LockBit dethroned as leading ransomware gang for first time post-takedown
Rivals ready to swoop in but drop in overall attacks illustrates LockBit’s influence
The takedown of LockBit in February is starting to bear fruit for rival gangs with Play overtaking it after an eight-month period of LockBit topping the attack charts.
For the first time since the National Crime Agency-led takedown of LockBit, the gang didn't register the most number of attacks across a single month, suggesting that law enforcement's claims of a successful disruption were valid.
When the person cops believe to be LockBit's leader, Dmitry Khoroshev, was unmasked two weeks ago, the NCA also updated the world on LockBit's operation, saying it was "running at limited capacity" and the threat the gang presents to the world was "significantly reduced."
The findings from NCC Group, published today, also take into account the understanding that LockBit had been reposting organizations it had attacked before the NCA's disruption operation to maintain appearances.
For example, the day before their lead suspect was unmasked, LockBit's leak blog posted 43 supposedly new victims, many of which ransomware watchers had seen posted before. A Canadian university, a US healthcare business, and a UK software business were all previously claimed in December 2023.
The NCC Group however, insists only one duplicated attack was included in the specific dataset that informed its research.
Its findings show that in April, LockBit only posted 23 organizations (including one duplicate) – a 60 percent drop compared to its pre-bust numbers (with the duplicated attacks accounted for). Play, Hunters, and Ransomhub took the top three spots respectively.
Global ransomware activity was down 15 percent month-on-month but rose one percent year-on-year – a finding NCC Group believes is due to both the takedown of LockBit in February and the increasing adoption of AI by cybercriminals.
"Despite the successful takedowns of major groups like LockBit, now is not the time to slow down efforts to protect against cyber threats," said Matt Hull, global head of threat intelligence at NCC Group.
"The continuous rise of new and equally menacing threat actors, alongside constant development of AI and emerging technologies, poses a unique risk to society that we must collaborate globally to mitigate."
"The year-on-year rise in ransomware attacks is likely linked to the explosion of AI, revolutionizing how threat actors can operate. However, it's not all doom and gloom. We should be adopting AI to fight against these threats. But we need to act quickly so we don't end up playing catch up to these threat actors."
Regional shifts
North America and Europe were unsurprisingly again the two most targeted continents by ransomware. It's very often the case given that most ransomware miscreants reside in countries that are adversaries to the leading economies in the West.
- First LockBit, now BreachForums: Are cops winning the war or just a few battles?
- With ransomware whales becoming so dominant, would-be challengers ask 'what's the point?'
- First LockBit, now BreachForums: Are cops winning the war or just a few battles?
- LockBit identity reveal a bigger letdown than Game of Thrones Season 8
As such, 80 percent of all ransomware attacks targeted organizations across the two continents, but none more so than North America, which withstood 58 percent of the global total. Europe was targeted the second most with 35 percent of the global total, a seven percent decrease month-on-month.
That said, the researchers cited findings from an April report by security firm Performanta which claimed developing nations in Africa and South America may become a "proving ground" for experimental new malware. The workshopping of attack scenarios against organizations in Africa is likely to be perceived as having fewer risks attached to it, the report concluded.
NCC Group said we may therefore see a growing proportion of attacks in developing nations in future. ®