top of page
  • Writer's pictureKelsie Papenhausen

Ransomware Threat Remains at High Level

· April saw the second highest volume of attacks ever recorded by NCC Group’s Global Threat Intelligence team

· The top three most active threat actors – Lockbit 3.0 (107), BlackCat (50), and BianLian (46) all increased activity in April

· Industrials (32%), Consumer Cyclicals (11%) and Technology (11%) were the most targeted sectors

· Regional data shows North America (50%) as most targeted region, followed by Europe (24%) and Asia (10%)

The volume of ransomware attacks remained at record highs with 352 attacks in April, the second-highest month on record, according to the latest analysis from NCC Group’s Global Threat Intelligence team.

April’s high level of activity, largely attributed to the top three threat actors, is only surpassed by March’s figures of 459 attacks, which was the result of Cl0p’s exploitation of the GoAnywhere MFT.

Threat actors

In April, the top three most-active threat actors, Lockbit 3.0, BlackCat, and BianLian were responsible for 58% of all ransomware activity monitored.

Lockbit 3.0, the most active threat group of 2023, launched 107 out of the 352 attacks monitored, a 10% increase from March. BlackCat (50) and BianLian (46) increased their activity by 67% and 59%, respectively. BlackCat’s attack on digital storage device giant, Western Digital garnered significant attention, with the group claiming to have stolen 10 terabytes of data and demanding an 8-figure ransom.

Akira, a new ransomware player that NCC Group’s Global Threat Intelligence team believes to be independent from other well-known groups, made it into the top ten most active groups for the first time, targeting enterprises across a diverse range of industries, from construction to real estate.

Meanwhile, ransomware-as-a-Service (RaaS) provider Cl0p reduced their activity by 98%, from 129 victims in March, to 3 in April. This is likely the result of patches being applied for the GoAnywhere MFT day-zero vulnerability, exploited by the group and contributing to the high number of victims in March.


Repeating trends from last month's analysis, North America was the target of half of April’s ransomware activity with 172 attacks (50%). Europe followed with 85 attacks (24%), then Asia with 34 attacks (10%).


In April, Industrials (32%) was the most targeted sector with 113 attacks, followed by Consumer Cyclicals (11%) with 39 attacks, and technology (11%) with 37 attacks.

Spotlight: PaperCut printer software vulnerabilities

This month, a duo of critical software vulnerabilities in the systems of print management software company, PaperCut (known as CVE-2023-27350 and CVE-2023-27351) take the spotlight, due to the volume of organizations that could be impacted, and the potential of the vulnerabilities for exploitation.

PaperCut works with more than 100 million users in over 70 thousand organizations in a variety of industries, including local government, healthcare, and education. Shortly after announcement of the vulnerabilities, search engine for internet-connected devices, Shodan indicated roughly 1,700 instances of software being exposed to the internet.

NCC Group’s Global Threat Intelligence team believes organizations yet to update their PaperCut software are already being targeted, as threat actors look to exploit the vulnerability on a global scale.

Matt Hull, global head of Threat Intelligence at NCC Group, said: “We faced another record-breaking volume of ransomware attacks in April, demonstrating how the threat landscape is continuing to evolve at an alarming pace. The recent attack by BlackCat on Western Digital’s network is a prime example of the increasingly malicious nature of these activities, and we believe that this kind of malicious effort – leaking data to encourage ransom payments, known as a double-extortion ransomware attack – is on the rise.

“As we see these growing levels of activity, organizations should remain vigilant and adapt their security measures to stay one step ahead, adopting a comprehensive and multi-layered defence strategy that is malleable to a changing threat landscape,” he continued. “Simple measures such as ensuring patches, as seen with the latest PaperCut vulnerabilities, can often mitigate these risks considerably.”


bottom of page