NCC Group Monthly Threat Pulse – May 2022

• Ransomware attacks decreased by 18% in May, compared to previous month
• Industrials (31%), Consumer Cyclicals (22%) and Technology (10%) most targeted sectors
• Lockbit 2.0 (95 victims) most active threat actor, alongside Black Basta, Hive and Conti (17 victims respectively)
• Conti rumoured to be disbanding

The number of ransomware attack victims decreased in May, according to NCC Group’s strategic threat intelligence team. In total, it observed 236 attacks in the month, an 18% decrease on the 289 attacks observed in April.

A drop off in activity may be a result of Russia-based Conti’s step back from the ransomware scene, as well as its collaboration with smaller groups including Black Basta and Hive.

The most targeted sectors in May were industrials, making up some 31% of ransomware attacks, followed by consumer cyclicals (22%) and technology (12%).

NCC Group’s threat intelligence team states that it is likely that industrials will remain the most targeted sector. The diverse number of organisations operating within it makes it an attractive target for ransomware gangs, who seek to compromise company supply chains.

Lockbit 2.0 remained the dominant threat actor, accounting for 40% of attacks in May. Long the top threat actor, it gained even more prominence in May, with the gap between the number of attacks committed by Lockbit and attacks committed by the second top threat actor Conti widening. Of the other most prominent groups, Black Basta and Hive were both responsible for 17 attacks (7%). Black Basta first emerged in April, and in May NCC Group uncovered the group’s use of Qbot malware to infect systems and gain access to Windows domain credentials.

Spotlight on Conti

Conti is rumoured to have shut down after a series of internal politics matters in April and May. On 19 May, Conti News - the ransomware group’s official website - shut down, followed by resets of other major infrastructure channels such as chat rooms, messengers, servers and proxy hosts.

It is possible that this is the end of Conti’s current brand, opening a new chapter for the threat landscape. However it is anticipated that it will make use of existing sub-groups operating under different names such as KaraKurt, Black Byte and Black Basta.

Security researchers suspect Black Basta and Hive to be working alongside Conti or functioning as a possible replacement for them, which would explain their position as top threat actors in May.

Matt Hull, global lead for strategic threat intelligence at NCC Group, said:

“With similar sectors being targeted month on month now, it is vital that organisations at greatest risk – particularly those working within industrials – are well equipped to defend against ransomware attacks. But as ever, this is not only an issue for one sector. What we need is a cross-industry cybersecurity response to account for uncertainty and ensure protection across the board.

“Lockbit 2.0 has fast cemented its place as the most prolific threat actor of 2022. It is crucial that businesses familiarise themselves with their tactics, techniques, and procedures. It will give them a better understanding of how to protect against attack and the most appropriate security measures to implement.

“Conti’s possible shutdown represents a significant change for the ransomware threat landscape and it cannot go ignored. It will be interesting to see which smaller groups replace it as it rebrands, and how these new or evolved actors will behave – which NCC Group will of course continue to monitor.”