Ransomware attacks decreased in volume by 37% in December 2021, with the total number of known victims falling from 318 to 200, according to the latest monthly data gleaned from NCC Group’s Strategic Threat Intelligence Team.
However, this should not be taken as a sign that the threat of ransomware attacks is passing, with the fall likely a seasonal one and attributable to various ransomware gangs taking a break after a hectic few months and winding down before the holidays.
“It is undoubtedly a positive to see a decrease in threat actor activity – however, organisations should not take this as a sign that they should be complacent,” said NCC cyber threat intelligence manager Matt Hull.
“Cyber criminals, like many of us, tend to reduce activity in seasonal times of year, and trends suggest that attack levels are likely to rise again in the coming months.”
Among those taking a breather were Pysa, which, after a highly active November that saw it hit 60 targets, claimed just one victim in December. Pysa typically targets large or high-value finance, government and healthcare organisations – among its previous UK victims is Hackney Council in London.
NCC said it was likely Pysa was focusing on negotiations and collections in December, and expects the January figures may show a resurgence. Such patterns have been observed before with the likes of Conti, which along with LockBit was one of the more active crews last month, hitting 32 and 47 targets respectively.
Significantly, December saw the emergence of an apparently new and highly advanced ransomware op called ALPHV or BlackCat, notable for being the first ever ransomware coded in the Rust language, which enables attacks to be better customised. Additionally, ALPHV/BlackCat uses an access key as a token in a ‘GET parameter’ during its attacks – this means only affiliated parties can access the negotiation chat logs as the key cannot be distributed, which could be an obfuscation measure, or a means to discourage victims from contacting law enforcement or media.
It also uses an affiliate scheme with a percentage fee as a cut, depending on how much ransom is demanded, and runs triple extortion attacks, where besides data encryption and leakage, DDoS attacks are also deployed against victims.
“The emergence of ALPHV demonstrates that the vacuum created by the close of ransomware groups such as REvil and BlackMatter will be filled until further developments indicate otherwise,” said Hull.
“Organisations need to take action now to ensure they have robust incident response plans in to become resilient to future attacks – especially those in targeted sectors such as industrials and consumer cyclicals.”
More stats from NCCs latest report reveal North America and Europe remain the most heavily targeted regions for ransomware attacks, with 81 and 70 victims respectively. Within Europe, organisations in the UK, France and Italy were the most victimised.
Industrial organisations continued to be the most affected sector, accounting for 40% of victims, followed by consumer cyclicals (a catch-all term that includes sectors such as automotive, property, entertainment, and retail) which accounted for 27% of observed attacks in December.