Kelsie Papenhausen

NCC Group Monthly Threat Pulse – December 2022

Hackers remain active over the festive break, while new threat actor comes into ‘Play’

  • December saw 269 ransomware attacks, a small increase (2%) from November (265)

  • Lockbit 3.0 reclaims first place as most active attacker with 56 attacks (19%)

  • Industrials (25%) and Consumer Cyclicals (20%) remain the most targeted sectors, with Technology (11%) experiencing a further 21% increase from November

  • Regional data follows the same trend as previous months: North America (45%), Europe (27%), Asia (12%)

  • Threat actor Play emerges with an interesting presence in the government sector

Analysis from NCC Group’s Global Threat Intelligence team has revealed there were 269 ransomware attacks in December, a small increase (2%) compared to November (265).

Though only a small increase from the previous month, the total number is higher than expected given previous evidence of a slowdown in operations over the end-of-year period: the same period last year saw a 37% decrease from November to December.

Threat actors

This month, Lockbit 3.0 regained its leading position, accounting for 19% of attacks, followed by BianLian (12%) and BlackCat (11%), both of which appeared to step up operations over the period.

NCC Group expects Lockbit 3.0 to remain in the top spot for the foreseeable future after seeing the group fall to third place in November. Its most targeted sectors remain largely similar to those of previous months, with little deviation: Industrials (30%), Consumer Cyclicals (14%), and Technology (11%).

BianLian, first spotted in July 2022, was the second-most prevalent threat actor this month, with victims in the Education, Technology, and Real Estate sectors. As its variant is written in Go (Golang), an open-source programming language, BianLian is able to encrypt victim devices with alarming efficiency, making it a particularly dangerous variant.

BlackCat remained ever-consistent in its operations, contributing 30 attacks this month. Its activity surged by 100% in December (from 15 to 30 attacks), the highest number of attacks BlackCat has undertaken in a single month. This activity could again reflect the holiday period, with the group capitalising on businesses taking a festive break.

NCC Group expects to see further fluctuation between top threat actors in 2023, as groups compete to dominate the landscape.


Across the globe, North America was the target of 120 ransomware attacks (45%), making it the most targeted region, followed by Europe with 72 attacks (27%), and Asia with 33 attacks (12%).


Looking at this month’s sector trends, Consumer Cyclicals (44%) and Industrials (25%) remain the top two most targeted sectors for ransomware attacks. Technology (11%) experienced 34 ransomware incidents, a 21% increase from the 28 attacks reported in November.

Spotlight: New Threat Actor comes into ‘Play’

This month, Play, a threat actor first discovered in July 2022, claims the spotlight following recent activity that shows a particular interest in the government sector, with four victims (15%). Such targeting is rarely seen among ransomware groups because of the law enforcement crackdown it incites.

Play ransomware became known for the ‘.play’ extension on encrypted files and for ransom notes that simply contain the word PLAY alongside an email address for contacting the threat actor. Online reports state that the threat actor is largely associated with targeting government entities in the Latin America region, further hinting that this is a priority target for the group.

Analysis has shown parallels between the Play, Hive and Nokoyawa ransomware variants, including similarities in the file names and file paths of their respective tools and payloads. The team at NCC Group will keep a closer eye on these variants to determine whether they are truly similar.

Matt Hull, Global Head of Threat Intelligence at NCC Group, commented: “Although December saw some stability in the volume of ransomware attacks, this was a deviation from what we normally observe. Over the seasonal period we have come to expect a downturn in volume of attacks, as demonstrated by the 37% decrease at the same time last year.

“In terms of the most prevalent threat actors, Lockbit 3.0 re-established itself in first position, with BianLian and BlackCat following closely behind. Meanwhile, we saw threat actor Play re-emerge on the scene with a string of attacks aimed toward Government bodies. Although we assume there are similarities between Play, Hive and Nokoyawa in their activity, we will continue to monitor this closely to confirm whether this is the case.”

