Recent ransomware attacks were analyzed in a report by NCC Group. The volume of ransomware attacks remained at record highs with 352 attacks in April, the second-highest month on record, according to the report. April’s high level of activity, largely attributed to the top three threat actors, is only surpassed by March’s figures of 459 attacks, which was the result of Cl0p’s exploitation of the GoAnywhere MFT.

The top three most active threat actors, Lockbit 3.0, BlackCat and BianLian, were responsible for 58% of overall ransomware activity monitored in April. Lockbit 3.0, the most active threat group of 2023, launched 107 of the 352 attacks monitored, a 10% increase from March. BlackCat (50) and BianLian (46) increased their activity by 67% and 59% respectively. BlackCat’s attack on digital storage device giant Western Digital garnered significant attention, with the group claiming to have stolen 10 terabytes of data and demanding an 8-figure ransom.

Akira, a new ransomware player, made it into the top ten most active groups for the first time, targeting enterprises across a diverse range of industries, from construction through to real estate. Meanwhile, Ransomware-as-a-Service (RaaS) provider Cl0p reduced its activity by 98%, from 129 victims in March to 3 in April. This is likely the result of patches being applied for the GoAnywhere MFT zero-day vulnerability, which the group exploited and which contributed to the high number of victims in March.

North America was the target of half of April’s ransomware activity with 172 attacks (50%). Europe followed with 85 attacks (24%), then Asia with 34 attacks (10%). By sector, industrials (32%) was the most targeted in April with 113 attacks, followed by consumer cyclicals (11%) with 39 attacks and technology (11%) with 37 attacks.