NCC Group Monthly Threat Pulse – October 2021
- 65% increase in double extortion ransomware victims in last month
- 162.5% increase in tech sector ransomware victims since September
- North America remains the most targeted region; October saw a 71% increase in ransomware victims based in this region
The latest threat pulse from cyber security experts NCC Group has identified 314 double-extortion ransomware victims around the world, a 65% increase on September’s victims.
The analysis from NCC Group’s Strategic Threat Intelligence team has highlighted a strong trend of double-extortion ransomware tactics, in which the attacker requests a ransom and threatens to release sensitive business data if it is not paid.
These attacks have predominantly targeted the industrials sector, which accounts for 35% of all ransomware victims in October. The technology sector closely followed with a 162.5% increase in victims in October, followed by industries such as automotive, housing, entertainment, and retail.
This issue is impacting organisations around the world. North America remains the most targeted, with a 71% increase in victims in the last month, while Europe saw a 48% increase in victims in October.
The growing threat of double extortion
The report has revealed that 20 ransomware gangs actively deployed a double extortion strategy in October.
The top 10 ransomware gangs include Lockbit and the well-established threat actor Conti, which increased activity by 120% in October. Other notorious threat actors such as Hive, Blackmatter and Clop are also using this new tactic, although they have been less active over the last few months.
While the use of double extortion (combining ransomware with data exfiltration) is part of a growing trend, NCC Group has identified one notable example of a threat actor, SnapMC, which is entirely focused on data exfiltration. This group steals data and uses extortion emails to pressure its victims, often giving them only 24 hours to get in contact and 72 hours to negotiate.
The group often exploits vulnerabilities on its victims’ webservers and VPN solutions to gain initial access, then uses privilege escalation to export data. It is likely that a similar approach will be taken by other threat actors in ransomware attacks in the future, which makes it more important for organisations to take a proactive approach.
How businesses can stay secure
Proactive security measures, which include the ability to detect attacks and respond with a fully-formed incident response plan, are key to ensuring that organisations are prepared if these types of attacks occur and can minimise damage.
This could include training staff members to identify and flag phishing attempts, and operating a least-privilege model, which minimises the amount of information an attacker can access if a user’s account is compromised.