NCC Group Monthly Threat Pulse – Review of April 2024

22 May 2024

LockBit 3.0 ends eight-month reign as most prominent threat actor

  • Overall ransomware activity declined in April 2024.
  • LockBit 3.0 ends its eight-month reign as the most prominent threat actor, with fewer than half the observed attacks in March.
  • Industrials (34%) and Consumer Cyclicals (18%) were once again the first and second-most targeted sectors.
  • Europe experienced 35% fewer attacks than March 2024.

Global ransomware attacks decreased by 15% from March 2024, following similar trends to 2023. Attacks dropped from 421 to 356, according to NCC Group’s April Threat Pulse.

However, year-on-year ransomware attacks in April increased by 1%, going from 352 in 2023 to 356 in 2024. The takedown of LockBit 3.0 earlier this year was likely a significant contributor to this slight increase.

 

Major threat actor shake-up

The ransomware landscape has proved turbulent this month. Previously dominant LockBit 3.0 lost pace, with a significant 60% drop in attacks (23), following its takedown in February.

Play took the top spot with 32 attacks (14%), moving up the ranks since the start of 2024 to become a significant player in the threat landscape. Using double extortion tactics, Play ransomware exfiltrated data and then encrypted systems, using the threatened data exposure to pressure victims to pay.

Hunters moved from 8th position with 18 attacks in March to 2nd most prolific in April, claiming 29 attacks (12%), an increase of 61%, having taken over infrastructure and source code from the defunct Hive ransomware group.

Ransomhub rounded out the top three with 27 attacks (11%). The group has set strict rules for affiliate conduct in a move expected to encourage increased payment from victims who have watched other groups take payment without decrypting their data.

 

Ransomware attacks in Europe down 35%

North America and Europe continued to dominate the total number of regional ransomware attacks, with over 80% of cases, continuing the trend for 2024.

North America experienced 15 fewer attacks in April. However, the decline in attacks across continents has increased the region's proportion of attacks from 53% to 58%. Conversely, attacks in Europe decreased by 7%, with 42 (35%) fewer attacks.

We expect a shift in trends in South America and Africa. While these regions were in fourth and seventh place, respectively, in April, a recent report stated that developing nations had become a “proving ground” to test the viability of new malware packages and attack methodologies. So, Africa and South America may start to receive more attacks over the year.

 

Industrials continue to dominate sector attacks

Industrials remains the most targeted sector since January 2021, having witnessed 116 attacks (34%) in April 2024, down 13 from the previous count of 129.

Despite the overall reduction in observed attacks, Industrials claimed a higher proportion of all attacks in April (33%) than in March (31%). This consistently high number of attacks stems from the high number of vulnerabilities in these industries. Sectors such as production and construction are more likely to pay ransomware actors for data or system access to prevent disruption and downtime.

Consumer Cyclicals came in second, with 62 attacks (18%). This was a reduction of 13 from the 75 attacks witnessed in March, a reduction of just over 17%. This sector was the second most targeted every month (with the exception of May when it came in third place). Threat actors target valuable customer data in sectors such as hospitality and retail to use for future extortion.

Frequent members of the top ten most targeted monthly sectors, Technology, with 49 attacks (14%), and Healthcare, with 29 attacks (9%), were in third and fourth place, respectively.

 

Spotlight: Vultur Malware – A smart attack on smartphones

Fox-IT, part of NCC Group, has released an in-depth breakdown of some newly found technical features inside Vultur, a nefarious Android banking malware.

It was one of the first Android banking malware families to include screen recording capabilities and contains features such as keylogging and interacting with a victim’s device screen. Vultur mainly targets banking apps for keylogging and remote control. ThreatFabric first discovered Vultur in late March 2021.

The authors behind Vultur have now been spotted adding new technical features. These features allow the malware operator to interact with the victim’s mobile device remotely. This involves interacting with the victim’s screen in a way that is more flexible than using AlphaVNC and ngrok.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said:

“Despite the successful takedowns of major groups like LockBit, now is not the time to slow down efforts to protect against cyber threats. The continuous rise of new and equally menacing threat actors, alongside constant development of AI and emerging technologies, poses a unique risk to society that we must collaborate globally to mitigate.”

“The year-on-year rise in ransomware attacks is likely linked to the explosion of AI, which is revolutionising how threat actors can operate. However, it’s not all doom and gloom. We should be adopting AI to fight against these threats. But we need to act quickly so we don’t end up playing catch-up to these threat actors.”

Contact

NCC Group Press Office

All media enquiries relating to NCC Group plc.

press@nccgroup.com

+44 7721577574