NCC Group Monthly Threat Pulse – April 2022
- 288 ransomware attacks in April, a small increase on March
- Industrials (35%) Consumer Cyclicals (19%), and Technology (10%) most targeted sectors
- North America (46%) most targeted region, followed by Europe (33%)
- Lockbit 2.0 (103 victims) and Conti (45 victims) most active threat actors
- CL0P returns to the threat landscape with 21 victims
The number of victims of ransomware attacks appears to have stabilised this last month, according to NCC Group’s strategic threat intelligence team. In total, it observed 288 attacks in April 2022, a minor increase on the 283 observed in March.
This levelling out of attacks may suggest that ransomware groups may have reached their optimum level of activity this year. However, the number of ransomware incidents per month continues to be higher than in 2021.
The most targeted sectors in April were industrials, making up 35% of attacks, followed by consumer cyclicals, making up 19% of attacks. With similar results to March, it remains clear that there is an unrelenting interest in these sectors from ransomware threat actors.
Similarities between the sectors may reveal why they are popular victims of ransomware groups. For example, the fact that these sectors work with a vast and diverse clientele means that the pressure on the victim – and therefore the impact of the ransomware campaign – is larger.
In addition, North America continues to be the most targeted sector, making up 46% of attacks, followed by Europe, which made up 33% of attacks. Together, the two regions are the target of the majority of attacks, reflecting the ever-present threat to organisations in these regions.
There were notable fluctuations in threat actor targeting in April. While Lockbit 2.0 (103 victims) and Conti (45 victims) remain the most prolific threat actors, victims of CL0P increased massively, from 1 to 21.
Spotlight on CL0P
CL0P had an explosive and unexpected return to the forefront of the ransomware threat landscape, jumping from the least active threat actor in March to the fourth most active in April.
The most targeted sector for CL0P was industrials, which made up 45% of CL0P’s attacks, followed by technology with 27%. This is consistent with Lockbit and Conti’s sector targeting, however, they have a slightly greater interest in the technology sector, perhaps following the recent victimisations of tech giants such as Samsung and Nvidia.
While it is hard to predict whether CL0P attacks will continue to increase, the NCC Group team will continue to monitor the threat actor’s activity as it happens.
Matt Hull, global lead for strategic threat intelligence at NCC Group, said: “Although ransomware attacks appear to have steadied, the number of attacks in April is still relatively high compared with previous years. It is still critical that organisations – especially within the most highly targeted sectors – remain vigilant, and prepare themselves with the appropriate security measures.”
“North America has been the most targeted region of double extortion ransomware attacks for some time now – so organisations in this country should be as stringent as possible with security measures. Although there was a small decline of attacks in Europe, organisations should still remain on high alert to the risk of ransomware campaigns.”
“The increase in CL0P’s activity seems to suggest they have returned to the threat landscape. Organisations within CL0P’s most targeted sectors – notably industrials and technology – should consider the threat this ransomware group presents, and be prepared for it.”
Keep up to date with our latest insights
Never miss a threat intelligence update - sign up to receive our monthly insights into the emerging advances in threat landscape and for our next quarterly Threat Monitor webinar here.