Global ransomware attacks dip below average in June 2024

In June 2024, global levels of ransomware attacks fell below the average number recorded for the year for the first time since January. According to NCC Group's June Threat Pulse, a total of 331 ransomware attacks occurred during the month.

The decline represents a significant reduction compared to prior months in 2024. Experts suggest that increasing international law enforcement efforts to combat ransomware groups have made major players increasingly cautious.

LockBit 3.0 saw a substantial drop in activity, with only 11 recorded attacks in June. This decline is likely the outcome of concerted law enforcement actions aimed at dismantling the group. Play emerged as the most active threat actor with 35 attacks, followed by RansomHub, which logged 27 attacks. There is speculation that RansomHub's surge may be linked to recent reports from Microsoft, indicating that Octo Tempest, also known as Scatter Spider, has integrated RansomHub and Qilin into its operations.

Additional data reveals that Akira RaaS ranked third with 20 attacks, while Cactus was responsible for 18 attacks during the month. Activity levels for other threat actors such as Medusa and BlackSuit remained consistent with previous months.

Despite the overall decrease in global attacks, North America remained the most targeted region, accounting for 52% of total global incidents (173). Europe followed with 27% (90 attacks), and Asia experienced 27 attacks, representing 11% of the total.

An analysis of the distribution of attacks across various sectors highlights a potential shift in cybercriminal strategies. The Industrials sector bore the brunt of the attacks, accounting for 32% of incidents in June. The Technology sector suffered 50 attacks, while Consumer Cyclicals faced 46 attacks. The Government sector recorded 10 attacks, marking a decline which may be attributed to the Operation Cronos crackdown on LockBit 3.0, a group that had previously been prominent in this sector.

Matt Hull, Global Head of Threat Intelligence at NCC Group, commented on the shifting landscape in June: "Overall, June's ransomware landscape was characterised by ongoing shifts, with LockBit 3.0's steep decline and Play remaining a formidable force in the threat landscape."

"The cyber threat landscape in the first half of 2024 has been marked by a series of significant events that have had a profound impact on global cybersecurity. We have seen major cyber incidents that have disrupted businesses, healthcare systems, and critical infrastructure across North America, Europe, and the Asia Pacific region," Hull added. "These incidents have ranged from data breaches to aggressive ransomware attacks, highlighting the evolving nature of cyber threats and the increasing capabilities of cyber adversaries. Equally, we've seen how external pressures on ransomware operations can significantly disrupt even the most prolific threat actors. These changes underscore how cyber security resilience must persist as a key priority for organisations across all industries."

Attention is particularly focused on the decline of LockBit 3.0. Law enforcement efforts, notably Operation Cronos, have significantly disrupted the group's activities. The group may be struggling to fully recover its operations, reportedly reposting data from old victims in a bid to portray invulnerability to law enforcement actions. LockBit 3.0's reduced presence has created a gap in the ransomware threat landscape, inviting speculation about whether the group can make a return or whether other ransomware groups will exploit the created void.

NCC Group has indicated that they will be updating their methods for data collection to enhance the quality and integrity of future reports. This change, effective from July 2024, will align business classification activities with the Global Industry Classification Standard (GICS) to provide clearer insights and usability of the data.