NCC Group Monthly Threat Pulse - January 2024

2024 marks the most active January for ransomware attacks in three years.

• Total ransomware cases in January 2024 fell by 27% from December.
• 8base (10%) and Akira (9%) climb the ladder towards most prominent threat actor.
• Industrials (34%), Consumer Cyclicals (16%), and Technology (10%) were the most targeted sectors.
• North America and Europe were targets for 86% of all cases.

February 2024 - In January 2024, global levels of ransomware attacks fell by 27% from December, with a total of 285 cases compared to 391 in the previous month, according to NCC Group's December Threat Pulse.

However, year-on-year ransomware attacks in January continue to rise. Data from January 2024 shows that levels of ransomware attacks were up 73% from 2023 and 138% from 2022, marking a steep upward trajectory of attack volume over the last three years.

8base and Akira climb the ladder toward the most prominent threat actor.

While Lockbit was responsible for 64 cases (22%), maintaining its position as the most prominent threat actor, 8Base (10%) and Akira (9%) climbed from fourth and eighth to second and third, respectively. This marks a notable increase from December.

Black Basta, BianLian, and Medusa are in fifth, sixth, and eighth positions with 19 cases (7%), 17 cases (6%), and 13 cases (5%), respectively. However, none of these groups were part of the top ten in December, marking a significant reshuffle of key players.

Attack numbers continue to fall across every region.

Unsurprisingly, North America and Europe remain the two most targeted regions in January, with 86% of global attacks between them. North America experienced 59% (169) of all attacks, down 15% from 199 in January. With 75 attacks in January, Europe saw a 34% decrease.

Asia is the third most targeted region for ransomware in January. The scale of the attacks the region observes, however, pales in comparison to Europe and North America. Asia suffered only 22 total attacks, down 41% from December's 47 attacks, representing under 8% of the global total.

Industrials dominate sector attacks.

January's top 4 sectors attracting ransomware attacks replicate those from December 2023, with Industrials dominating the landscape accounting for 34% (96) of the 285 attacks seen this month.

Consumer Cyclicals came in significantly lower in the second spot, with 16% (46); Technology is in third place with 10% (28), and Healthcare retained fourth position with 8% (24) of all attacks in January.

It is worth noting that this year the Industrials sector has started with a significantly higher volume of attacks (96), representing a 96% uplift year on year.

January's stats show that a whole range of sectors were vulnerable to attacks. Outside the top 4, Consumer Non-Cyclicals and Basic Materials rose significantly to 5th and 6th place, respectively.

Spotlight – Hydradynamics

Despite malware family Hydra's notable activity last month, January showed activity indicators going down. The numbers show only one "hydra head" as active, albeit persistently so, namely, an ongoing campaign targeting financial institutions in the DACH region.