NCC Group Monthly Threat Pulse – February 2023

Analysis from NCC Group’s Global Threat Intelligence team has revealed there were 240 ransomware attacks in February, a 45% increase from January.

The volume of activity is the highest recorded by NCC Group for this period, up 30% over February 2022 (185), and 2021 (185). The considerable rise highlights the growing threat of ransomware attacks, as the threat landscape continues to evolve.

Threat actors

LockBit 3.0 drove the majority of February’s ransomware activity, with 129 ransomware attacks (54%). It marks a 150% spike in the group’s activity compared to January (50 victims), including an attack on UK mail delivery service, Royal Mail. The group was a driving force behind a rise in attacks on the Consumer Non-Cyclicals (12 victims) sector, while Industrials (43) and Consumer Cyclicals (20) were its most targeted.

BlackCat (13%) were the second most active threat actor, followed by relatively new threat actor, BianLian (8%), with 20 victims. Despite this sharp spike in activity, their level of attacks in February is still less than it was in December 2022, indicative of BinLian’s usual pattern of activity, whereby it has peaks and troughs throughout the year.

Regions

North America (47%) was the target of almost half of February’s activity, with 113 victims. Europe (23%), and Asia (15%) followed, with 56 and 35 attacks respectively.

Sectors

While Industrials (33%) and Consumer Cyclicals (15%) remained the most targeted sectors, LockBit’s targeting of Consumer Non-Cyclicals (8%) - companies in the likes of utilities, healthcare and other consumer staples - escalated it to the top three for the first time, with 20 incidents. This represents a 150% increase in victims in this sector since January.

Spotlight: Is this the end of threat actor Hive?

This month, threat actor Hive claims the spotlight after the US Department of Justice reported in January 2023 that the FBI had infiltrated Hive’s network and seized their infrastructure in a coordinated international effort.

This infiltration began in July 2022, and among this was Hive’s leak site and various servers which were located in Los Angeles.

In addition to the takedown, US and UK authorities sanctioned seven alleged members of the group, all believed to be Russian nationals. Although these operations have been taken down, it's widely reported that Russian cybercriminals are protected by the state, implying that while Hive have lost their digital assets, its members will likely continue operating under a different guise.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “In February we observed a surge in ransomware activity, as expected when coming out of the typically quieter January period. However, the volume of ransomware attacks in January and February is the highest we have ever monitored for this period of the year. It is an indication of how the threat landscape is evolving and threat actors show no signs of reducing ransomware activities.

“Looking at the most prevalent threat actors, Lockbit 3.0 looks set to carry on where it left off in 2022, and is already leading the way as 2023’s most prevalent threat actor by some margin. BlackCat also remains consistent, whilst the ever-sporadic BianLian returned to the top three.

“Finally, it’ll be interesting to see how the takedown of Hive by the US Department of Justice plays out. While this means their digital operations have been taken down, it’s unlikely Hive’s members will disappear completely. Our threat intelligence team will continue to keep a close eye on how this impacts the threat landscape.”

Keep up to date with our latest insights

Never miss a threat intelligence update - sign up to receive our monthly insights into the emerging advances in threat landscape and for our new Threat Monitor webinars here.