Ransomware attacks take slight dip in 2022...
...as threat actors evolve and explore new tactics – NCC Group Annual Threat Monitor Report
· Ransomware attacks decrease 5% in 2022 (2,667 in 2021 to 2,531 in 2022)
· Industrials sector was the most targeted by criminal gangs for second year running
· North America (44%) and Europe (35%) most targeted regions
· DDoS incidents and business email compromise (BEC) both take a larger share of attack types as threat actors explore triple extortion methods
· Turbulence in threat landscape reflects wider grapple with major conflicts and global economic uncertainty
February 7, 2023 – Global cyber security and risk mitigation expert NCC Group recorded a slight decrease of 5% in ransomware attacks between January and December 2022, with 2,531 attacks, according to its 2022 Annual Threat Monitor Report.
Although there were slightly fewer attacks than in 2021, there was a notable surge in ransomware attacks between February and April, coinciding with the start of the Russia-Ukraine conflict, when prominent threat actor LockBit ramped up activity.
Analysis from across 2022 continues to highlight ransomware operators as effective innovators willing to find any opportunity and technique to extort money from their victims, with data leaks and DDoS being added to their arsenal to mask more sophisticated attacks.
Compiled by NCC Group’s Global Threat Intelligence team, the report details the events of 2022 and their impact on the cyber threat landscape, providing an overview of incidents across all sectors and highlighting global trends.
The insights are based on incidents identified by NCC Group’s global managed detection and response service (MDR) and its global cyber incident response team (CIRT).
Threat actor turbulence
LockBit claimed the ‘top spot’ for most active threat actor in 2022, responsible for 33% of all monitored ransomware attacks (846), a 94% increase on its 2021 activity (436 attacks). The group’s activity peaked in April with 103 attacks, ahead of the launch of new ransomware software and a rebrand to LockBit 3.0.
BlackCat accounted for 8% of the total attacks in 2022. With a quiet start in December 2021 (4 attacks), the group went on to average 18 attacks each month, with a peak of 30 incidents in December 2022. The leading threat actor of 2021, Russia-affiliated Conti, reduced attack levels dramatically to just 7% of all recorded attacks (21% in 2021), with no attacks monitored from June onwards. This reduction in activity coincided with the introduction of new group BlackBasta, believed to be associated with – or a replacement for – Conti.
The most targeted sectors in 2022 were Industrials with 804 victim organizations (32%), followed by Consumer Cyclicals with 487 (20%) and Technology with 263 (10%).
While this remains consistent with previous years, the report called attention to a relative 10% surge in victim numbers for ‘consumer cyclical’ organizations – namely hotel and entertainment, specialty retailers and homebuilding and construction supply retailers – and financial services. Meanwhile, Software & IT Services was the most targeted sector within Technology, which presents multiple opportunities to threat actors, from the theft of intellectual property to using victim companies for supply chain compromises.
North America and Europe suffered the most ransomware attacks in 2022. North America bore the brunt, with 44% of all incidents (1,106), a 24% decrease on 2021’s figures (1,447).
Europe observed 35% of all incidents, with an 11% increase in attack numbers, witnessing 896 in 2022 compared to 810 in 2021. This was potentially influenced by surges in activity associated with the Russia-Ukraine conflict in the first half of the year.
Rise in DDoS and BEC attacks
The term ‘ransomware’ originally referred to a type of software that encrypts data for the purposes of extortion. Then came double extortion, which combined ransomware with the subsequent leaking of sensitive data on a ‘leak site’, also known as ‘pay-now-or-get-breached’. Now prolific ransomware operators such as LockBit 3.0 are using DDoS attacks to add even more pressure to a victim organization – known as triple extortion.
NCC Group observed 230,519 DDoS events across 2022 with an astonishing 45% targeted at the United States, 27% of which occurred in January.
This early surge in DDoS attacks and botnet-led breaches reflects greater turbulence within the wider cyber threat landscape, in part influenced by the Russia-Ukraine conflict. DDoS continues to be weaponized by both criminal and hacktivist groups as part of the conflict, alongside disinformation campaigns and destructive malware, to cripple critical national infrastructure in Ukraine and beyond.
Often garnering less attention than their ransomware counterparts, business email compromise (BEC) attacks are clearly a growing threat that organizations must pay attention to, and represented 33% of all incidents observed by NCC Group’s Cyber Incident Response Team (CIRT).
Matt Hull, NCC Group’s Global Head of Threat Intelligence, commented: “2022 was another year that kept us on our toes. The threat landscape has been heavily influenced by the conflict between Russia and Ukraine, with a whole arsenal of offensive cyber capabilities, from DDoS to malware, deployed by criminals, hacktivists, and even other nations. Though perhaps not the ‘cybergeddon’ that some expected from the next big global conflict, we are seeing state-sponsored attacks ramp up with cyber warfare proving to be critical in this hybrid cyber-physical battlefield.
“Despite this slight dip in ransomware attacks, this does not mean we collectively declare ‘job done’. Indeed, this decline in attack volume and value is probably in part due to an increasingly hardline, collaborative response from governments and law enforcement, and of course the global impact of the war in Ukraine. As a result, we have witnessed several coordinated operations in 2022 that saw arrests of key members of prolific cyber-criminal operatives, as well as the disbanding of long-established groups. Least of all Conti, which was 2021’s most active group.”
He continued: “Looking ahead to 2023, we expect bad actors to focus their attention on compromising supply chains, bypassing multi-factor authentication (MFA) and taking advantage of misconfigured APIs. The threat will persist and organizations must remain vigilant, understand how they could be exposed and take steps to mitigate any risk.”
About NCC Group
NCC Group exists to make the world safer and more secure. As global experts in cyber security and risk mitigation, NCC Group is trusted by over 14,000 customers to protect their most critical assets from the ever-changing threat landscape. With the company's knowledge, experience, and investment in research and innovation, it is best placed to help organizations assess, develop and manage their cyber resilience posture. With circa 2,000 colleagues in 12 countries, NCC Group has a significant market presence in North America, Europe and the UK, and a rapidly growing footprint in Asia Pacific with offices in Australia, Japan and Singapore.