SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
New threat actors drive record levels of ransomware attacks in September
Thu, 26th Oct 2023

September saw record levels of ransomware attacks, according to NCC Group's September Threat Pulse, with 514 victims' details released on leak sites.

The data represents a 153% year-on-year increase from last September and breaks the record set in July 2023, which had previously held the top spot (502 attacks). 

New threat actors contribute to record levels and climb to top five ranking 

Recently formed threat actor LostTrust ranked as the second most active group, responsible for 53 (10%) of all attacks, with another new group, RansomedVC, in fourth place with 44 (9%) attacks. LostTrust is believed to have formed in March this year, with activity now coming to light in September. The group has adopted similar methods of double extortion used widely by more established threat actors.

Well-established threat actors remained active in September, with Lockbit retaining its August top spot. With new threat actors emerging and following the decrease of its activity in August, Clop was only responsible for three ransomware attacks in September. 

Ransomware attacks increasing in the West

In line with previous months' trends, North America continued to be the most targeted region for ransomware attacks, with 258 attacks in September. Europe remained the second most targeted region with 155 attacks, followed by Asia in third place with 47.

However, September saw the targeting of North America and Europe increase by 3% and 2% respectively, whilst attacks in Asia decreased by 6% from August. This indicates a growing focus from threat actors on targeting Western regions.

Attacks on healthcare sector ramp up

In September, Industrials continued to experience the highest volume of attacks at 40% (19), followed by Consumer Cyclicals with 21% (10) and Healthcare with 15% (7). The continued targeting of Industrials is unsurprising given that the theft of Personally Identifiable Information (PII) and Intellectual Property (IP) remains an attractive motivator for threat actors.

The Healthcare sector experienced a significant increase in ransomware attacks. It witnessed 18 attacks, marking an 86% month-on-month increase from August. However, the increase is in line with trends in earlier months this year, suggesting that the dip in August was an anomaly to the overall trend. Healthcare continues to be an attractive target for threat actors because of the financial impact that a ransomware attack on companies in the pharmaceutical industry can have.

Spotlight: New threat actor RansomedVC on the rise

The record levels of ransomware attacks are partially the result of the emergence of new threat actors including RansomedVC. Like 8Base and other well-established organisations, RansomedVC operates as penetration testers. However, its approach to extortion also incorporates the claim that any vulnerabilities discovered in their target's network will be reported in compliance with Europe's General Data Protection Regulation (GDPR).

RansomedVC's innovative approach increases the pressure on victims to meet ransom demands. Financial incentives for paying the ransom are heightened, as GDPR allows for fines of up to 4% of a victim's annual global turnover.

Using these methods, the group claimed responsibility for the attack on Japanese electronics company Sony on 24th September. As part of the attack, RansomedVC compromised the company's systems and offered to sell stolen data. Successful targeting of a major global company such as Sony is indicative of the wide impact RansomedVC is having, and the group is likely to remain active over the coming months.

"After the drop in ransomware attacks in August, the surge in attacks during September was somewhat anticipated for this time of year," says Matt Hull, Global Head of Threat Intelligence at NCC Group.

"However, what stands out is the volume of these attacks and the emergence of new threat actors who have been major drivers of this activity," he says.

"These groups, including the likes of LostTrust, Cactus, and RansomedVC, are noteworthy for their approach: adapting existing ransomware techniques and introducing their own variations to add pressure for victims," says Hull.

"We have witnessed a growing number of groups utilising the double extortion model as a strategy, piggybacking off this as a successful method used by more established threat actors. New threat actors are also increasingly embracing the Ransomware as a Service (RaaS) model, whilst diversifying their activities and creating unique selling points."

Hull says the influx of new groups is evidence of the evolving nature of global ransomware attacks.

"There's a focus on ramping up pressure on victims, a tactic successfully employed by the likes of RansomedVC, as we saw with its attack on Sony last month," he says.

"It is likely that we'll see other new groups explore these methods of increasing pressure on victims to comply with other variations of RaaS in the coming months."