The number of ransomware attack victims decreased in May, according to NCC Group’s strategic threat intelligence team. In total, it observed 236 attacks in the month, an 18% decrease from the 289 attacks observed in April.


A decrease in activity may be a result of Russia-based Conti’s step back from the ransomware scene and its collaboration with smaller groups, including Black Basta and Hive. 


The most targeted sector in May was the industrial sector, making up some 31% of ransomware attacks, followed by consumer cyclicals (22%) and technology (12%). 


NCC Group’s threat intelligence team states that it is likely that the industrial sector will remain the most targeted. The diverse number of organizations operating within it makes it an attractive target for ransomware gangs, who seek to compromise company supply chains.


Lockbit 2.0 remained the dominant threat actor, accounting for 40% of attacks in May. Long the top threat actor, it gained even more prominence in May, with the gap between the number of attacks committed by Lockbit and attacks committed by the second top threat actor Conti widening. Of the other most prominent groups, Black Basta and Hive were both responsible for 17 attacks (7%). 


Spotlight on Conti

Conti is rumored to have shut down after several internal political matters in April and May. On 19 May, Conti News, the ransomware group’s official website, shut down, followed by resets of other major infrastructure channels such as chat rooms, messengers, servers and proxy hosts.


This may be the end of Conti’s current brand, opening a new chapter for the threat landscape. However, it is anticipated that it will use existing sub-groups operating under different names such as KaraKurt, Black Byte and Black Basta.

“Conti’s possible shutdown represents a significant change for the ransomware threat landscape and it cannot go ignored,” Matt Hull, global lead for strategic threat intelligence at NCC Group, says. Security researchers suspect Black Basta and Hive to be working alongside Conti or functioning as a possible replacement for them, which would explain their position as top threat actors in May.


“With similar sectors being targeted month on month now, it is vital that organizations at greatest risk,” — particularly those working within the industrial sector — “are well equipped to defend against ransomware attacks. But as ever, this is not only an issue for one sector. What we need is a cross-industry cybersecurity response to account for uncertainty and ensure protection across the board.”


Hull recommends that businesses familiarize themselves with tactics, techniques, and procedures associated with these threat groups to better understand how to protect against attack and the most appropriate security measures to implement.