NCC Group Monthly Threat Pulse – Review of September 2024

Ransomhub maintains dominance

Ransomhub retained the top position as the most active threat actor this month with 74 attacks, up by 3% from the previous month’s 72 incidents. One significant attack in September targeted Kawasaki, with the group stealing 487 GB of sensitive data. This included business documents, banking records, and internal communications. After failed auctions, they threatened to leak the data on the dark web.

Play secured second position with 43 attacks, followed by Medusa in third with 26 attacks, and Qilin in fourth with 23 attacks. 

80% of attacks strike North America and Europe

North America remained the most targeted region, accounting for 57% of total global attacks (233). Europe followed with 23% of attacks (94), a noteworthy drop from 125 in August.

Asia faced a modest rise, with attacks climbing from 43 in August to 46 in September, and South America remained the same with 21 attacks. Attacks in Oceania dropped from 15 to 8 between August and September, with Africa also experiencing a significant decline in attacks, going from 13 to 5. 

Industrials remains the prime target 

The Industrials sector remained the most targeted sector. Accounting for 26% (103) of attacks in September, these figures reflect the continued interest by threat actors in targeting Critical National Infrastructure (CNI). Following closely behind is Consumer Discretionary with 89 attacks, and in third position, Information Technology with 51 attacks. 

Ransomware Spotlight: Cicada3301’S assault on VMware ESXi servers

In recent months, there has been a sharp rise in cyber threats targeting virtualised environments, exposing vulnerabilities in critical organisational networks. As more enterprises adopt virtualisation for scalability and flexibility, these infrastructures have become prime targets for attackers. A new ransomware variant, Cicada3301, is taking advantage of weaknesses in VMware ESXi servers, which are essential to organisations relying on virtual machines.

This highlights the critical need for robust security measures in virtualised environments, such as strong antivirus software, to allow organisations to mitigate the risks posed by sophisticated ransomware like Cicada3301.

Matt Hull, Head of Threat Intelligence at NCC Group, said:

"Despite a small drop in ransomware victims in September, organisations must stay vigilant. The ransomware threat landscape has been continually volatile throughout 2024, with the number of victims rising and falling month on month.

As the Industrials sector continues to be the most targeted, it’s essential that organisations operating in this space are mindful of the continued threat. Due to the significant impact on organisations that rely on ‘up-time’, and those that hold large amounts of Intellectual Property (IP) or Personally Identifiable Information (PII), cyber criminals will maintain their level of focus as they seek maximum ‘bang for their buck’.

We must also be aware that fuelling the Ransomware ecosystem is a network off access brokers and info-stealing malware. We have noted an increase in the volume of both, so organisations should ensure that fundamental security practices around password management, end point security, and Multi Factor Authentication are in place and effective.”