LockBit 3.0 cements dominance of ransomware ecosystem

The recently updated LockBit 3.0 ransomware seems to have driven a substantial uptick in documented ransomware attacks in July, with incidents rising by 47% on a month-by-month basis, according to the latest monthly threat data produced by NCC Group.

The operators of LockBit issued version 3.0 at the end of June under the tagline “Make Ransomware Great Again”. Among its new features are additional means of monetisation, with payments now accepted in more cryptocurrencies than before, post-payment data recovery and even destruction. Most notably, the group now runs a bug bounty programme, and seems particularly keen to hear about any bugs in its code that could enable outsiders to obtain its decryption tool.

In the weeks since its launch, LockBit has become by some margin the dominant ransomware strain seen in the wild, accounting for 52 of the 198 victims NCC documented in July, or 26% of the total. Two other groups – both of them associated with former Conti-linked affiliates – were also highly active in July: Hiveleaks, which hit 27 organisations; and BlackBasta, which hit 24.

“This month’s Threat Pulse has revealed some major changes within the ransomware threat scene compared to June, as ransomware attacks are once again on the up,” said NCC global head of threat intelligence Matt Hull.

“Since Conti disbanded, we have seen two new threat actors associated with the group – Hiveleaks and BlackBasta – take top position behind LockBit 3.0. It is likely we will only see the number of ransomware attacks from these two groups continue to increase over the next couple of months.”

Elsewhere, North Korea-linked advanced persistent threat (APT) group Lazarus continued a campaign of cyber extortion following a $100m crypto heist on the Harmony Horizon Bridge in late June, and earlier attacks, including a larger $600m hit on Axie Infinity.

Hull noted the increased activity by Lazarus was likely a result of the continued shrinking of North Korea’s ramshackle economy, forcing the isolated regime to lean more heavily on crime to obtain much-needed hard currency. As previously reported, this trend has seen the US government increase the reward money on offer to anybody who can provide intelligence on members of the Lazarus collective.

In terms of other ransomware trends, verticals under attack remained consistent in July, with industrial organisations remaining the most targeted, accounting for 32% of incidents seen by NCC. This was followed by consumer cyclicals – which includes automotive, entertainment and retail – at 17%, and technology at 14%.

NCC found the region most targeted for ransomware attacks was North America, where 42% of incidents were seen during the period, which regained the “prestigious” number one spot from Europe after two months.

As ever, it is important to note that supplier-produced threat data is proprietary and generally reflects only the conditions seen by that supplier based on its own network telemetry or gleaned from its incident response teams, so may not be wholly accurate. Other sources of threat data are available.

 

Leave a Reply

Your email address will not be published. Required fields are marked *