The LockBit ransomware group has claimed a significant increase in attack volume in May 2024, which would once again make it the most active ransomware gang, a new report from NCC Group shows.
The LockBit ransomware operation was disrupted in February, when law enforcement agencies in North America, Europe, and Asia seized 34 servers, took over the gang’s Tor-based leak site, froze its cryptocurrency wallets, and collected technical information on the group’s infrastructure.
The US government has since announced a $10 million reward for information on LockBit leaders, charges against individuals associated with the gang, including alleged LockBit mastermind Dimitry Yuryevich Khoroshev, and the extraction of over 7,000 LockBit encryption keys.
In late February, the LockBit operators launched a new leak site, claiming they were able to restore some of the disrupted infrastructure, and continued targeting organizations worldwide, but at a much slower pace compared to pre-disruption levels.
In May, however, amid an overall increase in ransomware attacks globally (32% up month-on-month and 8% up year-on-year), LockBit apparently once again became the most prominent ransomware group, accounting for 176 attacks, or roughly 37% of all ransomware incidents, NCC Group reports. This represents a 665% increase in attack volume.
In comparison, the Play gang was the second most active ransomware group with 32 attacks and RansomHub claimed the third position with 22 attacks.
“It’s possible that amidst law enforcement action, LockBit not only retained its most skilled affiliates but also attracted new ones, signaling their determination to persist. Alternatively, the group might be inflating their numbers to conceal the true state of their organization,” NCC Group threat intelligence head Matt Hull said.
According to NCC Group, while threat actors continued to focus on entities in North America and Europe, the number of attacks against organizations in South America and Africa increased significantly in May, likely because these regions are used to test new malware and attack methods.
Last month, the industrial sector was targeted the most, witnessing 143 attacks, and the technology sector came second, receiving 72 ransomware attacks.
Related: Interpol and FBI Break Up a Cyber Scheme in Moldova to Get Asylum for Wanted Criminals
Related: LockBit Takes Credit for City of Wichita Ransomware Attack
Related: Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
