Freely subscribe to our NEWSLETTER

Analysis from NCC Group’s Global Threat Intelligence team has revealed there were 165 ransomware attacks in January, a 38% decrease from December 2022.

Though a significant drop from the previous month, the total is the highest volume of attacks recorded in January over the last three years, (January 2021- 127 attacks, January 2022- 120 attacks) – an indication of the growing prevalence of ransomware attacks generally, as the threat landscape continues to evolve.

Threat actors

In the first month of this year, Lockbit 3.0 retained its position as top threat actor, with 50 victims (30%), followed by Vice Society (13%) and Blackcat (12%) who have remained consistent in their operations.

Following their evolution from Lockbit 2.0 into Lockbit 3.0 halfway through last year, the threat actor was responsible for 50 attacks in January, with its most targeted sectors being Industrials (32%), Consumer Cyclicals (16%), and Technology (14%) organisations.

Vice Society, believed to be a Russian RaaS ransomware group, was the second most prevalent threat actor this month and, in-line with its previous activity, targeted the Academic and Educational Services (45%) sector more than any other in January.

Vice have historically been one of the main ransomware groups that target universities with extortions, from the theft of student and staff’s personally identifiable information, to the theft of research that can be sold to other organisations.

BlackCat, no stranger to the threat actor spotlight, claimed third place this month after accounting for 12% of overall attacks. Aligning to previous trends, Industrials (25%) was their most targeted sector, followed by Basic Materials (15%), Healthcare (15%) and Consumer Cyclicals (15%).

Regions

In-line with previous months, North America was the target of 68 attacks (41%), closely followed by Europe with 56 attacks (34%), and Asia with 19 attacks (12%).

Sectors

Looking at this month’s sector trends, Industrials (30%) took the lead as most targeted sector, followed by Consumer Cyclicals (15%). For the first time in a year (since January 2022), Academic and Education Services (11%) overtook the Technology and Government sectors, in large part due to threat actor Vice Society’s spike in activity, as it was responsible for 10 of the 18 attacks recorded (56%).

Spotlight: Threat actor AcridRain resurfaces with revamped infostealer

This month, threat actor AcridRain claims the spotlight after its new malware enterprise, first launched in October 2022, has begun gaining traction. The new iteration of the malware is one to look out for, as it rebrands itself to fit the current ’market’ standard functionality of info stealers, allowing the threat actor to refocus on targeting cryptocurrency and crypto wallets specifically, renting out stealer software to other actors.

The threat actor leads a team of programmers with several sub-specialisations that are leased for malware development projects. Its team possesses a large business deposit on the underground platforms, indicating to NCC Group’s Global Threat Intelligence team that this is a medium sized, planned, and funded operation.

NCC Group expects AcridRain to evolve further and develop its operations, capability, and reach over the coming months.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said: "January observed a steady amount of ransomware attacks, which is close to what we expect for this period of the year. Having said that, the total volume of ransomware attacks recorded this month is higher than we’d normally see in January, an indication of how ransomware attacks are on the rise generally.

"In terms of the most prevalent threat actors, Lockbit 3.0 held onto first position as predicted, whilst Vice Society and Blackcat had an active start to 2023. It’ll be interesting to see how that evolves over the coming months, and whether Lockbit will remain ahead of the rest. Threat actor Acrid Rain’s re-emergence is one that those handling crypto and other digital asset sectors in particular should look out for, as this continues to be an attractive target for ransomware groups."