SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
NCC finds ransomware attacks remain at record highs
Tue, 23rd May 2023

April saw the second highest volume of attacks ever recorded by NCC Group’s Global Threat Intelligence team. With the top three most active threat actors, Lockbit 3.0 (107), BlackCat (50), and BianLian (46), all increasing activity in April.

Industrials (32%), Consumer Cyclicals (11%) and Technology (11%) were found by NCC to be the most targeted sectors. In addition, regional data shows North America (50%) as most targeted region, followed by Europe (24%) and Asia (10%).

The volume of ransomware attacks remained at record highs with 352 attacks in April, the second-highest month on record, according to the latest analysis from the Threat Intelligence team.

April’s high level of activity, largely attributed to the top three threat actors, is only surpassed by March’s figures of 459 attacks, which was the result of Cl0p’s exploitation of the GoAnywhere MFT. 

Threat actors

In April, the top three most-active threat actors Lockbit 3.0, BlackCat, and BianLian were responsible for 58% of overall ransomware activity monitored in April.

Lockbit 3.0, the most active threat group of 2023, launched 107 out of the 352 attacks monitored, a 10% increase from March. BlackCat (50) and BianLian (46) increased their activity by 67% and 59% respectively.

BlackCat’s attack on digital storage device giant, Western Digital, garnered significant attention, with the group claiming to have stolen 10 terabytes of data and demanding an 8-figure ransom.

Akira, a new ransomware player that NCC Group’s Global Threat Intelligence Team believes to be independent from other well-known groups, made it into the top ten most active groups for the first time, targeting enterprises across a diverse range of industries, from construction through to real estate.

Meanwhile, ransomware-as-a-Service (RaaS) provider Cl0p reduced their activity by 98%, from 129 victims in March, to 3 in April. This is likely the result of patches being applied for the GoAnywhere MFT day-zero vulnerability, exploited by the group and contributing to the high number of victims in March.

Spotlight: PaperCut printer software vulnerabilities

This month, a duo of critical software vulnerabilities in the systems of print management software company, PaperCut, known as CVE-2023-27350 and CVE-2023-27351 take NCC's spotlight, due to the volume of organisations that could be impacted, and the potential of the vulnerabilities for exploitation.

PaperCut works with more than 100 million users in more than 70 thousand organisations in a variety of industries, including local government, healthcare, and education.

Shortly after announcement of the vulnerabilities, search engine for internet-connected devices Shodan indicated roughly 1,700 instances of software being exposed to the internet.

NCC Group’s Global Threat Intelligence team believes organisations yet to update their PaperCut software are already being targeted, as threat actors look to exploit the vulnerability on a global scale.

Matt Hull, Global Head of Threat Intelligence at NCC Group, says, “We faced another record-breaking volume of ransomware attacks in April, demonstrating how the threat landscape is continuing to evolve at an alarming pace.

"The recent attack by BlackCat on Western Digital’s network is a prime example of the increasingly malicious nature of these activities, and we believe that this kind of malicious effort - leaking data to encourage ransom payments, known as a double-extortion ransomware attack - is on the rise.

“As we see these growing levels of activity, organisations should remain vigilant and adapt their security measures to stay one step ahead, adopting a comprehensive and multi-layered defence strategy that is malleable to a changing threat landscape. Simple measures such as ensuring patches, as seen with the latest PaperCut vulnerabilities, can often mitigate these risks considerably.”