Lockbit is by far the most prolific ransomware group this summer, followed by two Conti offshoots.
Following a recent decline, ransomware attacks are once again on the rise. According to data released by NCC Group, old ransomware-as-a-service (RaaS) groups are leading the resurgence.
Using data collected by “actively monitoring the leak sites used by each ransomware group and scraping victim information as it is released,” researchers determined that Lockbit was by far the most prolific ransomware group in July, responsible for 62 attacks. This is ten more than the previous month and more than double the number of the second and third most prolific groups combined. “Lockbit 3.0 maintains its position as the most dangerous ransomware group,” the authors wrote. “All organizations should be aware of this threat.”
The second and third most prolific groups are Hiveleaks and BlackBasta, with 27 and 24 attacks, respectively. Since June, each of these groups has experienced rapid growth, with Hiveleaks increasing by 440 percent and BlackBasta by fifty percent.
There is a strong possibility that the resurgence of ransomware attacks and the rise of these two groups are intimately related.
Why Ransomware Has Gained Ground
In July, NCC Group researchers identified 198 successful ransomware campaigns, a 47 percent increase from June. Despite the steepness of this incline, it still falls short of the spring record of nearly 300 such campaigns in both March and April.
Why the Flux?
In May, the United States government increased its efforts against Russian cybercrime by offering up to $15 million for information about Conti, the then-leading ransomware gang in the world. The authors of the report hypothesized that threat actors that were undergoing structural changes had begun settling into their new modes of operation, increasing their total compromises.
The result of this restructuring is Hiveleaks and BlackBasta. The authors noted that both groups are “associated with Conti,” Hiveleaks as an affiliate, and BlackBasta as a replacement strain. “Accordingly, it appears that Conti’s reemergence into the threat landscape, albeit under a new guise, did not take long.”
Now that Conti has been properly split in two, the authors hypothesize that “it would not be surprising to see these numbers rise further in August.”