Lockbit 3.0 Ransomware Gang Emerges as Leading Threat Actor

The organized cybercriminal group behind Lockbit is becoming more effective. Now known as Lockbit 3.0, the gang surged to the top among threat actors in August, registering 64 incidents – 40% of all ransomware attacks recorded for the month. And it wasn’t just the volume that makes it important: The group continued its streak of undesirable innovation with a new triple extortion model, along with novel methods of ransom payments.

That’s among the findings in NCC Group’s Monthly Threat Pulse for August 2022, which also reported an overall 19% drop in the number of ransomware attack victims, from 198 in July to 160. This is noteworthy because there had been a 47% spike from June to July, but the current drop may be attributable to the disbanding and departure of Conti, a previous leader among threat actors.

IceFire Enters the Scene

While there are always new and old variants in the mix, one surprise came from IceFire, a group that only entered the scene recently and yet accounted for 10 victims – ahead of more familiar names such as ALPHV and Hiveleak. We don’t yet know much about IceFire, but its effectiveness suggests that there are experienced parties involved.

Sandworm Targets Ukrainian Installations

Ransomware isn’t the only danger on the horizon: Among other entries in the threat matrix, an advanced persistent threat group known as Sandworm grabbed attention with global espionage and destruction campaigns. The group, which is often focused on industrial control systems in the energy sector, has lately zeroed in on installations in Ukraine.

Related:Ransomware Security for IT Pros: 2022 Report

Sandworm seems aligned with Russian foreign policy. As there is always strong competition between groups in the Russian intelligence apparatus for resources and personnel, the Sandworm team could be advancing its relative position to the other Russian intelligence agencies by undertaking high-risk/high-reward operations.

Most Targeted Regions, Industries

From a geography perspective, there hasn’t been much of a change in hackers’ favorite targets. North America held the lead in August, as it did in July, with 45% of all attacks, while Europe was not far behind, with 40%. Asia accounted for 9% of all attacks.

Similarly, in terms of sectors, industrials remained far ahead with 55 incidents, or 34% of all attacks. Consumer cyclicals came in 18%, and the technology sector saw 14% of attacks.

The NCC Group monthly report tracks ransomware groups by gathering information on ransomware data leaks on the dark web in real time. This research leads to insights around who the victims are, which sectors are being targeted, and the most popular modes of attack.