Ransomware defies seasonal trends with increase

Ransomware operators are back with a vengeance this summer, as monthly attack volumes are increasing at a time when they normally tail off.

That's according to research from consulting firm NCC Group, whose Strategic Threat Intelligence group logged a 47% month-over-month increase in ransomware attack incidents for July. Researchers saw 198 ransomware attacks occur, an increase from June's 135 attacks.

NCC Group analysts believe the increase in attacks is down to the return of some high-profile ransomware groups that had previously been lying low. With their ranks replenished and strategies refined, those groups came out of hiding in July with a vengeance.

"Following the considerable decrease from May to June (from 236 to 135), it is likely that the threat actors that were undergoing structural changes, such as the Conti operators and LockBit, have begun settling into their new modes of operating, resulting in their total compromises increasing in conjunction," the NCC Group analysts explained.

In addition to the return of Conti and LockBit, July saw the rise of some emerging ransomware operations. In particular, HiveLeaks ransomware operators stepped up their efforts during a month that saw ransomware attacks go from five in June to 23 in July. This was enough to boost HiveLeaks from seventh to second place in terms of monthly attacks.

LockBit 3.0 remained the most popular ransomware variant, ahead of HiveLeaks. Black Basta ransomware was third, while Alphv and Clop rounded out the top five.

As to the targets of the attacks, industrial industries were by far the most popular, with professional and commercial services being the favored victims, followed by construction and engineering operations. NCC Group analysts said ransomware operators are drawn to the massive attack surfaces offered by most industrial networks.

"Industrials is a sector that continues to be heavily targeted and successfully compromised due to its broad range of industries within, the costliness of operational disruption, and its vast distribution of operational technology and legacy systems," NCC Group explained.

In addition to seeing overall attack levels increase month-to-month, July came in as a sharp year-over-year increase, with the 198 recorded attacks serving as a marked increase from the 159 logged in July 2021.

The jump also marks a departure from what had been a pretty reliable seasonal trend of ransomware levels dropping from May and June into July. The analysts noted that the change might not be a one-time fluke.

"As July's increase takes place just after Conti's integration into alternative ransomware groups (such as Black Basta) and LockBit's third metamorphosis, it is likely that this year-on-year disparity is as a result of this," NCC Group analysts explained. "No such activity was taking place in 2021, and as a result, June-July of 2021's figures were possibly representative of general seasonal changes in activity."