New ransomware strain Ymir drives rising attack levels in November
• Ransomware cases in November rose by 16% from October, with 565 attacks.
• Akira was the most active threat group, responsible for 15% of attacks.
• Industrials remain the most targeted sector, with 32% of attacks.
• 78% of all cases globally took place in North America and Europe.
November 2024 – Global levels of ransomware attacks again increased both month on month and year on year, according to NCC Group's November Threat Pulse. A total of 565 attacks were recorded, an increase from October 2024's figure of 486 and November 2023's figure of 438.
Akira takes the lead
Akira was the most active threat actor this month with 87 attacks. RansomHub was knocked off the top spot into second position with 80 attacks, followed by ElDorado in third with 43 attacks, and Killsec in fourth with 33 attacks.
North America and Europe experienced over three quarters of all attacks
North America remained the most targeted region, accounting for 58% of total global attacks (326), a noteworthy increase from 272 in October, and Europe followed with 20% of attacks (114). The Russian-attributed threat group Sandworm was responsible for sustained espionage activity across both regions, with particular focus on the energy sector in Europe.
Asia experienced a decrease in attacks, dropping from 68 in October to 58 in November. In contrast, attacks in South America increased to 35, up from 20 in October, with Oceania also witnessing a slight increase, while Africa's attacks doubled.
Industrials remains the prime target
The Industrials sector remained the most targeted with 181 attacks in November, accounting for 33% of all sectors targeted, demonstrating the continued threat to Critical National Infrastructure (CNI). The Consumer Discretionary sector followed with 119 attacks, and in third position was Information Technology with 72 attacks.
Ransomware spotlight: New players and threat group collaboration are changing the game
Last month, new ransomware strain Ymir emerged as a dominant player after first being recorded in July this year. The group recently used RustyStealer malware to target a Colombian organisation, compromising credentials and deploying ransomware stealthily. Ymir's advanced configuration options and memory-based operations helped it evade detection.
Security experts have speculated that Ymir may have acted in collaboration with other groups. In line with this trend, nation-state actors and hacktivists have worked together, using ransomware for financial gain and political motives. Such collaboration has been influenced by geopolitical events such as the Russian invasion of Ukraine, which have drawn nation-state threat groups together with the same aims.
The threat group Sandworm, linked to Russian intelligence, is a prime example of the increasing danger that nation-state groups pose due to the diversity of their operations, which include cyber espionage and influence campaigns.
Matt Hull, Head of Threat Intelligence at NCC Group, said:
“The relentless activity of various cyber threat actors has almost become commonplace, but the focus on the industrial sector and particularly organisations that operate as part of critical national infrastructure (CNI) remains a real concern.
Despite continued sector focus, there’s an interesting picture to paint when it comes to patterns of how threat groups operate. The collaboration between threat groups and blurring of lines between criminal and state-sponsored activity, often linked to geopolitical tensions, creates a dynamic threat landscape where motives behind attacks can be difficult to discern. This has been further highlighted in warnings issued by the UK’s NCSC in their recent Annual Review.
As 2024 draws to a close, the immediate global threat of ransomware remains, so we’d urge companies to be more vigilant than ever when protecting against attacks. And, as we enter the holiday period, please stay secure and be mindful of the usual seasonal influx of scam and phishing emails which impact us all personally at this time of year.”
About NCC Group:
NCC Group is a people-powered, tech-enabled global cyber security and software escrow business.
Driven by a collective purpose to create a more secure digital future, c2,000 colleagues across Europe, North America, and Asia Pacific harness their collective insight, intelligence, and innovation to deliver cyber resilience for over 14,000 clients across the public and private sector.
With decades of experience and a rich heritage, NCC Group is committed to developing sustainable solutions that continue to meet clients’ current and future cyber security challenges.