NCC Group Monthly Threat Pulse – August 2022

• Lockbit 3.0 (64 victims) most active attacker, followed by BlackBasta (18 victims)
• New threat actor IceFire emerges, with 10 victims
• Industrials (34%), Consumer Cyclicals (18%) Technology (14%) remain most targeted sectors
• Ransomware attacks decreased by 19% compared to July

Analysis from NCC Group’s Global Threat Intelligence team suggests a proliferation of new and evolving threat actors in August with the emergence of new threat actor, IceFire and a surge in activity for the most active attacker Lockbit 3.0.

Meanwhile, the number of ransomware attack victims dropped 19% in August, from 198 to 160 incidents. The moderate drop comes after a 47% rise from June to July, with the number of attacks appearing to stabilise since the disbanding of prominent threat actor group Conti.

Threat Actors

As we moved into August, Lockbit 3.0 accounted for 40% of all incidents in August, making it the most threatening ransomware threat actor last month. Its total of 64 incidents reflecting a spike in activity following the rebrand from Lockbit 2.0 in June. In August, the group also announced the implementation of a triple extortion model, and deployed the use of unique and randomised payment links in ransom notes.

Meanwhile, BlackBasta moved up to second position with 18 incidents this month, a 33% reduction in the number of attacks in July. Similarly, the sectors and industries it targeted also changed, with more attacks against the consumer cyclicals sector, with speciality retailers a particular target.

New group IceFire emerged onto the scene in August, amassing 10 victims in its first month of activity. IceFire was a surprise entry to the top three list of threat actors, as other groups such as ALPHV and Hiveleak reduced their activity. While there is little information about the group, its high volume of attacks suggests its operators have prior experience in the ransomware space. Technology was its most targeted sector, accounting for 90% of total attacks, with the software and IT services industries accounting for 80% of these victims. The majority of victims offer web hosting services, suggesting the group is a highly selective addition to the threat landscape.

Sectors

Sector trends remained consistent with previous months, with industrials continuing to be the most targeted sector with 55 incidents (34%), followed by consumer cyclicals (18%), and technology organisations (14%).

Regions

From a regional perspective, North America (45%) claimed the spot for the most targeted region for the second month in a row, followed by Europe (40%) and Asia (9%).

Spotlight on Sandworm

This month Sandworm – a state-sponsored Advanced Persistent Threat (APT) group – claim the spotlight following recent global espionage and destruction campaigns that seek to advance Russian foreign policy. Sandworm’s victims span across different sectors, however its most notable attacks have sought to cripple the industrial control systems that power the energy and electrical sectors of its opponents.

Recently, Sandworm has targeted the majority of its attacks on Ukraine as Russia undergoes territorial wars, but the threat actor’s targets do remain global. Historic events include targeting the 2017 French Presidential Campaign, 2018 Winter Olympics in South Korea, and the large-scale attack on cross-sector Georgian websites and servers in 2019.

The motivations behind Sandworm’s attacks appear to be the advancement of Russian interests – making it easier to predict Sandworm’s activities, as they are usually related to global events Russia may react to. Other motivations may be the group looking to advance its relative position amongst other Russian intelligence agencies through undertaking high-risk/high-reward operations.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “While there is a slight reduction in the volume of attacks in August, there have been some considerable changes amongst threat groups in particular. Lockbit 3.0 appears to be re-establishing its operations since rebranding in June, while Conti-affiliated BlackBasta looks to be establishing itself within the ransomware landscape following Conti’s operations rebranding.

“Meanwhile, we saw new threat actor IceFire burst onto the scene with a string of attacks in the latter half of the month. There isn’t much known about the group just yet, but their targeting of organisations that offer web hosting services suggests they are looking to compromise a bigger pool of victims, indirectly. We’ll continue to monitor IceFire’s activity in the coming months to understand their targeting motivations, modes of operating, and any acceleration in number of attacks.”

Keep up to date with our latest insights

Never miss a threat intelligence update - sign up to receive our monthly insights into the emerging advances in threat landscape and for our next quarterly Threat Monitor webinar here.