UPDATED 03:00 EDT / JUNE 20 2024

SECURITY

LockBit resurgence sees ransomware attacks reach record high in May

A new report released today by NCC Group plc has found that ransomware attacks hit a record high in May, driven by a massive resurgence in LockBit ransomware attacks.

The NCC Group 2024 Threat Intel report found that global ransomware attacks rose by 32% month-over-month in May, to 470 recorded ransomware attacks, up from 356 in April. Compared with May of last year, ransomware attacks rose 8%.

The surge in ransomware attacks was attributed to LockBit 3.0, the current incarnation of the infamous LockBit ransomware gang. Briefly dormant after another so-called takedown by international law enforcement in February before returning a week later, LockBit surged to the top of the ransomware leaderboard in May, accounting for 37% of all ransomware attacks during the month. The number of LockBit ransomware attacks rocketed 665% from April to 176 in May.

With LockBit at the top of the leaderboard, the Play ransomware group dropped to second position with 32 attacks, or 7% of all attacks in the month. RansomHub came in at third position with 22 attacks, or 5% of all attacks in May.

Newcomers to the top 10 threat actors in May included Arcus Media, Underground and dAn0n. The dAn0n group, which was first spotted in April and uses a double-tap extortion method, was credited with 13 ransomware attacks in May. Underground, which also uses double-tap extortion, was recorded as having carried out 12 ransomware attacks during the month.

During May, 77% of ransomware attacks targeted companies in North America and Europe. The report notes an unusual increase in ransomware attacks focused on South America, with the continent accounting for 8% of attacks in May, up 60% from April. Africa’s share of ransomware attacks also increased to 8% of all attacks in the month, up from 3% in April.

By sector, industrial companies remain the most targeted, a position they have held since January 2021. In May, 143 ransomware attacks targeted the industrial sector, up from 116 in April. In second place was the technology sector, with 72 attacks in May, up from 49 the previous month. The consumer cyclical sector came in third place with 59 attacks, down from 62 the prior month.

“Following the takedown of LockBit 3.0 earlier this year, speculation has swirled around whether the group would simply dissolve, as we’ve seen with other threat groups like Hive,” said Matt Hull, global head of Threat Intelligence at NCC Group. “However, the current surge in victim numbers suggests a different story. It’s possible that amidst law enforcement action, LockBit not only retained its most skilled affiliates but also attracted new ones, signaling their determination to persist. The coming months will reveal whether LockBit can sustain the attack figures recorded in May.”
