NCC Group Sees Downward Ransomware
March 4, 2022

NCC Group’s Strategic Threat Intelligence team has identified that
ransomware attacks decreased by 36.6% in January compared to December
2021, with the number of victims falling from 191 to 121.

While there was an overall increase of 92.7% in 2021, the downward trend
in ransomware attacks persisted from the November 2021 period. The team
predicted that this decrease is likely consistent with a continued
seasonal reduction in ransomware behaviour, a trend that is similar to

When focusing on key threat actors, Lockbit 2.0 remains a persistent
contributor to the ransomware threat landscape. From December 2021 to
January 2022, it was the most consistent threat actor with only a 12.8%
decrease in hack & leak victims, compared to the 36.6% decrease in

Lockbit 2.0’s most targeted sector was industrials, accounting for 31.7%
of their victims, with an increased focus on professional and commercial
services which made up 19.5% of its total victims.

In contrast, the NCC Group team found that Conti, a usually prevalent
threat actor, saw a 65.6% decrease in victims. Despite the decrease in
activity in January, the threat group’s most targeted sectors remained
consistent with December. The group predominantly attacked consumer
cyclicals, accounting for 45% of its victims, followed by industrials,
accounting for 27%.

Overall, the industrials sector remained the most targeted sector for
ransomware attacks, making up 24.7% of attacks, followed by consumer
cyclicals, which made up 22.3%. NCC Group analysis suggests that despite
a decline in attacks in the prominent industrials sector, from 39.7% in
December, this and consumer cyclicals are still perceived as highly

Both North America and Europe continued to be the most targeted regions.
However, in contrast to the usual trend of Europe having fewer attacks,
these two regions suffered an almost equal number of attacks, with 53
and 51 incidents respectively. The two regions accounted for 86% of
total ransomware attacks, and the NCC Group team proposed that the
change in trend was a result of fewer attacks occurring overall in
January. Globally, the top three targeted countries remain the US, UK
and France, with 47, 12, and 11 incidents respectively.

Spotlight on NightSky

The start of 2022 saw a new ransomware variant enter the arena, NightSky,
which targets corporate networks for financial gains. The ransomware
operator, which NCC Group believes to have been active since December
2021, has adopted the popular practice of double extortion, which
involves data encryption followed by threats to the victim of leaking
the exfiltrated data, to increase the likelihood of payment.

The group has announced a small number of victims in January already,
mainly in Asia (Japan and Bangladesh). In terms of the techniques and
practices, Microsoft has issued a warning regarding a China-based
ransomware operator exploiting the Log4Shell vulnerability to gain
access on VMware Horizon systems. Following that, the group deploys the
NightSky ransomware to encrypt the victim’s files and proceed with its

These effective and well-tested methods of attack suggest that NightSky
is yet another threat actor that organisations need to defend against,
and NCC Group will continue to monitor it in the coming months.

Hull, cyber threat intelligence manager at NCC Group, said: “It is
always a positive to see that ransomware attacks are continuing to
decrease. However, organisations must remain vigilant. Highly targeted
sectors should ensure that they have adequate ransomware mitigations in

“Similarly, the partial dip in activity from groups such as Conti should
not be inferred as a decreased threat, as it is likely that its activity
will increase in proportion with its peers in the coming months.

“It’s interesting to see the regional differences in January compared to
December, with almost the same number of attacks in North America and
Europe. By analysing the most prominent sectors in each region we can
better understand which sectors are likely to be targeted in coming
months and narrow our focus of preventive measures.”

While this report focuses on January activity, NCC Group’s Strategic
Threat Intelligence team is monitoring the developing situation in
Russia and Ukraine and will provide any updates from a cyber-attack
perspective to our customers to help inform risk management decisions.