Infamous hacking group LockBit 3.0 was once again the most active threat actor amid a surprising drop in ransomware attacks in August, according to a new report released today by NCC Group plc.

The NCC Group Monthly Threat Pulse for August 2023 details 390 ransomware attacks in the month, a figure that is down 22% from July. The drop came after back-to-back record months in June and July that were largely a result of the Clop ransomware gang’s ongoing exploitation of vulnerabilities in the MOVEit file transfer software.

LockBit 3.0 led the pack, being found responsible for 125 ransomware attacks, 32% of the total number of attacks in August, with the number of LockBit attacks up 150% from July. The ALPHV/BlackCat ransomware gang sat in second place with 41 attacks (11%), followed by 8base with 32 (8%).

The report notes that the standout in August was the steep fall in activity from Clop as the MOVEit exploitation largely subsided through the month, although that may have been a temporary drop given that Clop was linked to a breach involving 890 universities yesterday. During August, NCC Group only tracked three Clop MOVEit attacks, 1% of the total attacks in the month and down 98% from the 161 Clop attacks in July.

The Akira ransomware group, which first emerged in April, climbed to fourth place in August after ranking in eighth place in July. Akira is noted as having a particular focus on the industrial and education sectors.

The industrial sector was the most targeted sector in August, accounting for 31% of all attacks. Within the sector, professional and commercial services led the list, followed by machinery, tools, heavy vehicles, trains and ships, with construction and engineering placing third.

North America remains the most popular target for ransomware attacks, with 47% targeted at the continent, down 7% from July. Europe was in second place with 108 victims, or 28% of all total attacks.

Attack on targets in Asia, which sat in third place with 15% of all attacks in August — the highest level since February — were attributed to alleged Chinese groups targeting Taiwanese organizations. The report notes that these attacks highlight ongoing political tensions, posing particular risks to education, manufacturing and critical infrastructure.

“After two record months for ransomware attacks, the fall in attacks in August was to be expected,” Matt Hull, global head of threat intelligence at NCC Group, said in a statement. “The number of victims in June and July was somewhat inflated by the huge success that Cl0p had exploiting the vulnerability in the MOVEit platform. This being said, the number of recorded victims in August was still significantly higher than this time last year.”

Image: Bing Image Creator