The Green Sheet

News from the Wire

NCC Group: LockBit 3.0 no longer most prominent threat actor

Wednesday, May 22, 2024 — 15:14:51 (EDT)

Manchester, UK, May 22, 2024—

· Overall ransomware activity declined in April 2024
· LockBit 3.0 ends eight-month reign as most prominent threat actor with fewer than half the observed attacks in March
· Industrials (34%) and Consumer Cyclicals (18%) were once again the first and second-most targeted sectors
· Europe experienced 35% fewer attacks than March 2024

Global ransomware attacks decreased by 15% from March 2024, following similar trends to 2023. Attacks dropped from 421 to 356 according to NCC Group’s April Threat Pulse.

However, year-on-year ransomware attacks in April increased by 1%, going from 352 in 2023 to 356 in 2024. The takedown of LockBit 3.0 earlier this year was likely a major contributor to this small increase.

Major threat actor shake-up

The ransomware landscape has proved turbulent this month. Previously dominant LockBit 3.0 lost pace, with a significant 60% drop in attacks (23), following its takedown in February.

Play took the top spot with 32 attacks (14%), moving up the ranks since the start of 2024 to become a significant player in the threat landscape. Using double extortion tactics, Play ransomware exfiltrated data and then encrypted systems, using the threatened data exposure to pressure victims to pay.

Hunters moved from 8th position with 18 attacks in March, to 2nd most prolific in April as it claimed 29 attacks (12%), an increase of 61%, having taken over infrastructure and source code from the defunct Hive ransomware group.

Ransomhub rounded out the top three with 27 attacks (11%). The group has strict rules for affiliate conduct, a move expected to encourage increased payment from victims who have seen other groups take payment without decrypting the data.

Ransomware attacks in Europe down 35%

North America and Europe continued to dominate the total number of regional ransomware attacks with over 80% of cases, continuing the trend for 2024.

North America experienced 15 fewer attacks in April. However, the decline in attacks across continents has led to the proportion of attacks increasing from 53% to 58%. Conversely, attacks in Europe decreased by 7% with 42 (35%) fewer attacks.

We expect a shift in trends in South America and Africa. Whilst these regions were in fourth and seventh place respectively in April, a recent report stated that developing nations have become a “proving ground” to test the viability of new malware packages and attack methodologies. So, Africa and South America may start to receive more attacks over the year.

Industrials continue to dominate sector attacks

Industrials has remained the most targeted sector since January 2021, having witnessed 116 attacks (34%) in April 2024, down 13 from the 129.

Despite the overall reduction in observed attacks, Industrials claimed a higher proportion of all attacks in April (33%) than it did in March (31%). This consistently high number of attacks stems from the high number of vulnerabilities in these industries. Sectors such as production and construction are more likely to pay ransomware actors for data or system access to prevent disruption and downtime.

Coming in second, with 62 attacks (18%), was Consumer Cyclicals. This was a reduction of 13 from the 75 attacks witnessed in March, a reduction of just over 17%. This sector was the second most targeted every month (with the exception of May, when it came in third place). Threat actors target valuable customer data in sectors such as hospitality and retail to use for future extortion.

Frequent members of the top ten most targeted monthly sectors, Technology, 49 attacks (14%), and Healthcare, 29 attacks (9%), were in third and fourth place respectively.

Spotlight: Vultur Malware – A smart attack on smartphones

Fox-IT, part of NCC Group, has released an in-depth breakdown of some newly found technical features inside Vultur, a nefarious Android banking malware.

It was one of the first Android banking malware families to include screen recording capabilities and contains features such as keylogging and interacting with a victim's device screen. Vultur mainly targets banking apps for keylogging and remote control. ThreatFabric first discovered Vultur in late March 2021.

The authors behind Vultur have now been spotted adding new technical features, which allow the malware operator to further interact with the victim's mobile device remotely. This involves interacting with the victim's screen in a way that is more flexible compared to the use of AlphaVNC and ngrok.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “Despite the successful takedowns of major groups like LockBit, now is not the time to slow down efforts to protect against cyber threats. The continuous rise of new and equally menacing threat actors, alongside constant development of AI and emerging technologies, poses a unique risk to society that we must collaborate globally to mitigate.”

“The year-on-year rise in ransomware attacks is likely linked to the explosion of AI, revolutionising how threat actors can operate. However, it’s not all doom and gloom. We should be adopting AI to fight against these threats. But we need to act quickly so we don’t end up playing catch up to these threat actors.”

Consult the full blog post for a comprehensive analysis of Vultur, beginning with an overview of its infection chain, followed by a deep dive into its new features, uncovering its obfuscation techniques and evasion methods, and examining its execution flow.


Source: Company press release.
