Resurgence in LockBit Drives Record High Ransomware Attacks in May

Highlights:

• The increase in ransomware attacks was attributed to LockBit 3.0, the latest version of the notorious LockBit ransomware gang.
• LockBit rose to the top of the ransomware rankings, displacing the Play ransomware group, which fell to second place with 32 attacks, comprising 7% of all incidents in the month.

A recently released report by NCC Group plc reveals that ransomware attacks reached a peak in May, largely fueled by a significant resurgence in LockBit ransomware incidents.

The NCC Group 2024 Threat Intel report indicated a 32% increase in global ransomware attacks from April to May, totaling 470 incidents compared to 356. This reflects an 8% increase compared to May of the prior year.

The increase in ransomware attacks was driven by LockBit 3.0, the latest version of the notorious LockBit ransomware group. After a brief period of dormancy following a purported takedown by international law enforcement in February, LockBit re-emerged a week later and dominated the ransomware landscape in May, responsible for 37% of all attacks that month. The incidents involving LockBit ransomware surged dramatically by 665%, rising from 23 April to 176 in May.

LockBit soared to the top of the ransomware rankings, while the Play ransomware group fell to second place with 32 attacks, accounting for 7% of all incidents in May. RansomHub secured the third spot with 22 attacks, representing 5% of the total.

In May, newcomers among the top 10 threat actors included Arcus Media, Underground, and dAn0n. First observed in April, dAn0n, known for its double-tap extortion method, was responsible for 13 ransomware attacks in May. Similarly, Underground, which employed double-tap extortion, carried out 12 attacks during the month.

77% of ransomware attacks that occurred in May targeted businesses in North America and Europe. South America accounted for 8% of ransomware attacks in May, up 60% from April, according to the report, which highlights an anomalous spike in ransomware attacks on the continent. Additionally, Africa saw a rise in ransomware attacks this month, accounting for 8% of all attacks, compared to 3% in April.

By sector, industrial companies continue to be the most targeted, a trend that has persisted since January 2021. In May, the industrial sector experienced 143 ransomware attacks, an increase from 116 in April. The technology sector was the second most targeted, with 72 attacks in May, up from 49 the previous month. The consumer cyclical sector ranked third with 59 attacks, slightly down from 62 in April.

“Following the takedown of LockBit 3.0 earlier this year, speculation has swirled around whether the group would simply dissolve, as we’ve seen with other threat groups like Hive. However, the current surge in victim numbers suggests a different story. It’s possible that amidst law enforcement action, LockBit not only retained its most skilled affiliates but also attracted new ones, signaling their determination to persist. The coming months will reveal whether LockBit can sustain the attack figures recorded in May,” said Matt Hull, Global Head of Threat Intelligence at NCC Group.