IceFire, a relatively new ransomware gang, emerged in the top three most active threat groups that NCC Group observed last month.
The significant change was highlighted in NCC Group's "Monthly Threat Pulse" report Tuesday, where the threat intelligence team tracks ransomware activity including top threat groups and targeted sectors. Despite a reported 19% decrease in total ransomware attacks in August, IceFire was busy.
Not only did the ransomware group make its debut on NCC Group's top 10 list of reported threat actors, but it came in third, amassing 10 victims. The report noted that IceFire ransomware attacks had been deployed against English-speaking victims.
LockBit 3.0 maintained its top spot, accounting for 40% of all activity, while Black Basta moved from third to second, compared with July's ransomware activity.
"LockBit appear to be the only consistent presence in the threat landscape in August (from 62 attacks in July to 64 in August)," NCC Group said in the report.
As for the outlier, IceFire was first observed in March, according to the report, which also noted that its tactics, techniques and procedures align with most threat groups that compromise email or websites with the initial payload before deploying ransomware.
Security research collective MalwareHunterTeam initially tweeted about the new IceFire ransomware strain on March 14 and confirmed the rapid collection of victims. Similar to other groups, IceFire also requests ransom demands to be paid in Monero.
Another new ransomware just appeared: IceFire.— MalwareHunterTeam (@malwrhunterteam) March 14, 2022
Already seen victim companies from multiple countries, including multiple victims from 1-1 countries in the past < 40 hours, so they started "hard" it seems...@demonslay335 pic.twitter.com/QfguAicNYO
On Aug. 16, the collective stated that the gang had created a public leak site -- commonly used to pressure victims into paying ransom -- but referred to the page as "a bit unusual/strange." One irregularity it highlighted was the listing of multiple web hosting companies.
In addition, MalwareHunterTeam shared a message posted to the leak site that read, "This is not a personal attack. You have been targeted because of the inadequate security provided by your vendor." It has become common for ransomware groups to act as a legitimate business and claim they are testing an organization's security posture.
On Sept. 2, MalwareHunterTeam tweeted about apparent changes with the ransomware, as IceFire version 1.20 added a "make a proof" feature that requires victims to pay to test file decryption. "Most of (or all?) serious gangs provide free decryption to test/verify they are able to decrypt, so..." MalwareHunterTeam wrote.
Now, it appears the gang might be ramping up its attacks.
Disbanded Conti contributes to decrease
While NCC Group observed a considerable and unexpected rise in IceFire activity, other groups' activity declined. HiveLeaks, which was the second most active attacker in July with 27 victims, fell to No. 7 last month. Threat analysts attributed the overall decrease in ransomware attacks for August to HiveLeaks as well as Alphv, which "exhibited significant drops in their activity."
The decline was also noteworthy because of the sharp increase in July, when activity rose nearly 50% compared with June. However, the statistics are even more significant when compared year over year.
In August 2021, NCC Group observed a nearly 100% increase in ransomware activity as Conti rose to prominence and claimed a total of 146 victims. Between July and August 2021, attacks rose from 159 to 309. Last month, attacks fell from 198 to 160. The disbanding of Conti played a primary role, according to the security vendor.
"Given that Conti are no longer operational as a ransomware gang but have instead diffused into other smaller groups, they are likely no longer contributing to the threat landscape in such a concentrated fashion, thus resulting in the year-on-year disparity from 2021 and 2022," the report read.