Skip to content
NCC Group Monthly Threat Pulse – January 2023

News -

NCC Group Monthly Threat Pulse – January 2023

  • January saw 165 ransomware attacks, a 38% decrease from December 2022.
  • Lockbit 3.0 remains the most active threat actor with 50 attacks (30%).
  • Industrials (30%), and Consumer Cyclicals (15%) remained the topmost targeted sectors, with the Academic sector (11%) over taking Technology and Government sectors for the first time in 12 months.
  • Regional data follows the same trends as previous months: North America (41%), Europe (34%), and Asia (12%).
  • Threat AcridRain Infostealer had resurfaced after rebranding to fit the current market.

Analysis from NCC Group’s Global Threat Intelligence team has revealed there were 165 ransomware attacks in January, a 38% decrease from December 2022.

Though a significant drop from the previous month, the total is the highest volume of attacks recorded in January over the last three years, (January 2021- 127 attacks, January 2022- 120 attacks) – an indication of the growing prevalence of ransomware attacks generally, as the threat landscape continues to evolve.

Threat actors

In the first month of this year, Lockbit 3.0 retained its position as top threat actor, with 50 victims (30%), followed by Vice Society (13%) and Blackcat (12%) who have remained consistent in their operations.

Following their evolution from Lockbit 2.0 into Lockbit 3.0 halfway through last year, the threat actor was responsible for 50 attacks in January, with its most targeted sectors being Industrials (32%), Consumer Cyclicals (16%), and Technology (14%) organisations.

Vice Society, believed to be a Russian RaaS ransomware group, was the second most prevalent threat actor this month and, in-line with its previous activity, targeted the Academic and Educational Services (45%) sector more than any other in January.

Vice have historically been one of the main ransomware groups that target universities with extortions, from the theft of student and staff’s personally identifiable information, to the theft of research that can be sold to other organisations.

BlackCat, no stranger to the threat actor spotlight, claimed third place this month after accounting for 12% of overall attacks. Aligning to previous trends, Industrials (25%) was their most targeted sector, followed by Basic Materials (15%), Healthcare (15%) and Consumer Cyclicals (15%).


In-line with previous months, North America was the target of 68 attacks (41%), closely followed by Europe with 56 attacks (34%), and Asia with 19 attacks (12%).


Looking at this month’s sector trends, Industrials (30%) took the lead as most targeted sector, followed by Consumer Cyclicals (15%). For the first time in a year (since January 2022), Academic and Education Services (11%) overtook the Technology and Government sectors, in large part due to threat actor Vice Society’s spike in activity, as it was responsible for 10 of the 18 attacks recorded (56%).

Spotlight: Threat actor AcridRain resurfaces with revamped infostealer

This month, threat actor AcridRain claims the spotlight after its new malware enterprise, first launched in October 2022, has begun gaining traction. The new iteration of the malware is one to look out for, as it rebrands itself to fit the current ‘market’ standard functionality of info stealers, allowing the threat actor to refocus on targeting cryptocurrency and crypto wallets specifically, renting out stealer software to other actors.

The threat actor leads a team of programmers with several sub-specialisations that are leased for malware development projects. Its team possesses a large business deposit on the underground platforms, indicating to NCC Group’s Global Threat Intelligence team that this is a medium sized, planned, and funded operation.

NCC Group expects AcridRain to evolve further and develop its operations, capability, and reach over the coming months.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “January observed a steady amount of ransomware attacks, which is close to what we expect for this period of the year. Having said that, the total volume of ransomware attacks recorded this month is higher than we’d normally see in January, an indication of how ransomware attacks are on the rise generally.

“In terms of the most prevalent threat actors, Lockbit 3.0 held onto first position as predicted, whilst Vice Society and Blackcat had an active start to 2023. It’ll be interesting to see how that evolves over the coming months, and whether Lockbit will remain ahead of the rest. Threat actor Acrid Rain’s re-emergence is one that those handling crypto and other digital asset sectors in particular should look out for, as this continues to be an attractive target for ransomware groups.”

Keep up to date with our latest insights

Never miss a threat intelligence update - sign up to receive our monthly insights into the emerging advances in threat landscape and for our Threat Monitor webinars here.




NCC Group Press Office

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7976234970

Related content

NCC Group exists to make the world safer and more secure

In today’s threat landscape understanding the risks organisations and customers are exposed to is more important than ever.

Understanding the impact and how to be more resilient is key to protecting brand, reputation and sensitive customer information. Building a cyber-resilient organization can be a complex process but it’s not impossible.

With our knowledge, experience and global footprint, we help assess, develop and manage cyber resilience posture.

NCC Group Newsroom
XYZ Building, 2 Hardman Boulevard, Spinningfield
M3 3AQ Manchester
United Kingdom