According to the company’s Global Threat Intelligence team, the number of ransomware attack victims dropped 19% in August, from 198 to 160 reported incidents, continuing a trend from July, when ransomware attacks dropped 47% from the previous month due in part to the disbanding of ransomware group Conti.
This also continues the downward trajectory in ransomware attacks that NCC Group has reported since the spring. In addition to Conti, the company says other groups such as ALPHV and Hiveleak have also scaled down attacks, making LockBit the only consistent presence in the threat landscape last month.
According to the company, Lockbit 3.0 accounted for 40% of all incidents in August, making it the most threatening ransomware group last month. The ransomware gang’s 64 incidents reflect a spike in activity following the rebrand from Lockbit 2.0 in June.
NCC Group notes that a new threat actor, IceFire, has emerged onto the scene, amassing 10 victims in just its first month of activity and making NCC Group’s top three list of threat actors for August. Little is known about the group, but its high volume of attacks in an indicator that the group is made up of operators with prior experience in the ransomware ecosystem.
Technology IceFire’s its most targeted sector, accounting for 90% of total attacks, with the software and IT services industries accounting for 80% of these victims. The majority of victims offer web hosting services, suggesting the group is a highly selective addition to the threat landscape, according to NCC Group.
“While there is a slight reduction in the volume of attacks in August, there have been some considerable changes among threat groups in particular,” says Matt Hull, global head of Threat Intelligence at NCC Group. “Lockbit 3.0 appears to be re-establishing its operations since rebranding in June, while Conti-affiliated BlackBasta looks to be establishing itself within the ransomware landscape following Conti’s operations rebranding.”
Overall, industrials continue to be the most targeted sector with 55 total incidents (34%) in August, followed by followed by consumer cyclicals (18%), and technology organizations (14%).
The company also highlighted Sandworm, a state-sponsored threat actor aligned with Russian state interests that has recently been focusing its attacks on Ukraine.