NCC Group Monthly Threat Pulse – May 2023

Ransomware victims spike 24% in May, as new threat actor 8base discovered

New analysis from NCC Group's Global Threat Intelligence team has revealed that ransomware attacks are soaring, with 436 victims in May. The new figures represent a 24% surge compared to April's figure of 352 and a 56% increase compared to May 2022.

The spike in activity was in-part been driven by the emergence of 8base, a new ransomware player that employs a double extortion strategy, publicising the data of 67 victims in May.

Threat actors

Lockbit 3.0 were responsible for 18% (78 victims) of the attacks in May and remains the most active threat actor in 2023, despite a 27% drop in attacks compared to April (107 victims).

Newly discovered threat actor 8base were responsible for 15% of the attacks in May, as the group began releasing data from victims breached between April 2022 and May 2023. Its attacks typically involved stealing and encrypting data, with more than half its victims (52%) operating in the Industrials sector.

Elsewhere, Akira, a threat actor first discovered in March, carried out 28 attacks – their highest on record and a 250% increase compared to April (6 victims). NCC Group’s Global Threat Intelligence team also monitored activity from new ransomware groups BlackSuit, MalasLocker and RAGroup.

Regions

In May, North America was the target of over half (51%) of the monitored incidents, with 222 victims, followed by Europe (24%) with 106 victims. South America (8%) experienced a significant surge with 34 attacks, an 89% increase compared to April, largely driven by 8base's disclosure of 15 victims in the region.

Sectors

Industrials (30%) remained the most targeted sector with 131 attacks, as threat actors continue to target lucrative personally identifiable information (PII) and intellectual property (IP). Technology (15%) saw a 78% increase in attacks compared to April, with 66 victims, whilst Consumer Cyclicals (11%) was the target of 37 attacks.

Spotlight: ERMAC to Hook – Technical difference between two Android Malware Variants

This month’s spotlight is on an investigation by NCC Group's Global Threat Intelligence team into two Android-based malware families advertised by threat actor DukeEugene, known as Hook and ERMAC. DukeEugene claims Hook was written from scratch, however NCC Group’s investigation confirmed the ERMAC source code was used as a base for Hook, with a matching set of commands that share near-identical code implementation.

Hook has introduced a lot of new features however, with a total of 38 additional commands when comparing the latest version of Hook to ERMAC. New features include streaming a victim's screen, the ability to take photos using their front facing camera, stealing of cookies related to Google login sessions, and support for stealing recovery seeds from additional cryptocurrency wallets.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “We continue to see heightened levels of ransomware activity in 2023, as each passing month surpasses the volume of attacks witnessed during the same period in the previous year. Whilst Lockbit 3.0 continues to dominate as the most active threat actor, the emergence of new ransomware groups like 8base and Akira raises equal concerns and warrants attention.

“Beyond this latest data, another noteworthy development this year has been the volume of attacks targeted towards high profile organisations, predominantly led by Russian-speaking threat actor Cl0p. It has led to greater public attention towards the evolving threat landscape, which contributes to a growing understanding of the severity and impact of ransomware incidents can have, and why organisations must be proactive in their cyber defences.”