Ransomware gangs had a busy holiday season

The LockBit, BianLian, and BlackCat gangs led the charge for cybercriminals in December 2022.

Ransomware gangs may have been down in terms of attack volume and income in 2022, but they’re not out—as evidenced by a recent report showing threat actors kept up their efforts over the holiday season.

In their December 2022 threat report, researchers with security firm NCC Group tracked a total of 269 ransomware attacks that month, up 2% from November. The firm said this was unusual, because its own data has (contrary to expectations) historically shown decreases “as cybercriminals, like any organization, take time to enjoy the festive season.” Last year, it saw a 37% drop in ransomware attacks from November to December.

According to NCC Group, the LockBit 3.0 ransomware-as-a-service gang, whose business model has been both massively successful and increasingly drawing heat from authorities, regained its usual lead among threat actors, responsible for 19% of attacks. BianLian, a group that utilizes unusual Golang-based malware, more than doubled its activity from November to rank second at 12% of all attacks. Coming in third at 11% was the notorious BlackCat group, which NCC Group said also doubled its attacks from the month prior in its most active month on record.

NCC Group also observed a continued rise in distributed denial-of-service (DDoS) attacks, as well as a number of attacks in which threat actors attempted to extort targets by releasing their names letter by letter. Matt Hull, NCC Group’s global head of threat intelligence, told IT Brew this likely reflects the broader trend of ransomware gangs increasingly relying on tactics beyond encryption to coerce victims.

“We kind of don’t give them enough credit in a weird sort of way,” Hull said. “These are organized crime groups. They are very quick to evolve…If they’re seeing less people paying the ransomware amount, they need to amplify the pressure that they put on organizations.”

“Not only do they encrypt data, not only do they exfiltrate data, but the next thing that they can do is use denial-of-service or volumetric attacks to prevent their customers getting access to services, which is perhaps even more of an impact,” he added. “While we are seeing an uptick in DDoS numbers, the actual time period for those attacks is quite low, which does go on to suggest this is just being used as an extra threat.”

The most targeted industries in NCC Group’s data included professional and commercial services, hotel and entertainment services, and software and IT services.

“The targeting of these sectors has remained consistent and therefore appears unlikely to subside into the New Year,” the report stated. “Likewise, each sector continues to provide valuable targets, given the opportunity for widespread disruption, high value targets and cybersecurity challenges such as OT/IT convergence.”

Hull warned organizations not to get complacent in response to reports suggesting ransomware gangs are having a tough time keeping up profits.

“While we have seen a drop in those numbers, it’s not something that organizations can now just put their feet up and relax about,” Hull told IT Brew. “The volumes are still high. There are new groups appearing all the time, they’re continuing to have successes…These criminal groups will evolve, they will look for workarounds to try and make money. That’s the aim of the game for them.”—TM
