The NCC Group witnessed a 5% decrease in ransomware attacks in 2022. The 2022 Annual Threat Monitor Report found that although there were slightly less attacks than 2021, there was a surge in ransomware attacks between February and April, coinciding with the start of the Russia-Ukraine conflict when threat actor LockBit ramped up activity.

The report details the events of 2022 and their impact on the cyber threat landscape, providing an overview of incidents across all sectors and highlighting global trends.

Threat actor turbulence

  • LockBit claimed the ‘top spot’ for most active threat actor in 2022, responsible for 33% of all monitored ransomware attacks (846), a 94% increase on its 2021 activity (436 attacks). The group’s activity peaked in April with 103 attacks, ahead of the launch of a new ransomware software and rebrand to LockBit 3.0.
  • BlackCat accounted for 8% of the total attacks in 2022. With a quiet start in December 2021 (4 attacks), the group went on to average 18 attacks each month, with a peak of 30 incidents in December 2022.
  • Leading threat actor of 2021 Conti reduced attack levels to 7% of all recorded (21% in 2021), with no attacks monitored from June onwards. This reduction in activity coincided with the introduction of new group BlackBasta, believed to be associated with — or a replacement for — Conti. 


  • North America and Europe suffered the most ransomware attacks in 2022. North America bore the brunt, with 44% of all incidents (1,106), a 24% decrease on 2021’s figures (1,447).
  • Europe observed 35% of all incidents, with an 11% increase in attack numbers, witnessing 896 in 2022 as compared to 810 in 2021. It was potentially influenced by surges in activity associated with the Russia-Ukraine conflict in the first half of the year.

The full report is available here.