Latest News

Ransomware attacks increase by 47% as Lockbit 3.0 further establishes itself, says NCC Group

  • Ransomware attacks increased by 47% compared to June
  • Industrials (32%), Consumer Cyclicals (17%), and Technology (14%) remain most targeted sectors
  • Lockbit 3.0 (52 victims) most active attacker, followed by Hiveleaks (27 victims) and BlackBasta (24 victims)
  • Lazarus Group increases operations following number of financial cyber crimes

The ransomware threat scene continues to evolve following the disbanding of Conti, as ransomware attacks rose from 135 in June to 198 in July, representing a 47% increase, as reported by NCC Group’s Global Threat Intelligence team.

The escalation in ransomware attacks comes amidst the rise of several new threat actors, with newcomer Lockbit 3.0 taking the top spot followed closely by Conti-associated threat actors Hiveleaks and BlackBasta, that are settling into a new way of operating.

Meanwhile, Lazarus Group returns to prominence, following several multi-million-dollar cryptocurrency-focused attacks earlier this year.


Sector trends remained consistent in July, with Industrials remaining the most targeted sector, as it made up a third (32%) of ransomware attacks, followed by Consumer Cyclicals (17%), and Technology (14%).


From a regional perspective, North America claimed the spot for most targeted region (42%), overtaking Europe (40%) for the first time in 2 months. The last time we saw North America as a top target was back in May.

Threat Actors

As we moved into July, the phasing out of Lockbit 2.0 and transition to new variant Lockbit 3.0 looked to complete, as Lockbit 3.0 moved into pole position as the top ransomware variant this month with 52 incidents.

Meanwhile, the rise in prominence from Hiveleaks (27 victims), and BlackBasta (24 victims) may represent a possible regrouping of former Conti members as new, smaller factions.

Meanwhile, North Korea-backed APT Group Lazarus, have continued to make ripples in the cyber threat landscape following their $100 million crypto heist on Harmony’s Horizon Bridge in late June.

Spotlight on Lazarus Group

This month, Lazarus Group claims the spotlight following a number of financial cybercrimes to aid the North Korean state earlier this year, including cryptocurrency thefts and suspected ransomware adoption. These include the $600 Million Cryptocurrency Heist on Axie Infinity, and the $100 Million Crypto Heist on Harmony’s Horizon Bridge.

The increase in operations from this group may be to do with the North Korean economy shrinking once again, possibly forcing the country to lean more heavily on illegal methods of revenue. Pairing this with its already struggling economy, it is possible to see why they would turn to offensive cyber operations as a source of income.

As a result of this activity, the US has responded by offering $10 Million to any individual who can provide valuable intelligence on any of the operators within Lazarus Group; as North-Korea evidently see the advantages of using crypto-theft and possible ransomware operations in a pursuit on financial security.

Matt Hull, Global Head of Threat Intelligence at NCC group, said: “This month’s Threat Pulse has revealed some major changes within the ransomware threat scene compared to June, as ransomware attacks are once again on the up. Since Conti disbanded, we have seen two new threat actors associated with the group, Hiveleaks and BlackBasta, take top position behind LockBit 3.0. It is likely we will only see the number of ransomware attacks from these two groups continue to increase over the next couple of months”.

“Following two major cryptocurrency heists, Lazarus Group seem to be improving their crypto-theft and ransomware operations, so it is more important than ever to monitor their activity closely. Cryptocurrency organisations in the US, Japan and South Korea should remain on high alert.”