
NCC Group observes a drop in ransomware attacks -- for now

Changes in top ransomware-as-a-service groups like LockBit 2.0 and Conti accounted for the decline in activity, though NCC Group anticipates attacks will ramp back up.

While the number of ransomware attacks has plummeted since May, NCC Group warned enterprises that an uptick in the coming months might be imminent.

In its monthly threat report Thursday, NCC Group's threat intelligence team revealed an overall decrease in ransomware attacks for June, with the majority of the month's activity attributed to two ransomware-as-a-service (RaaS) operations: LockBit and Black Basta. Conti, once a major player, all but vanished from the ransomware scene last month, with only one recorded incident.

The recent disbanding of Conti, known for the significant attack on the Costa Rican government in April, and seasonal variations were two possible explanations for the decrease in ransomware activity, according to the cybersecurity vendor.

"Continuing the recent trends on number of attacks carried out, the amount overall fell from 236 in May to 135 in June, representing a 42% overall decrease," NCC Group said in a blog post.

In addition to the shutdown of the Conti website in May, NCC Group attributed the reduction in activity to the retirement of LockBit 2.0 and its transition to LockBit 3.0 -- or LockBit Black, as the RaaS gang has dubbed it.

Total attacks carried out by LockBit decreased from 95 in May to 55 in June, but only four were published under the new alias, LockBit 3.0. Just last year, Conti and LockBit 2.0 accounted for more than half of the attacks against the industrial sector, according to research from Dragos. While the activity has now decreased, LockBit continues to target industrial sectors and remains the most prolific RaaS group by a landslide, with Black Basta a distant second.

But NCC Group anticipates that the respite won't last long, and new features of the LockBit 3.0 strain, including a bug bounty program, might make the threat even more dangerous.

"We expect to see LockBit's activity to increase to their former prevalence if not surpass it, as they employ their new variant and take advantage of their new extortion tactics and bug bounty scheme," the threat report read.

As for Conti, the once prominent group on the ransomware landscape was known for backing Russia during the Ukraine invasion, and for having its source code and private communications leaked shortly after by an anonymous security researcher. NCC Group observed a 94% decrease in Conti activity since May, with 17 attacks that month and only one in June. It attributed the sharp decrease to Conti disbanding, as well as former members integrating themselves with other, smaller ransomware groups.

"Going forward, it is likely that we will see a proportionate increase in activity from some of the smaller groups due to the assistance of Conti members," the June report read.

In the May threat report, NCC Group noted that those groups might include Black Basta and Hive. In addition, the report raised the possibility that Conti's current brand had come to an end, which is also supported by June's data.

Rebranding is a common RaaS tactic, and it appears that's what operators behind Conti could be doing. NCC Group linked the possible rebranding to the lower number of incidents observed in June, as members reestablish themselves. The report, however, warned that ransomware attacks will likely increase in the coming months as groups like LockBit and Black Basta regain focus.

Christo Butcher, global lead of threat intelligence for NCC Group's research and intelligence fusion team, said it's likely that the brand Conti will no longer be used.

"The people behind it and the threat they pose are likely to remain relevant, even if it's not yet clear exactly in what shape or form," Butcher said in an email to SearchSecurity.

While ransomware activity can vary seasonally, NCC Group examined data from last year and determined that the recent drop more likely stemmed from changes in the RaaS groups. When LockBit 3.0 becomes fully established, NCC Group expects the threat actor's volume of attacks will increase because its top targets remain industrials, consumer cyclicals and technology, "despite it being in a transitionary phase."

"Whilst a larger drop was observed between June (219) and July (159), it appears that the summer months of 2021 did not experience as greater decrease as we are witnessing now," the report read. "As such, whilst seasonal variation may affect the statistics this June, it is more likely that the changes we have observed to our key ransomware variants (Conti and LockBit2.0), are responsible."

Similarly, Matthew Olney, director of Talos threat intelligence, told SearchSecurity that Cisco Talos observed an overall reduction in security incidents since the beginning of the year. One possibility he brought up was the ongoing war in Ukraine.

"There's been a reduction in incident response cases and observed malicious behaviors, especially around ransomware. In terms of volume compared to last year, it's down enough for us to notice," Olney said.
