Ransomware, Security Staff Acquisition & Development

Ransomware boom hits all-time high

Ransomware boom hits all-time high

Incidents of reported ransomware attacks hit an all-time high in September with more threat actors joining the criminal fray in a double-extortion blitz against a mix of organizations.

The uptick represents a year-over-year 153% increase in ransomware attacks, according to the NCC Group (PDF). Researchers tracked 514 September attacks, besting July's total of 502. The uptick in reported incidents represent a 76% increase in the number of double-extortion ransomware attacks where adversaries exfiltrate sensitive data, encrypt it on the victim-controlled assets and eventually disclose data publicly on illicit online forums.

New gangs emerge, an old hand goes quiet

The geographical targeting of September’s attacks followed a similar pattern to previous months: North American organizations were the most popular target, attracting 50% of attacks, followed by Europe with 30%, and Asia with 9%.

The most prolific attacker in September was LockBit 3.0 (which carried out 79 attacks), followed by newcomer LostTrust (53 attacks), BlackCat (47), and another newcomer, RansomedVC (44).

Notably missing from September’s list was the Cl0p cybergang, which is believed responsible for a spate of  MOVEit attacks earlier this year.


“Cl0p would typically feature in at least the top 3 threat actors for activity in the month, however, as we alluded to in the August Threat Pulse, Cl0p kept a significantly lower profile with just three victims that month and have now completely vanished from our dataset in September,” NCC Group said.

RansomedVC makes a big early impression

One September newcomer is a crime group dubbed RansomedVC (also known as ransomed[.]vc or Ransomed). The ransomware gang emerged August and is credited for a string of attacks including a recent breaches of Sony Systems, the District of Columbia Board of Elections and claims to have compromised Colonial Pipeline — an allegation the company refutes.

“Ransomed has also added a slight twist to their extortion method by stating that any vulnerabilities found in their targets’ networks would be reported under Europe’s General Data Protection Regulation (GDPR),” NCC’s researchers said.

Click for more special coverage

European organizations face hefty fines for data breaches and can also be required to pay compensation to affected individuals. NCC said RansomedVC’s GDPR threats were an attempt to put additional pressure on its victims to pay its ransom demands.

Two other recently discovered threat groups NCC observed ramping up their ransomware activities in September were Cactus and Trigona.

Cactus was first identified around March and was known to target high-profile commercial entities via exploiting known vulnerabilities in VPN appliances to gain initial access, the researchers said.

Trigona appeared to have been around since at least June 2022 and tended to target compromised Microsoft SQL servers using brute force methods.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.