NCC : Monthly Threat Pulse – December 2021

• 37% decrease in ransomware victim numbers compared to November
• North America and Europe continued to be the most targeted regions in December, with 81 and 70 victims respectively.
• Industrials most targeted sector by 40% margin
• Closing stages of 2021 saw a new ransomware operation emerge called 'ALPHV', or 'BlackCat'

NCC Group's Strategic Threat Intelligence team has identified a considerable decrease in ransomware attacks in December 2021, with the total number of victims falling from 318 to 200. This is a trend that NCC Group has seen in previous years, and it is likely that there is a seasonal component in the 37% decrease in victim numbers.

Of the decreased overall activity, Lockbit and Conti continue to be the two most prevalent threat actors in the ransomware space, with 47 and 32 attacks respectively in December.

Following PYSA's explosive increase in activity in November, when the malware group conducted 60 attacks, its activity has dramatically declined in December to just one attack. The threat actor, which typically targets large or high-value finance, government and healthcare organisations, is a malware capable of exfiltrating data and encrypting users' critical files and data.

The PYSA activity decline is reminiscent of the decrease in activity of the threat actor Conti in September, after its extremely busy August. Therefore, this trend may indicate that PYSA has been focusing on victim communications and ransom collections in December as opposed to compromising new systems. NCC Group projects that PYSA will return to its usual frequency of operations in January, as Conti did in October. It's also expected that ransomware activity will increase in early 2022 following exploitation of the Log4j vulnerability, discovered in December.

Both North America and Europe continued to be the most targeted regions in December, with 81 and 70 victims respectively. In Europe, the top three targeted countries were the UK, France and Italy with 25, 13, and 9 attacks respectively.

The industrials sector continues to be the most impacted sector by a considerable margin of 40%. Meanwhile, the other main industry impacted was consumer cyclicals - including automotive, housing, entertainment, and retail - which accounted for 27% of the attacks in December.

Spotlight on ALPHV/BlackCat

At the closing stages of 2021, a new ransomware operation emerged called 'ALPHV', or 'BlackCat', which is a strong candidate for the most advanced ransomware NCC Group has ever identified.

The group uses features such as its 'Rust' programming language, which allows attacks to be customised, and using an affiliate scheme with the percentage fee as a cut depending on the level of the ransom demanded. The group is using a triple extortion approach which involves encryption, data publication and DDoS. It also uses an access key as a token in a 'GET parameter' in attacks, which means that only the affiliated parties can access the negotiation chats as the key cannot be distributed.

These sophisticated features are just a few examples of why ALPHV/BlackCat is another dangerous addition to the ransomware landscape.

As we continue to monitor its movements closely it is clear that ALPHV/BlackCat is a group to be cautious of in 2022.

Keep up to date with our latest insights
Join our next Threat Monitor Webinar to get exclusive insights into the emerging advances in threat landscape. Sign up here.