Skip to content
NCC Group Monthly Threat Pulse – November 2022

News -

NCC Group Monthly Threat Pulse – November 2022

  • Ransomware attacks rise by 41% in November
  • Threat group Royal (16%) claims first place as most active – knocking Lockbit from the top spot for the first time since September 2021
  • Industrials (32%), and Consumer Cyclicals (44%) remain top two most targeted sectors but Technology experiences a large 75% increase over the last month
  • Regional data remains consistent with last month North America (45%), Europe (25%) Asia (14%)
  • DDoS attacks continue to increase

Analysis from NCC Group’s Global Threat Intelligence team has revealed a 41% increase in ransomware attacks this month as returning threat actor groups resurface and take the lead in November.

The 41% rise from 188 incidents to 265 makes November the most active month for ransomware attacks since April this year.

Threat actors

Lockbit 3.0 was knocked off the top spot, as threat actors Royal and Cuba claim first and second place and accounted for 16% and 15% of all attacks. Lockbit 3.0 still remain active however, taking third place, contributing to 12% of attacks this month.

Royal, which we first tracked in January 2022, concerns a number of experienced ransomware actors working without affiliates - different from the standard ransomware-as-a-service model we usually observe.

Although Cuba has been active over the past couple of years, activity has been reduced despite being responsible for a number of high-profile attacks and demanding ransomware of over $60 million. A record number of 40 attacks in November is unexpected from the Cuba operation due to their operations usually maintaining a low profile.

Although Lockbit 3.0 has remained within the top three threat actors this month, the reported attacks are substantially less than what is expected for the group. As such, this raises the question as to whether they will bounce back or disband as a threat actor.


Across the regions, North America suffered 151 ransomware attacks (45%), making it the most targeted region, ahead of Europe which experienced 65 (25%). Asia remained the third most targeted with 14% of attacks.


Diving into sector trends, Industrials (32%), and Consumer Cyclicals (44%) remain the top two most targeted sectors for ransomware attacks. However, we have observed Technology experience a large 75% increase over the last month with supply chain compromise opportunities and intellectual property remaining as key reasons for targeting.


Similar to October, DDoS attacks are on the rise, with 3,648 attacks observed in November. Throughout the month, the United States remained the most targeted country globally with 1,543 attacks - marking 42% of all total observed DDoS attacks.

Reasons for the United States being the most targeted include the large attack surface and existing geopolitical tensions of the country - which show no sign of relaxing. Giving the timings of the US attacks, one reason could be the intentionto cause disruption during the mid-term elections.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “This month we observed some interesting changes, with Lockbit 3.0 being pushed back to third place and replaced by the re-emergence of Royal and Cuba. The reduced operation may suggest the group could be disbanding, but we will keep a close eye on any developments in this area.

Our analysis strongly indicates a rising trend in DDoS attacks, which we can likely expect to continue for the immediate future. However, as more organisations become aware of the increased threat it will be interesting to see how malicious actors employing DDoS attacks are countered. DDoS is not a new attack type and preventative and defensive measures are more widely available and affordable than ever before. We recommend that all organisations familiarise themselves with their defensive infrastructure and assess if there’s a role for anti-DDoS mitigation tools.”




NCC Group Press Office

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7976234970

Related content

NCC Group exists to make the world safer and more secure

In today’s threat landscape understanding the risks organisations and customers are exposed to is more important than ever.

Understanding the impact and how to be more resilient is key to protecting brand, reputation and sensitive customer information. Building a cyber-resilient organization can be a complex process but it’s not impossible.

With our knowledge, experience and global footprint, we help assess, develop and manage cyber resilience posture.

NCC Group Newsroom
XYZ Building, 2 Hardman Boulevard, Spinningfield
M3 3AQ Manchester
United Kingdom