NCC Group details 153% spike in September ransomware attacks

NCC Group warned ransomware activity is increasing after researchers observed an alarming, record-setting volume of attacks last month with the emergence of new groups.

While August ransomware attacks had dropped to 390 attacks, NCC Group's September Threat Pulse report revealed September was the busiest month since July with a record number of hack and leak attacks. NCC Group tracks public data leak sites, used to pressure victims into paying, to compile its dataset.

NCC Group researchers attributed the September increase to the emergence of two new groups named LostTrust and RansomedVC as well as consistent activity across the board from established ransomware groups.

Those factors led to a 153% increase year over year from September 2022, with only 202 recorded attacks, to last month with 514 ransomware attacks. Researchers warned the alarming trend will likely persist.

"NCC Group predicts that it is highly probable that this pattern will continue and repeat itself in another year's time, as we have yet to observe evidence to the contrary," the company wrote in the report.

While September marked a record month for the number of ransomware attacks recorded in NCC Group's dataset, some of the more prolific ransomware groups were inactive. For example, the Clop ransomware group, notorious for extorting victims of the widespread MoveIT Transfer product attacks, did not make the dataset at all. NCC Group recorded three Clop victims in August and zero in September. However, that doesn't mean the threat is over.

"Following this hiatus, which is characteristic of the threat group, it would be wise to expect and prepare for a highly targeted mass-exploitation campaign soon," the report said.

Though new to the scene, LostTrust and RansomedVC made NCC Group's top 5 most active threat actor list. LostTrust came in second while RansomedVC, which emerged in late August and made recent headlines after claiming an attack against Sony, took the fourth spot.

Ian Usher, deputy global head of threat intelligence at NCC Group, said RansomedVC is particularly interesting because the group was previously an initial access broker. NCC Group saw a massive spike in access broker activity following the Colonial Pipeline Co. attack from 2021, but it has teetered off.

"There was a lot of noise in the ransomware landscape [with] concern about the government intervention. A lot of ransomware groups said, 'We'll stick away from ransomware," and that was followed by a big spike in access brokers, which I think is because it's a little safer," Usher said. "But the fact that [RansomedVC has] gone access broker to ransomware -- maybe they thought the bark was bigger than the bite in regards to law enforcement."

Two other emerging ransomware groups, Cactus and Trigona, also became more prominent in September. Cactus was first identified in March and has become known to exploit identified vulnerabilities in VPN appliances to gain initial access. Researchers warned Trigona operators are known to target the Zoho ManageEngine vulnerability, tracked as CVE-2021-40539.

The 3AM and CiphBit ransomware groups also contributed to a 76% increase in the quantity of double extortion ransomware groups NCC Group detailed last month. While the newcomers didn't make the top 10 most active threat actor list, they exhibited dangerous techniques.

"[3AM] favours the double extortion tactic, and it has initially been spotted in the wild when an affiliate failed to deploy LockBit's ransomware on a targeted network. This seems to be a novel approach not only indicating the independence of affiliates from operators but perhaps also paving the way for a new trend in ransomware attacks," the report read.

CiphBit stood out for how it encrypts files. NCC Group said operators add titles containing an ID unique to each victim along with the group's contact email address and an extension containing four randomly selected characters.

However, a consistent volume of attacks from all threat groups was the most notable aspect of activity NCC Group analysts observed in September. "This month, the top ten are jointly accountable for a total of 362 cases representing 70% of the monthly output, which also represents 93% of the output recorded in the month of August, when we saw a total of 392 cases," the report read.

Usher said NCC Group was taken a back by the volume of ransomware attacks it's seen last month and throughout the year. This quarter was the busiest in terms of ransomware activity that NCC Group saw since it started monitoring the threat three years ago.

Last year, researchers observed a plateau in activity. One possibility for the increase may be ransomware groups trying to keep up with Clop's alarming activity.

"We expected to see more of the same, maybe even a little dip as groups looked to other forms of financial gain. It's taken us by surprise a little bit," he said. "Clop had a massive spike utilizing MoveIT. But for whatever reason, the rest of the groups have just gone, 'OK, we'll match your numbers.' It's quite scary to see the volume of ransomware attacks month on month, and it's continuing to rise."

Despite coming in at number four as the most targeted sector, attacks against the healthcare industry skyrocketed last month. NCC Group calculated a rise of 18 attacks, which equals an 86% increase month on month. TechTarget Editorial's ransomware database also showed persistent attacks against healthcare in September, including one that forced New York-based Carthage Area Hospital and Claxton-Hepburn Medical to divert emergency room patients.