NCC Group Monthly Threat Pulse – Review of October 2024

Ransomware attacks rise as geopolitics continues to influence activity

•    Total ransomware cases in October were 19% higher month-on-month, at 486 attacks.
•    Ransomhub maintains top spot, responsible for 14% of attacks by the top 10 threat actors.
•    Industrials remain most targeted sector, accounting for 30% of attacks.
•    North America and Europe accounted for 76% of all cases globally.

October 2024 – Global levels of ransomware attacks increased both month-on- month, and year-on-year. There was a total of 486 attacks, according to NCC Group’s October Threat Pulse, which marks an increase from September’s figures of 407 and October 2023’s figures of 341. 

RansomHub reigns supreme  

RansomHub held its top spot as the most active threat actor this month with 68 attacks, down by 8% from the previous month’s 74 incidents. In October, a ransomware attack targeted a Mexican airport operator managing 13 airports nationwide, forcing them to operate on backup systems. The incident highlights the disruption that ransomware attacks can have on Critical National Infrastructure (CNI), and the tangible offline consequences of such attacks.

Play maintained second position with 53 attacks, followed by Killsec in third with 34 attacks, and Sarcoma in close fourth with 31 attacks. 

North America and Europe are targets for over three quarters of attacks 

North America remained the most targeted region, accounting for 56% of total global attacks (272) a noteworthy increase from 233 in September. Russian-sponsored threat actors were active in the run-up to the US election, evidenced by North America being the target of over half of total attacks. Europe followed with 20% of attacks (97). 

Asia faced a notable rise, with attacks climbing from 46 in September to 68 in October, and South America decreased by one with 20 attacks. Attacks in Oceania increased from 8 in September to 14 in October, and Africa remained the same at 5 across both months. 

Focus on Industrials sector unwavering

The Industrials sector remained the most targeted sector. Rising by 45 attacks from September, it accounted for 30% (148) of attacks in October. The figures demonstrate the ongoing focus of threat actors on Critical National Infrastructure (CNI). In second place is Consumer Discretionary with 100 attacks, and in third position, Healthcare with 55 attacks. 

Ransomware Spotlight: Casio Ransomware Attack by Underground

On October 8, 2024, Casio confirmed a ransomware attack by the Underground group, leading to unauthorised data access and theft. Underground has been linked to Russian cybercrime group Storm-0978 (RomCom), who are also suspected to conduct attacks on behalf of the Russian State. The breach targeted personal information of employees, job candidates, and business partners, but no credit card information or essential services like CASIO ID were compromised. The attack caused system outages and disrupted services, particularly in Japan. 

The attackers used double-extortion tactics, encrypting and extracting data to demand ransom. The exact entry point is unknown, but vulnerabilities like CVE-2023-36884 in Microsoft Office may have been exploited. Two weeks post-attack, Casio struggled to restore systems, affecting order processing and shipments. This incident underscores the critical need for timely patch management to prevent such breaches.

Matt Hull, Head of Threat Intelligence at NCC Group, said:

"With material political events on the horizon in October, it’s no surprise that we are witnessing an increase in the overall volume of cybercrime activity. Geopolitical motivations like the US election showed that nation states, such as Russia, continue to have heavy influence on global volume of cyber attacks. Overall, the consistent threat to Industrials as the most targeted sector, again highlights the necessity of vigilance for CNI. 

“The data shows that are witnessing changing dynamics of the threat landscape, with nation-states and organised crime groups increasingly collaborating. As different threat actors leverage each other’s resources, it is crucial for organisations to ensure that they’re on top of fundamental security practices such as password management, endpoint security, and Multi-Factor Authentication.

“As demonstrated through the focus on CNI, attacks are becoming less random and more targeted to organisations that will experience maximum impact. Those who rely on ‘up-time’ and hold large amounts of intellectual property or personally identifiable information are high-value targets.”

Access the monthly Threat Pulse reports