NCC Group Monthly Threat Pulse – February 2022
- Ransomware attacks increased by 52.89% compared to January, with the number of incidents rising from 121 in January to 185 in February.
- The most targeted sectors were industrials (35.68%), consumer cyclicals (21.62%), and technology (8.11%).
- The most targeted regions were North America (42.16%), Europe (42.16%), and Asia (10.27%).
- Lockbit 2.0 remains the most consistent threat actor, accounting for 42.2% of all attacks.
NCC Group’s Strategic Threat Intelligence team has identified that the number of victims of double extortion ransomware attacks increased 52.89% between January and February. This increase represents a marked exit from the seasonal reduction in ransomware behaviour observed by the team across December and January.
This pattern echoes NCC Group’s 2021 findings, where a 55.1% increase was observed between January and February. The team assesses that the volume of ransomware incidents will continue to increase as the year unfolds and threat actors get back to ‘work’.
In terms of key threat actors, the top players remained consistent in February. Lockbit 2.0 remains the most persistent contributor with 42.2% of all attacks.
The sector most targeted by Lockbit 2.0 was industrials, accounting for a sizeable 30.77% of their total attacks in February. This remains consistent with attacks in January, when businesses in the industrials sector accounted for 31.7% of their victims.
Conti remains the second largest player with 17.8% of attacks. However, the third largest contributor in February was BlackCat, as opposed to Snatch in January. BlackCat accounted for 11.4% of all attacks – a significant rise on the 5% that they exhibited in January, showing a steady increase in their activity.
Consistent with the team’s findings in January, industrials was the most targeted sector, making up 35.68% of attacks, whilst consumer cyclicals was the second most targeted sector with 21.62% of attacks. NCC Group analysis suggests that the increase in the number of attacks in these sectors compared with January was responsible for the overall growth observed by the team this month.
The leading positions of these two sectors reflect wider observations from the last 7 months, suggesting they continue to be seen as highly attractive targets.
As in January, an equal number of attacks were observed in North America and Europe. Last month, this was an abnormal finding, as up until then, North America had held a clear leading position. This month, however, the team again observed an equal number of ransomware incidents in the two continents, with each suffering 78 incidents.
Spotlight on Conti Group
There was significant activity across the security community in relation to Conti Group in February.
The group posted a ‘warning’ message on its public-facing blog site, officially announcing its full support of the Russian government. This was later amended to state that they are not allied with a government; however, they also stated that they will retaliate against any targeting of Russian critical infrastructure, suggesting they are sympathetic to the Russian government.
In response to the incident, an anonymous member of the group released a significant amount of internal communications, screenshots and tactics used by the gang.
Matt Hull, cyber threat intelligence manager at NCC Group, said:
“With ransomware attacks increasing – as would be expected after the seasonal reduction in January – it is vital that organisations continue to ensure they apply appropriate security measures. This is especially important for the Industrials sector, which continues to be the most frequent victim of ransomware.”
“It’s interesting to see a regional trend emerging in Europe and North America, with both regions seeing the same number of victims of double extortion ransomware attacks. By continuing to closely monitor if this pattern persists, we will be able to determine what this means for the wider European threat landscape.”
“The disruption in Conti activities comes as a welcome change, but with clients continuing to come under new attacks, it is clear that this ransomware variant is still very much in use. Our Strategic Threat Intelligence team continues to keep an eye on the use of Conti, and as always will provide updates to our customers to help them manage the risk to their organisations.”