LockBit resurgence: Ransomware attacks hit record high in May

Ransomware attacks hit a record high in May, driven by a massive resurgence in LockBit ransomware attacks, according to a new report released today by NCC Group plc.

NCC Group’s 2024 Threat Intel report found that global ransomware attacks increased by 32% in May compared to the previous month. In April, 356 ransomware attacks were recorded, an increase of 470. Compared to May of the previous year, ransomware attacks increased by 8%.

The rise in ransomware attacks has been attributed to LockBit 3.0, the current incarnation of the notorious Lockbit ransomware gang. LockBit was briefly inactive following another so-called takedown by international law enforcement in February, but returned a week later and shot to the top of the ransomware leaderboard in May. It was responsible for 37% of all ransomware attacks that month. The number of LockBit ransomware attacks increased 665% from April to 176 in May.

LockBit shot to the top of the ransomware leaderboard, while the Play ransomware group fell to second place with 32 attacks – 7% of all attacks in the month. RansomHub came in third with 22 attacks, or 5% of all attacks in May.

Newcomers to the top 10 threat actors in May included Arcus Media, Underground, and dAn0n. DAn0n, which was first discovered in April and uses a double-tap extortion method, was blamed for 13 ransomware attacks in May. Underground, which also uses double-tap extortion, carried out 12 ransomware attacks during the month.

In May, 77% of ransomware attacks targeted organizations in North America and Europe. The report notes that an unusual increase in ransomware attacks was concentrated in South America. The continent accounted for 8% of attacks in May, 60% more than in April. Africa’s share of ransomware attacks also increased in the month, to 8% of all attacks, up from 3% in April.

By sector, industrial companies remain the most affected, a position they have held since January 2021. In May, 143 ransomware attacks targeted the industrial sector, up from 116 in April. The technology sector was second, with 72 attacks in May, up from 49 in the previous month. The consumer discretionary sector came in third, with 59 attacks, up from 62 in the previous month.

“After the takedown of LockBit 3.0 earlier this year, there was speculation that the group would simply disband, as we have seen with other threat groups such as Hive,” said Matt Hull, Global Head of Threat Intelligence at NCC Group. “However, the current increase in victim numbers suggests a different story. It is possible that despite the law enforcement action, LockBit has not only been able to retain its most experienced members, but also recruit new ones, indicating their determination to continue. The coming months will show whether LockBit can sustain the attack numbers seen in May.”

Image: SiliconANGLE/Microsoft Designer