March witnessed record-breaking levels of ransomware attacks for 2024

RAGroup increases activity by over 300% since its last known attacks in December 2023, entering the top three threat actors for the first time.

  • Friday, 26th April 2024 Posted 7 months ago in by Phil Alsop

Ransomware attacks in March continued to break records for 2024, with global levels of ransomware attacks increasing from February. The total cases rose to 421 from 416 in the previous month (up 1%), according to NCC Group’s March Threat Pulse.

Year-on-year ransomware attacks in March have decreased in targeting by 8%, going from 459 to 421 attacks compared to March 2023 which was largely down to the mass exploitation of the GoAnywhere MFT vulnerability, which ransomware gang CL0P claimed responsibility for before going silent until its major MOVEit exploitation in May.

Despite the Year-on-Year decrease in targeting, the record-breaking 2024 monthly targeting increase indicates that we will likely observe a further activity increase in April as well as the remainder of the year.

New faces appear in the most prominent threat actor list

Continuing their eight-month reign, LockBit 3.0 was responsible for 57 attacks (20%), Play 40 attacks (14%) and RAGroup 33 attacks (11%).

Contrary to LockBit which experienced almost a 50% decline in activity between February and March, Play has experienced a surge in activity: going from 26 attacks in February to 40 in March, an increase of nearly 67%. RAGroup also returned to prominence with a bang after no observable activity in either January or February of 2024. The group broke into the top three for the first time, with an increase of 300% from their last known attacks in December 2023.

Black Basta, Medusa and Cactus were in fourth, fifth, and sixth positions with 32 attacks (11%), 22 attacks (8%), and 20 attacks (7%) respectively.

Play targets ransomware attacks on North America

For the third time in 2024, North America and Europe continued to dominate the total number of regional ransomware attacks with over 82% of cases.

North America witnessed over 50% of attacks, Lockbit claiming 14% (31) of these, down from 55 attacks in February. This is likely due to the law enforcement actions, which potentially impacted their operation. Play delivered the same share of attacks to this region as Lockbit, up from 8% (18) in February.

For the remaining 18% we have Asia with 40 attacks, South America with 16, Oceania with 9, and finally Africa and Undisclosed with just 9 and 4 victims retrospectively. This is mostly consistent with last month with just a 1% difference between some of the regions.

Ransomware groups cause sector shake-up

March’s ransomware targeting by sector saw Industrials with 129 attacks (31%) and Consumer Cyclicals with 75 attacks (19%) remaining in first and second position.

Outside of the top two sectors, there has been a major reshuffle to the sectors’ positioning when compared with February. Healthcare moved from fourth in February to third in March with 45 attacks (11%), while Consumer Non-Cyclicals dropped from third to fifth with 35 attacks (8%).

Next, Technology jumped from sixth position in February to fourth in March, accounting for 41 attacks (10%), which also represents a 41% increase in the sector’s targeting (from 29 attacks). Due to a 64% increase in targeting (from 14 to 23 attacks), the Financials sector moved from eighth in February to sixth this month, accounting for 5% of the attack volume. Simultaneously, a 44% decrease in targeting (from 32 to 18 attacks) resulted in the Basic Materials sector falling from fifth in February to eighth in March.

The remaining three sectors (or Government Activity, Academic & Educational Services and Real Estate) experienced minor changes in positioning and together account for 32 attacks (8%) of the overall monthly output.

Spotlight: Contests and Competitions

The majority of the focus within the ransomware landscape often focuses on the malware groups at play. However, criminal creativity is essential to develop new strategies in order to evade detection and punishment, carry out illicit operations, and exploit loopholes.

Contests, such as XSS’ software development contest, aim to bring together the community and support in developing new malicious malware.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said:

“It’s evident that ransomware attacks aren’t slowing down any time soon. We are seeing what were once less prominent ransomware gangs, like RAGroup, now increasingly getting closer to major players, such as Lockbit. This has not only led to a massive shake-up within the ransomware landscape but also an increasing number of attacks that the public needs to be vigilant about.

“Whilst we’re seeing an increasing amount of law enforcement action taking down these major threat actors, our readers still need to be cautious of these groups making a comeback, just like Lockbit.

“As ever, we’ll continue to monitor these groups and the wider threat landscape, to make sure we’re sharing all the latest information as soon as we can.”

Beacon, NY, Dec 20, 2024– DocuWare unveils its AI-powered Intelligent Document Processing (DocuWare IDP), bringing about unprecedented improvements...
85% of IT decision makers surveyed reported progress in their companies’ 2024 AI strategy, with 47% saying they have already achieved positive ROI.

MSPs will invest in more AI security forecasting

Posted 1 week ago by Phil Alsop
Predictive maintenance and forecasting for security and failures will be a growing area for MSPs with an interest in security, says Nicole Reineke,...

Machine identities next big target for cyberattacks

Posted 1 week ago by Phil Alsop
Venafi has published the findings of its latest research report: The Impact of Machine Identities on the State of Cloud Native Security in 2024....
Nearly 50% of organisations have experienced a security breach in the last two years.

IT professionals recognise lack of gender diversity

Posted 1 week ago by Phil Alsop
The majority (87 percent) of IT professionals agree that there is a lack of gender diversity in the sector, yet less than half (41 percent) of...

A moving landscape for MSPs

Posted 1 week ago by Phil Alsop
2025 predictions from Ranjan Singh, chief product officer at Kaseya.

Data breach epidemic takes its toll

Posted 1 week ago by Phil Alsop
New study by Splunk shows that a significant number of UK CISOs are stressed, tired, and aren’t getting adequate time to relax.