Ransomware attacks up 81% year-on-year in October

• Overall ransomware activity fell in October by 34% from record breaking September.
• Industrials (33%), Consumer Cyclicals (16%), Healthcare (10%) most targeted sectors.
• North America remains most targeted region (52%), followed by Europe (29%) and Asia (10%).

November 2023 – October’s ransomware attack levels saw a 34% decrease from a record monthly high in September, according to NCC Group’s October Threat Pulse.

Despite the fall from September, the data reveals an 81% year-on-year increase from October 2022, and with two months left of the year, contributes to figures that ransomware gangs have already claimed over 50% more victims than in 2022.

Top threat actors remain similar, with less undisclosed attacks

The usual suspects remained in the top ten most active threat actors in October, with Lockbit 3.0 retaining the lead with 19% (66) of total attacks. Changes include new players Akira, Medusa and INC Ransom joining the list, and Play and NoEscape climbing from 7th and 8th to 2nd and 3rd.

Interestingly, there was a sharp decline (84%) in undisclosed attacks, falling from nineteen attacks in September to just 3 in October. An explanation for the trend could be the 33% decrease in attacks by the ransomware group BianLian this month (from 24 to 16 attacks). Or alternatively, increased cooperation from BianLian's victims may have resulted in this fall.

A changing playing field for threat actors

Drastically changing from last month, when newcomer LostTrust was responsible for 10% of all ransomware attacks (53), the group claimed no victims at all in October.

October also saw law enforcement takedowns of Trigona and RagnarLocker, removing them from the threat actor landscape. The sale of previous key player, RansomedVC, also contributed to drop in total case numbers.

Prime targets on the Western front

Aligned with previous months, North America was the most targeted region in October, maintaining the same levels (52%) of all attacks in September. Europe took second place with 29% of attacks, while Asia was the third most targeted with 10%.

Bucking the trend of previous months, in September, ransomware attacks on Africa increased from 2 to 4, climbing by 100%.

Healthcare joins top three most targeted sectors

In October, Industrials remained the most targeted sector, accounting for one third of all attacks, despite the volume decreasing from 170 last month to 114 in October. The volume of personally identifiable information (PPI) and intellectual property (IP) in the sector, as well as typically large attack surfaces make Industrials a goldmine for malicious attackers.

Consistent with trends, consumer cyclicals maintained its position of being the second most targeted sector.

After seeing attacks on healthcare ramp up last month, a 50% decrease in attacks on the Technology sector (52 in September to 26 in October) saw Healthcare become the third most targeted sector.

Spotlight – Threat actors using Antidetection tools in their arsenal

In the realm of digital deception, antidetection emerges as a powerful tool, allowing for the analysis, replication, and exploitation of digital behaviour while evading detection. One notable player in this covert game is the antidetection browser, commonly known as 'antik,' which enables the creation of numerous unique browser user profiles across multiple tabs without triggering the scrutiny of anti-fraud systems.

Antik employs clever tactics to conceal the primary system's fingerprint, helping users to manipulate aspects of their browser connection. This includes assuming the identity of another device and profile, thereby staying under the radar of websites that scrutinize visitor data to construct user profiles for data protection and fraud prevention.

The fingerprint created by antidetection tools comprises identifiable data such as device specifications, processor type, RAM details, screen settings, and hardware configurations.

The widespread and legitimate availability of tools such as antidetection browsers empowers threat actors, leading to a systemic issue of exploiting end users and compromising data and connection points. This accessibility contributes to the persistence of cybercrime, resulting in annual financial losses and increasing the potential for larger and more pervasive cyber threats.

Matt Hull, Global Head of Threat Intelligence at NCC Group said:

“The decrease in attacks from September shouldn’t give us a false sense of security. We often see a reduction in attacks after a record month, such as was experienced in September. Moreover, the dramatic increase of attacks from the same time last year is significant and even with 2 months left of 2023, ransomware gangs have already claimed over 50% more victims than last year. However, seeing global political buy-in for North America’s International Counter Ransomware Initiative, is a welcome development in the fight against ransomware.

“In the current turbulent climate, both economically and geopolitically, threat actors are looking for new ways to make money. Malicious groups are making use of an ever-increasing abundance of tools, such as anti-detection software such as Antik. These tools as well as being used for legitimate means, provide opportunities for malicious actors, and make it harder for defenders to track down and prevent and detect attacks. As always, this highlights the need for organisations to continue to take on robust cybersecurity measures to counteract these insidious practices.”