LockBit, the largest and most prolific ransomware group in the world this year, saw its activity plummet last month.
Researchers with infosec consultancy GuidePoint Security said that during October, ransomware attacks attributed to LockBit were down 49%. The drop helped to drive a 7.3% overall decline in ransomware attacks for the month.
The GuidePoint monthly report showed that the decrease was extremely top-heavy, and surges in activity from a number of smaller ransomware families helped to partially cancel out the decline from LockBit, which recently saw one of its alleged members arrested in Canada.
Due to its dominance of the ransomware space, LockBit remains by far the most prolific ransomware as a service (RaaS) operation even after its monthly lapse, still accounting for more than half of all reported infections in GuidePoint's report.
Nic Finn, threat intelligence consultant at GuidePoint, told TechTarget Editorial that the decline is not likely to be due to any sort of internal strife or organizational problems at LockBit. Rather, it's a product of decreased activity from the affiliate hackers that actually spread the malware.
Finn explained that while there's no way to be sure what exactly caused the dip, one possible factor might be LockBit's relatively stringent rules for affiliate hackers.
"LockBit has strict policies against running their tools against healthcare and against some certain countries," Finn explained. "Some of these affiliates might not be getting a better deal, but they are transitioning toward organizations that let them target specific industries and get a better bounty."
One point in support of this theory is a recent rise in attacks on healthcare companies. The sector climbed to the No. 2 spot, behind manufacturing and ahead of education.
In addition to LockBit's decreased activity, GuidePoint researchers also noticed an unusually high number of ransomware gangs going dark in October, with some groups shutting down their sites completely. Ransomware gangs that apparently shut down include Cheers, which emerged earlier this year, and Sparta, which first launched attacks just last month.
"It was definitely anomalous to have that many groups go offline at the same time," Finn said. "It is one thing to go silent with their posts, but we saw a couple groups shut down their sites as well."
Unfortunately, where attacks from LockBit and the other groups declined, GuidePoint reported that eight of the smaller RaaS operations increased their attacks by five or more victims for the month.
The GuidePoint team found that groups with an increase in activity included Alphv (79%), Black Basta (32%) and BianLian (367%). This helped to keep attack rates fairly high and limited the overall dip in activity to just over 7%.
While the numbers could indicate changes in the ransomware landscape, one month is a very small sample size for analyzing activity. GuidePoint said quarterly reports and larger time frames will provide a better picture of the landscape.