Ransomware activity has shown a decline in both June and July when compared to the same time period in 2023 and earlier months this year, according to a recent report by cybersecurity incident response and managed services provider NCC Group.
The report, titled “Monthly Threat Pulse” for July, revealed that there were 395 ransomware attacks tracked in July, which marked a 20% increase from the previous month of June, where 329 attacks were recorded. The spike in July was attributed to threat actors taking advantage of reduced IT staff presence during the summer months.
Despite the uptick in July, both June and July saw a notable decrease from the ransomware activity observed from February to May. Additionally, the numbers were significantly lower compared to the same period in the previous year. Researchers are cautious about labeling the July increase as the beginning of an upward trend and will continue to monitor the situation closely.
The industrial sector emerged as the primary target for ransomware attacks, with 125 incidents reported in July, up from 105 in June. This sector’s vulnerability, especially among organizations utilizing operational technology, underscores threat actors’ persistent interest in targeting critical national infrastructure (CNI).
One of the notable developments in the ransomware landscape in July was the dominance of the RansomHub gang, responsible for 11% of the attacks. This group surpassed LockBit 3.0, which secured second place with 8% of the attacks. LockBit 3.0 had faced significant disruption earlier in the year due to international law enforcement efforts such as Operation Cronos.
The rise of RansomHub can be attributed to its ransomware-as-a-service model and the migration of former LockBit affiliates to this new group. Although LockBit 3.0 maintained its position in the rankings, its activity levels are far lower compared to its peak before the takedown.
Another interesting development in July was the exploitation of the VMware ESXi flaw CVE-2024-37085 by ransomware gangs such as Black Basta. This vulnerability, identified by Microsoft, allowed threat actors to gain full administrative privileges on affected systems. Microsoft has issued a fix for this vulnerability to mitigate the risk for customers.
Matt Hull, global head for strategic threat intelligence at NCC Group, highlighted the significant decrease in ransomware activity in June and July compared to the previous year. This decline can be attributed to the reduction in LockBit activity following law enforcement actions against the group.
While the future of LockBit remains uncertain, Hull emphasized that the number of victims associated with this ransomware variant is still lower than before Operation Cronos. Despite the ongoing spotlight on the group, there are still affiliates willing to use LockBit for malicious purposes.
In conclusion, the ransomware landscape continues to evolve, with threat actors adapting their tactics and targeting strategies. Monitoring and addressing these threats remain crucial to safeguarding organizations from potential cyberattacks in the future.