NCC Group Monthly Threat Pulse – Review of February 2024

20 March 2024

2024 marks the most active February for ransomware attacks in three years.

  • Total ransomware cases in February 2024 increased by 46% from January.
  • Hunters (10%) and Qilin (9%) climb towards the most prominent threat actors.
  • Industrials (32%), Consumer Cyclicals (15%), and Consumer non-cyclicals (10%) were the most targeted sectors.
  • North America and Europe were the targeted regions in 85% of all cases.

In February 2024, global levels of ransomware attacks increased by 46% from January, with a total of 416 cases compared to 285 in the previous month, according to NCC Group's Threat Pulse from last month.

Year-on-year, ransomware attacks continue to rise. Data from February 2024 shows that levels of ransomware attacks were up 73% from 2023 and 124% from 2022, marking a steep upward trajectory of attack volume over the last three years.

Hunters and Qilin climb the ladder toward the most prominent threat actor.

Continuing its seven-month reign, and with nearly double its 64 attacks in January, LockBit 3.0 was responsible for 110 cases (33%), followed by Hunters (10%) and Qilin (9%), which climbed from seventh and tenth to second and third, respectively.

Jointly in third position are BlackCat and Qilin, with 30 cases (9%). Though BlackCat is accustomed to being included in the most active monthly threat groups, Qilin, like Hunters, is relatively new to these activity levels.

BianLian, Play, and 8Base are in fourth, fifth, and sixth positions with 27 cases (8%), 25 cases (7%), and 24 cases (7%), respectively, all of whom were part of the top ten in January.

Ransomware attacks in North America and Europe surged by over 100% year-on-year.

For the second time in 2024, North America and Europe dominate the total number of regional ransomware attacks, with over 85% of cases.

North America experienced 55% (230) of all attacks, up 27% from 169 in February. With 123 attacks in February, Europe saw a 64% increase month-on-month.

In the remaining 15% of attacks, Asia experienced 30, South America 18, Oceania 7, and finally Africa and undisclosed just 4 victims each. These figures are mostly consistent with last month's figures, with just 1% differences between some regions.

Industrials continue to dominate sector attacks.

February's top 4 sectors attracting ransomware attacks mirror those of January 2024, bar Technology, which replaced Consumer non-cyclicals in third place, despite a 4% increase month-on-month. Industrials continue to dominate the landscape, accounting for 32% (134) of the 416 attacks observed in February, which, compared to January, represents a significant increase of 40% from 96 cases.

Consumer Cyclicals maintains the second spot with 17% (66) and an increase of 66% from January. Consumer Non-Cyclicals was up two positions in February due to its increase in attacks by 135% (40), accounting for 10% of the total activity observed in the month.

The most significant decrease in attacks came from the Academic & Educational Services sector, which saw a decline of 41% from 17 attacks in January to 10 in February (-7). This sector also saw its position in the list drop three places to tenth, accounting for 2% of observed attacks in the month.

Spotlight: RaaSCycling

Recently, Operation Cronos made waves in law enforcement efforts against global digitally enabled crime, targeting the LockBit group. Following this, ALPHV (also known as BlackCat), a ransomware group, pulled off an exit scam under the guise of being disrupted by the FBI. Despite these high-profile incidents, smaller threat actors in the cybercriminal space remain motivated. So far this year, over ten new ransomware groups have emerged, with six being advertised on a Russian forum catering to ransomware-related activities.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said:

"Recent law enforcement activity has the potential to polarize the ransomware landscape, creating clusters of smaller RaaS operators that are highly active and harder to detect due to their agility in underground forums and markets. 

"From our research in various criminal and dark web forums and marketplaces, it appears that the attention drawn by the larger 'brand' ransomware, such as LockBit and Cl0P, is leading to new and small generic RaaS affiliate partnerships becoming the norm. As a result, detection and attribution could become harder, and affiliates may easily switch providers due to low entry thresholds and minimal monetary involvement. 

"For readers, this means maintaining vigilance. As big ransomware gangs continue operating, the anxiety around new and unestablished ransomware-as-a-service threats should not change your approach to defending and mitigating ransomware threats. These groups, big and small, will likely be using tried and tested tactics, techniques, and procedures.

"We will continue our ongoing research in the dynamics of ransomware groups and, as always, will endeavor to share any intelligence, insights, and new developments in the threat landscape as soon as we are able."
