Skip to content
NCC Group Monthly Threat Pulse - July 2022

News -

NCC Group Monthly Threat Pulse - July 2022

  • Ransomware attacks increased by 47% compared to June
  • Industrials (32%), Consumer Cyclicals (17%), and Technology (14%) remain most targeted sectors
  • Lockbit 3.0 (52 victims) most active attacker, followed by Hiveleaks (27 victims) and BlackBasta (24 victims)
  • Lazarus Group increases operations following number of financial cyber crimes

The ransomware threat scene continues to evolve following the disbanding of Conti, as ransomware attacks rose from 135 in June to 198 in July, representing a 47% increase, as reported by NCC Group’s Global Threat Intelligence team.

The escalation in ransomware attacks comes amidst the rise of several new threat actors, with newcomer Lockbit 3.0 taking the top spot followed closely by Conti-associated threat actors Hiveleaks and BlackBasta, that are settling into a new way of operating.

Meanwhile, Lazarus Group returns to prominence, following several multi-million-dollar cryptocurrency-focused attacks earlier this year.


Sector trends remained consistent in July, with Industrials remaining the most targeted sector, as it made up a third (32%) of ransomware attacks, followed by Consumer Cyclicals (17%), and Technology (14%).


From a regional perspective, North America claimed the spot for most targeted region (42%), overtaking Europe (40%) for the first time in 2 months. The last time we saw North America as a top target was back in May.

Threat Actors

As we moved into July, the phasing out of Lockbit 2.0 and transition to new variant Lockbit 3.0 looked to complete, as Lockbit 3.0 moved into pole position as the top ransomware variant this month with 52 incidents.

Meanwhile, the rise in prominence from Hiveleaks (27 victims), and BlackBasta (24 victims) may represent a possible regrouping of former Conti members as new, smaller factions.

Meanwhile, North Korea-backed APT Group Lazarus, have continued to make ripples in the cyber threat landscape following their $100 million crypto heist on Harmony’s Horizon Bridge in late June.

Spotlight on Lazarus Group

This month, Lazarus Group claims the spotlight following a number of financial cybercrimes to aid the North Korean state earlier this year, including cryptocurrency thefts and suspected ransomware adoption. These include the $600 Million Cryptocurrency Heist on Axie Infinity, and the $100 Million Crypto Heist on Harmony’s Horizon Bridge.

The increase in operations from this group may be to do with the North Korean economy shrinking once again, possibly forcing the country to lean more heavily on illegal methods of revenue. Pairing this with its already struggling economy, it is possible to see why they would turn to offensive cyber operations as a source of income.

As a result of this activity, the US has responded by offering $10 Million to any individual who can provide valuable intelligence on any of the operators within Lazarus Group; as North-Korea evidently see the advantages of using crypto-theft and possible ransomware operations in a pursuit on financial security.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “This month’s Threat Pulse has revealed some major changes within the ransomware threat scene compared to June, as ransomware attacks are once again on the up. Since Conti disbanded, we have seen two new threat actors associated with the group, Hiveleaks and BlackBasta, take top position behind LockBit 3.0. It is likely we will only see the number of ransomware attacks from these two groups continue to increase over the next couple of months.”

“Following two major cryptocurrency heists, Lazarus Group seem to be improving their crypto-theft and ransomware operations, so it is more important than ever to monitor their activity closely. Cryptocurrency organisations in the US, Japan and South Korea should remain on high alert.”

Keep up to date with our latest insights

Never miss a threat intelligence update - sign up to receive our monthly insights into the emerging advances in threat landscape and for our next quarterly Threat Monitor webinar here.




NCC Group Press Office

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7721577574

Related content

NCC Group exists to make the world safer and more secure

In today’s threat landscape understanding the risks organisations and customers are exposed to is more important than ever.

Understanding the impact and how to be more resilient is key to protecting brand, reputation and sensitive customer information. Building a cyber-resilient organization can be a complex process but it’s not impossible.

With our knowledge, experience and global footprint, we help assess, develop and manage cyber resilience posture.

NCC Group Newsroom
XYZ Building, 2 Hardman Boulevard, Spinningfield
M3 3AQ Manchester
United Kingdom