There was a 100% surge in ransomware activity from BlackCat, a cyber threat actor, in December. The group undertook the highest number of attacks in a single month. 

This is according to the latest Threat Pulse research report from NCC Group, which examines ransomware attacks during the last month of the year.

There were 269 ransomware attacks in December, a 2% increase compared to November (at 265 attacks). This increase contradicts the patterns observed in 2021 in which November — December experienced a decrease, attributed to a slowing down during the holiday period. The findings are close to reaching the highest number of ransomware victims since the peaks reached in March and April 2022, illustrating a major growth since the summer and autumn months, with a possible inclining trend on the horizon.

The report revealed data from other threat actors as well. Lockbit 3.0 regained its leading position accounting for 19% of attacks, followed by BianLain (12%) and BlackCat (11%). BianLain saw a 113% increase in ransomware activity December over November. Their programming language of choice is the rare ‘Golang’, and the group encrypts victim devices with alarming efficiency, making them a particularly dangerous variant.

Play — another threat actor first discovered in July 2022 — launched activity displaying a particular interest in the government sector with four victims (15%), rarely seen with ransomware groups due to the law enforcement crackdown that it incites. Additionally, threat actors BianLain are adopting a new approach to publishing on their leak sites — releasing victim names in stages, using asterisks or question marks as a censor. Researchers have seen two threat actors use this technique so far and say it may become a prominent feature of the hack and leak world in 2023.

The full report is available here.