Global ransomware attacks decreased by 15% from March 2024,
following similar trends to 2023. Attacks dropped from 421 to 356 according to NCC Group's April Threat Pulse.
However, year-on-year ransomware attacks in April increased
by 1%, going from 352 in 2023 to 356 in 2024. The takedown of LockBit 3.0
earlier this year was likely a major contributor to this small increase.
Major threat actor shake-up
The ransomware landscape has proved turbulent this month.
Previously dominant Lockbit 3.0 lost pace, with a significant 60% drop in
attacks (23), following its takedown in February.
Play took the top spot with 32 attacks (14%), moving up the
ranks since the start of 2024 to become a significant player in the threat
landscape. Using double extortion tactics, Play ransomware exfiltrated data and
then encrypted systems, using the threatened data exposure to pressure victims
to pay.
Hunters moved from 8th position with 18 attacks
in March, to 2nd most prolific in April as it claimed 29 attacks
(12%), an increase of 61%, having taken over infrastructure and source code
from the defunct Hive ransomware group.
Ransomhub rounded up the top three with 27 attacks (11%).
The group has strict rules for affiliate conduct, in a move expected to
encourage increased payment from victims who watch other groups take payment
but not have their data decrypted.
Ransomware attacks in Europe down 35%
North America and Europe continued to dominate the total number
of regional ransomware attacks with over 80% of cases, continuing the trend for
2024.
North America experienced 15 fewer attacks in April. However,
the decline in attacks across continents has led to the proportion of attacks
increasing from 53% to 58%. Conversely, attacks in Europe decreased by 7% with
42 (35%) fewer attacks.
We expect a shift in trends in South America and Africa.
Whilst these regions were in fourth and seventh place respectively in April, A
recent report stated that developing nations have become a
"proving ground" to test the viability of new malware packages and attack
methodologies. So, Africa and South America may start to receive more attacks
over the year.
Industrials continue to dominate sector attacks
Industrials remains the most targeted sector since January
2021, having witnessed 116 attacks (34%) in April 2024, down 13 from the 129.
Despite the overall reduction in observed attacks,
Industrials claimed a higher proportion of all attacks in April (33%) than it
did in March (31%). This consistently high number of attacks stems from the
high number of vulnerabilities in these industries. Sectors such as production
and construction are more likely to pay ransomware actors for data or system
access to prevent disruption and downtime.
Coming in second, with 62 attacks (18%) was Consumer
Cyclicals. This was a reduction of 13 from the 75 attacks witnessed in March, a
reduction of just over 17%. This sector was the second most targeted every
month (with the exception of May when it came in third place). Threat actors target valuable customer data in sectors such
as hospitality and retail to use for future extortion.
Frequent members of the top ten most
targeted monthly sectors, Technology, 49 attacks (14%), and Healthcare, 29
attacks (9%), were in third and fourth place respectively.
Spotlight: Vultur Malware - A smart attack on smartphones
Fox-IT, part of
NCC Group, has released an in-depth breakdown of some newly found technical
features inside Vultur, a nefarious Android banking malware.
It was one of
the first Android banking malware families to include screen recording
capabilities and contains features such as keylogging and interacting with a
victim's device screen. Vultur mainly targets banking apps for keylogging and
remote control. ThreatFabric first discovered Vultur in late March 2021.
The authors
behind Vultur have now been spotted adding new technical features, which allow
the malware operator to further interact with the victim's mobile device
remotely. This involves interacting with the victim's screen in a way
that is more flexible compared to the use of AlphaVNC and ngrok.
Matt Hull, Global Head of Threat Intelligence at NCC Group,
said: "Despite the successful takedowns of major groups
like Lockbit, now is not the time to slow down efforts to protect against cyber
threats. The continuous rise of new and equally menacing threat actors,
alongside constant development of AI and emerging technologies, poses a unique
risk to society that we must collaborate globally to mitigate."
"The year-on-year rise in ransomware attacks is likely
linked to the explosion of AI, revolutionising how threat actors can operate.
However, it's not all doom and gloom. We should be adopting AI to fight against
these threats. But we need to act quickly so we don't end up playing catch up
to these threat actors."