target the confidentiality of victims’ data. 

The group relies on social media platforms to operate, using Telegram to announce its victims, and posting recruitment messages on Reddit.

Matt Hull, global lead for strategic threat intelligence at NCC Group, said: “We can see that ransomware attacks are continuing to spike as the year progresses, showing just how critical it is for organisations to have the appropriate security measures in place to protect themselves. Those working within industrials should be especially vigilant, given how trends show this sector continues to be the most frequently targeted.”

“It’s also interesting to see North America return to its position as the most targeted victim of double extortion ransomware attacks – a ‘return to normalcy’ of sorts, as the region had been on equal footing with Europe for attacks last month. By tracking these patterns, both by sector and regionally, we can monitor the organisations that are potentially at increased risk and should therefore prepare and defend against possible attacks.” 

“Though not the most active player, the continued growth in attacks from Lapsus$ goes to show the ever-evolving nature of the threat landscape, and the high-profile nature of its victims reiterates how organisations of all sizes are at risk within it.”