New threat actors drive record levels of ransomware attacks in September
- September saw a new record of 514 victims, marking a year-on-year increase of 153% from 2022
- New threat actors, including LostTrust and RansomedVC, rank in top five most active groups
- Industrials (40%), Consumer Cyclicals (18%) and Technology (10%) most targeted sectors
September saw record levels of ransomware attacks according to NCC Group’s September Threat Pulse, with 514 victims details released in leak sites. The data represents a 153% year-on-year increase from last September and breaks the record set in July 2023, which had previously held the top spot (502 attacks).
New threat actors contribute to record levels and climb to top five ranking
Recently formed threat actor LostTrust ranked as the second most active group, responsible for 53 (10%) of all attacks, with another new group - RansomedVC – in fourth place with 44 (9%) attacks. LostTrust is believed to have formed in March this year, with activity now coming to light in September. The group has adopted similar methods of double extortion used widely by more established threat actors.
Well-established threat actors remained active in September, with Lockbit retaining its August top spot. With new threat actors emerging and following the decrease of its activity in August, Clop was only responsible for three ransomware attacks in September.
Ransomware attacks increasing in the West
In line with previous months’ trends, North America continued to be the most targeted region for ransomware attacks, with 258 attacks in September. Europe remained the second most targeted region with 155 attacks, followed by Asia in third place with 47.
However, September saw the targeting of North America and Europe increase by 3% and 2% respectively, whilst attacks in Asia decreased by 6% from August. This indicates a growing focus from threat actors on targeting Western regions.
Attacks on healthcare sector ramp up
In September, Industrials continued to experience the highest volume of attacks 40% (19), followed by Consumer Cyclicals with 21% (10) and Healthcare 15% (7). The continued targeting of Industrials is unsurprising given that the theft of Personally Identifiable Information (PII) and Intellectual Property (IP) remain attractive motivators for threat actors.
The Healthcare sector experienced a significant increase in ransomware attacks. It witnessed 18 attacks, marking an 86% month-on-month increase from August. However, the increase is in line with trends in earlier months this year, suggesting that the dip in August was an anomaly to the overall trend. Healthcare continues to be an attractive target for threat actors because of the financial impact that a ransomware attack on companies in the pharmaceutical industry can have.
Spotlight: New threat actor RansomedVC on the rise
The record levels of ransomware attacks are partially the result of the emergence of new threat actors including RansomedVC. Like 8Base and other well-established organisations, RansomedVC operate as ‘penetration testers’. However, its approach to extortion also incorporates the claim that any vulnerabilities discovered in their targets’ network will be reported in compliance with Europe’s General Data Protection Regulation (GDPR).
RansomedVC’s innovative approach increases the pressure on victims to meet ransom demands. Financial incentives for paying the ransom are heightened, as GDPR allows for fines of up to 4% of a victim’s annual global turnover.
Using these methods, the group claimed responsibility for the attack on Japanese electronics company, Sony, on 24th September. As part of the attack, RansomedVC compromised the company’s systems and offered to sell stolen data. Successful targeting of a major global company such as Sony is indicative of the wide impact RansomedVC is having, likely to be a group that remains active over coming months.
Matt Hull, Global Head of Threat Intelligence at NCC Group said: “After the drop in ransomware attacks in August, the surge in attacks during September was somewhat anticipated for this time of year. However, what stands out is the volume of these attacks and the emergence of new threat actors who have been major drivers of this activity.
“These groups, including the likes of LostTrust, Cactus, and RansomedVC, are noteworthy for their approach: adapting existing ransomware techniques and introducing their own variations to add pressure for viticms. We’ve witnessed a growing number of groups utilising the double extortion model as a strategy, piggybacking off this as a successful method used by more established threat actors. New threat actors are also increasingly embracing Ransomware as a Service (Raas) model, whilst diversifying their activities and creating ‘unique selling points’.
“The influx of new groups is evidence of the evolving nature of global ransomware attacks. There’s a focus on ramping up pressure on victims, a tactic successfully employed by the likes of RansomedVC, as we saw with its attack on Sony last month. It’s likely that we’ll see other new groups explore these methods of increasing pressure on victims to comply with other variations of RaaS in the coming months.”
Our team of threat intelligence experts keep a constant watch over the cyber and geopolitical landscape, so you don’t have to.
Introducing our monthly Cyber Threat Intelligence highlights webinar, giving you further insight and exclusive access to what's going on now with recommendations and advice for your organisation.
Join our Global Head of Threat Intelligence, Matt Hull, each month for:
- A deeper understanding of the latest report findings
- A look at emerging trends by region and sector
- Insight into new threat actors
- Q&A
Register now for our November webinar on 29 November at 4pm GMT where you’ll get exclusive insight into our October analysis before we share our public reports!
Cyber Threat Intelligence Webinar - November 2023 | NCC Group (livestorm.co)