NCC Group Sees Downward Ransomware Trend

March 4, 2022

NCC Group’s Strategic Threat Intelligence team has identified that ransomware attacks decreased by 36.6% in January compared to December 2021, with the number of victims falling from 191 to 121.

While there was an overall increase of 92.7% in 2021, the downward trend in ransomware attacks persisted from the November 2021 period. The team predicted that this decrease is likely consistent with a continued seasonal reduction in ransomware behaviour, a trend that is similar to previous years.

Threat actors

When focusing on key threat actors, Lockbit 2.0 remains a persistent contributor to the ransomware threat landscape. From December 2021 to January 2022, it was the most consistent threat actor with only a 12.8% decrease in hack & leak victims, compared to the 36.6% decrease in overall cases.

Lockbit 2.0’s most targeted sector was industrials, accounting for 31.7% of their victims, with an increased focus on professional and commercial services which made up 19.5% of its total victims.

In contrast, the NCC Group team found that Conti, a usually prevalent threat actor, saw a 65.6% decrease in victims. Despite the decrease in activity in January, the threat group’s most targeted sectors remained consistent with December. The group predominantly attacked consumer cyclicals, accounting for 45% of its victims, followed by industrials, accounting for 27%.


Overall, the industrials sector remained the most targeted sector for ransomware attacks, making up 24.7% of attacks, followed by consumer cyclicals, which made up 22.3%. NCC Group analysis suggests that despite a decline in attacks in the prominent industrials sector, from 39.7% in December, this and consumer cyclicals are still perceived as highly attractive targets.


Both North America and Europe continued to be the most targeted regions. However, in contrast to the usual trend of Europe having less attacks, these two regions suffered an almost equal number of attacks, with 53 and 51 incidents respectively. The two regions accounted for 86% of total ransomware attacks, and the NCC Group team proposed that the change in trend was a result of less attacks occurring overall in January. Globally, the top three targeted countries remain the US, UK and France, with 47, 12, and 11 incidents respectively.

Spotlight on NightSky

The start of 2022 saw a new ransomware variant enter the arena, NightSky, which targets corporate networks for financial gains. The ransomware operator, which NCC Group believes to have been active since December 2021, has adopted the popular practice of double extortion, which involves data encryption followed by threats to the victim of leaking the exfiltrated data, to increase the likelihood of payment.

The group has announced a small number of victims in January already, mainly in Asia (Japan and Bangladesh). In terms of the techniques and practices, Microsoft has issued a warning regarding a China based ransomware operator exploiting the Log4Shell vulnerability to gain access on VMware Horizon systems. Following that, the group deploys the NightSky ransomware to encrypt the victim’s files and proceed with its extortion practices.

These effective and well tested methods of attack suggest that NightSky is yet another threat actor that organisations need to defend against, and NCC Group will continue to monitor it in the coming months.

Matt Hull, cyber threat intelligence manager at NCC Group, said: “It is always a positive to see that ransomware attacks are continuing to decrease. However, organisations must remain vigilant. Highly targeted sectors should ensure that they have adequate ransomware mitigations in place.

“Similarly, the partial dip in activity from groups such as Conti should not be inferred as a decreased threat, as it is likely that its activity will increase in proportion with its peers in the coming months.

“It’s interesting to see the regional differences in January compared to December, with almost the same number of attacks in North America and Europe. By analysing the most prominent sectors in each region we can better understand which sectors are likely to be targeted in coming months and narrow our focus of preventive measures.”

While this report focuses on January activity, NCC Group’s Strategic Threat Intelligence team is monitoring the developing situation in Russia and Ukraine and will provide any updates from a cyber-attack perspective to our customers to help inform risk management decisions.

Terms of Use | Copyright © 2002 - 2022 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement