September saw record levels of ransomware attacks, according to NCC Group‘s September Threat Pulse, with 514 victims details released in leak sites.
The data represents a 153% year-on-year increase from last September, and break’s July’s record of 502 victim leaks.
August, in contrast, saw the lowest number of attacks following July’s high.
New Threat Actors on the Scene
Recently formed threat actor LostTrust ranked as the second most active group, responsible for 53 (10%) of all attacks, with another new group – RansomedVC – in fourth place with 44 (9%) attacks.
LostTrust is believed to have formed in March this year, with activity now coming to light in September. The group has adopted similar methods of double extortion used widely by more established threats.
Well-established threat actors remained active in September, with Lockbit retaining its August top spot. With new threat actors emerging and following the decrease of its activity in August, Cl0p was only responsible for three ransomware attacks in September, according to NCC Group’s data.
Ransomware in the West
In line with previous months’ trends, North America continued to be the most targeted region for ransomware attacks, with 258 attacks in September. Europe remained the second most targeted region with 155 attacks, followed by Asia in third place with 47.
However, September saw the targeting of North America and Europe increase by 3% and 2%, respectively, whilst attacks in Asia decreased by 6% from August.
This indicates a growing focus from threat actors on targeting Western regions.
Attacks on Healthcare Ramp Up
In September, Industrials continued to experience the highest volume of attacks 40% (19) followed but Consumer Cyclicals with 21% (10) and Healthcare 15% (7).
The continued targeting of Industrials is unsurprising given that the theft of Personally Identifiable Information (PII) and Intellectual Property (IP) remain attractive motivators for threat actors.
The Healthcare sector experienced a significant increase in ransomware attacks. It witnessed 18 attacks, marking an 86% month-on-month increase from August. However, the increase is in line with trends in earlier months this year, suggesting that the dip in August was an anomaly to the overall trend.
Healthcare continues to be an attractive target for threat actors because of the financial impact that a ransomware attack on companies in the pharmaceutical industry can have.
Spotlight: New Threat actor RansomedVC on the Rise
The record levels of ransomware attacks are partially the result of the emergence of new threat actors including RansomedVC. Like 8Base and other well-established organisations, RansomedVC operate as ‘penetration testers’. This is essentially penetrating a network to expose vulnerabilities, which is then reported to an organisation for a ransom.
However, its approach to extortion also incorporates the claim that any vulnerabilities discovered in their targets’ network will be reported in compliance with Europe’s General Data Protection Regulation (GDPR).
Recommended reading
RansomedVC’s innovative approach increases the pressure on victims to meet ransom demands. Financial incentives for paying the ransom are heightened as GDPR allows for fines of up to 4% of a victim’s annual global turnover.
Using these methods, the group claimed responsibility for the attack on Japanese electronics company, Sony, on 24 September. As part of the attack, RansomedVC compromised the company’s systems and offered to sell stolen data. Successful targeting of a major global company such as Sony is indicative of the wide impact RansomedVC is having, likely to be a group that remains active over coming months.
Matt Hull, global head of threat intelligence at NCC Group said: “After the drop in ransomware attacks in August, the surge in attacks during September was somewhat anticipated for this time of year. However, what stands out is the volume of these attacks and the emergence of new threat actors who have been major drivers of this activity.
“These groups, including the likes of LostTrust, Cactus, and RansomedVC, are noteworthy for their approach: adapting existing ransomware techniques and introducing their own variations to add pressure for victims. We’ve witnessed a growing number of groups utilising the double extortion model as a strategy, piggybacking off this as a successful method used by more established threat actors. New threat actors are also increasingly embracing Ransomware as a Service (Raas) model, whilst diversifying their activities and creating ‘unique selling points’.
“The influx of new groups is evidence of the evolving nature of global ransomware attacks. There’s a focus on ramping up pressure on victims, a tactic successfully employed by the likes of RansomedVC, as we saw with its attack on Sony last month. It’s likely that we’ll see other new groups explore these methods of increasing pressure on victims to comply with other variations of RaaS in the coming months.”
Related