BREAKING AT&T Data Breach: ‘Nearly All’ Wireless Customers Exposed in Massive Hack
Connect with us

Hi, what are you looking for?



LockBit Ransomware Again Most Active – Real Attack Surge or Smokescreen?

LockBit appears to once again be the most active ransomware group, but experts believe the hackers may just be inflating their numbers. 


The LockBit ransomware group has claimed a significant increase in attack volume in May 2024, which would once again make it the most active ransomware gang, a new report from NCC Group shows.

The LockBit ransomware operation was disrupted in February, when law enforcement agencies in North America, Europe, and Asia seized 34 servers, took over the gang’s Tor-based leak site, froze its cryptocurrency wallets, and collected technical information on the group’s infrastructure.

The US government has since announced a $10 million reward for information on LockBit leaders, charges against individuals associated with the gang, including alleged LockBit mastermind Dimitry Yuryevich Khoroshev, and the extraction of over 7,000 LockBit encryption keys.

In late February, the LockBit operators launched a new leak site, claiming they were able to restore some of the disrupted infrastructure, and continued targeting organizations worldwide, but at a much slower pace compared to pre-disruption levels.

In May, however, amid an overall increase in ransomware attacks globally (32% up month-on-month and 8% up year-on-year), LockBit apparently once again became the most prominent ransomware group, accounting for 176 attacks, or roughly 37% of all ransomware incidents, NCC Group reports. This represents a 665% increase in attack volume.

In comparison, the Play gang was the second most active ransomware group with 32 attacks and RansomHub claimed the third position with 22 attacks.

“It’s possible that amidst law enforcement action, LockBit not only retained its most skilled affiliates but also attracted new ones, signaling their determination to persist. Alternatively, the group might be inflating their numbers to conceal the true state of their organization,” NCC Group threat intelligence head Matt Hull said.

According to NCC Group, while threat actors continued to focus on entities in North America and Europe, the number of attacks against organizations in South America and Africa increased significantly in May, likely because these regions are used to test new malware and attack methods.

Advertisement. Scroll to continue reading.

Last month, the industrial sector was targeted the most, witnessing 143 attacks, and the technology sector came second, receiving 72 ransomware attacks.

Related: Interpol and FBI Break Up a Cyber Scheme in Moldova to Get Asylum for Wanted Criminals

Related: LockBit Takes Credit for City of Wichita Ransomware Attack

Related: Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

ICS and OT cybersecurity solutions provider TXOne Networks appoints Stephen Driggers as new CRO

Identity orchestration provider Strata Identity appoints Aldo Pietropaolo as Field CTO

Cybersecurity provider for the aviation industry Cyviation has appointed Eliran Almog as Chief Executive Officer.

More People On The Move

Expert Insights