In September, a notable surge in ransomware attacks was recorded, as revealed by NCC Group's September Threat Pulse. Leak sites disclosed details of 514 victims, marking a significant 153% increase compared to the same period last year. This figure surpassed the previous high set in July 2023 at 502 attacks.
Among the fresh wave of threat actors, LostTrust emerged as the second most active group, accounting for 10% of all attacks with a total of 53. Another newcomer, RansomedVC, secured the fourth spot with 44 attacks, making up 9% of the total. LostTrust, believed to have formed in March of the same year, mirrors established threat actors' tactics of employing double extortion.
Notably, well-established threat actors remained active in September. Lockbit maintained its lead from August, while Clop's activity diminished, responsible for only three ransomware attacks in September.
In line with previous trends, North America remained the primary target for ransomware attacks, experiencing 258 incidents in September.
Europe followed as the second most targeted region with 155 attacks, trailed by Asia with 47. Nevertheless, there was a 3% rise in attacks on North America and a 2% increase on Europe, while Asia saw a 6% decrease from the previous month. This indicates a shifting focus of threat actors towards Western regions.
Industrials continued to bear the brunt of attacks, comprising 40% (19) of the total, followed by Consumer Cyclicals at 21% (10), and Healthcare at 15% (7). The sustained focus on Industrials is unsurprising, given the allure of Personally Identifiable Information (PII) and Intellectual Property (IP) for threat actors.
The Healthcare sector witnessed a notable surge, experiencing 18 attacks, marking an 86% increase from August. This trend aligns with patterns observed earlier in the year, suggesting that August's dip was an anomaly. The pharmaceutical industry's susceptibility to ransomware attacks continues due to the potential financial impact.
The surge in ransomware attacks can be attributed in part to the emergence of new threat actors, notably RansomedVC. Operating similarly to established organizations like 8Base, RansomedVC also functions as a penetration testing entity.
However, their approach to extortion incorporates compliance with Europe's General Data Protection Regulation (GDPR), pledging to report any vulnerabilities discovered in the target's network. This unique approach intensifies pressure on victims to meet ransom demands, as GDPR allows for fines of up to 4% of a victim's annual global turnover.
RansomedVC garnered attention by claiming responsibility for the attack on Sony, a major Japanese electronics company, on September 24th. In this incident, RansomedVC compromised the company's systems and offered to sell stolen data. This successful targeting of a global giant like Sony highlights the significant impact RansomedVC is exerting, indicating its continued activity in the months ahead.
Matt Hull, Global Head of Threat Intelligence at NCC Group, commented on the situation, noting that the surge in attacks in September was somewhat anticipated for this time of year. However, what sets this apart is the sheer volume of these attacks and the emergence of new threat actors playing a major role in this surge. Groups like LostTrust, Cactus, and RansomedVC stand out for their adaptive techniques, putting extra pressure on victims.
The adoption of the double extortion model and the embrace of Ransomware as a Service (Raas) by these new threat actors signify an evolving landscape in global ransomware attacks. Hull predicts that other groups may explore similar methods in the coming months to increase pressure on victims.
