Skip to content
NCC Group Monthly Threat Pulse – August 2022
NCC Group Monthly Threat Pulse – August 2022

News -

NCC Group Monthly Threat Pulse – August 2022

  • Lockbit 3.0 (64 victims) most active attacker, followed by BlackBasta (18 victims)
  • New threat actor IceFire emerges, with 10 victims
  • Industrials (34%), Consumer Cyclicals (18%) Technology (14%) remain most targeted sectors
  • Ransomware attacks decreased by 19% compared to July

Analysis from NCC Group’s Global Threat Intelligence team suggests a proliferation of new and evolving threat actors in August with the emergence of new threat actor, IceFire and a surge in activity for the most active attacker Lockbit 3.0.

Meanwhile, the number of ransomware attack victims dropped 19% in August, from 198 to 160 incidents. The moderate drop comes after a 47% rise from June to July, with the number of attacks appearing to stabilise since the disbanding of prominent threat actor group Conti.

Threat Actors

As we moved into August, Lockbit 3.0 accounted for 40% of all incidents in August, making it the most threatening ransomware threat actor last month. Its total of 64 incidents reflecting a spike in activity following the rebrand from Lockbit 2.0 in June. In August, the group also announced the implementation of a triple extortion model, and deployed the use of unique and randomised payment links in ransom notes.

Meanwhile, BlackBasta moved up to second position with 18 incidents this month, a 33% reduction in the number of attacks in July. Similarly, the sectors and industries it targeted also changed, with more attacks against the consumer cyclicals sector, with speciality retailers a particular target.

New group IceFire emerged onto the scene in August, amassing 10 victims in its first month of activity. IceFire was a surprise entry to the top three list of threat actors, as other groups such as ALPHV and Hiveleak reduced their activity. While there is little information about the group, its high volume of attacks suggests its operators have prior experience in the ransomware space. Technology was its most targeted sector, accounting for 90% of total attacks, with the software and IT services industries accounting for 80% of these victims. The majority of victims offer web hosting services, suggesting the group is a highly selective addition to the threat landscape.


Sector trends remained consistent with previous months, with industrials continuing to be the most targeted sector with 55 incidents (34%), followed by consumer cyclicals (18%), and technology organisations (14%).


From a regional perspective, North America (45%) claimed the spot for the most targeted region for the second month in a row, followed by Europe (40%) and Asia (9%).

Spotlight on Sandworm

This month Sandworm – a state-sponsored Advanced Persistent Threat (APT) group – claim the spotlight following recent global espionage and destruction campaigns that seek to advance Russian foreign policy. Sandworm’s victims span across different sectors, however its most notable attacks have sought to cripple the industrial control systems that power the energy and electrical sectors of its opponents.

Recently, Sandworm has targeted the majority of its attacks on Ukraine as Russia undergoes territorial wars, but the threat actor’s targets do remain global. Historic events include targeting the 2017 French Presidential Campaign, 2018 Winter Olympics in South Korea, and the large-scale attack on cross-sector Georgian websites and servers in 2019.

The motivations behind Sandworm’s attacks appear to be the advancement of Russian interests – making it easier to predict Sandworm’s activities, as they are usually related to global events Russia may react to. Other motivations may be the group looking to advance its relative position amongst other Russian intelligence agencies through undertaking high-risk/high-reward operations.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “While there is a slight reduction in the volume of attacks in August, there have been some considerable changes amongst threat groups in particular. Lockbit 3.0 appears to be re-establishing its operations since rebranding in June, while Conti-affiliated BlackBasta looks to be establishing itself within the ransomware landscape following Conti’s operations rebranding.

“Meanwhile, we saw new threat actor IceFire burst onto the scene with a string of attacks in the latter half of the month. There isn’t much known about the group just yet, but their targeting of organisations that offer web hosting services suggests they are looking to compromise a bigger pool of victims, indirectly. We’ll continue to monitor IceFire’s activity in the coming months to understand their targeting motivations, modes of operating, and any acceleration in number of attacks.”

Keep up to date with our latest insights

Never miss a threat intelligence update - sign up to receive our monthly insights into the emerging advances in threat landscape and for our next quarterly Threat Monitor webinar here.




NCC Group Press Office

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7721577574

Related content

NCC Group exists to make the world safer and more secure

In today’s threat landscape understanding the risks organisations and customers are exposed to is more important than ever.

Understanding the impact and how to be more resilient is key to protecting brand, reputation and sensitive customer information. Building a cyber-resilient organization can be a complex process but it’s not impossible.

With our knowledge, experience and global footprint, we help assess, develop and manage cyber resilience posture.

NCC Group Newsroom
XYZ Building, 2 Hardman Boulevard, Spinningfield
M3 3AQ Manchester
United Kingdom