An analysis of ransomware attacks claimed to have been perpetrated by cybercriminal syndicates that was published today by NCC Group, a provider of managed security services, finds LockBit 3.0 has reemerged to claim the top spot amongst the most prominent threat actors.

Previously dormant following the groups’ takedown by law enforcement officials earlier this year, the group was responsible for 37% of all attacks in May, a 665% increase month-on-month (176).

The ransomware group known as Play was knocked to second position with 32 attacks (7%), while RansomHub maintained third position with 22 attacks (5%), a decrease of 19% month on month.

Overall, the number of reported ransomware attacks increased to 470 in May, a 32% month-on-month increase. However, reported ransomware attacks only increased 8% year-on-year.

Matt Hull, global head of threat intelligence for NCC Group, said the report suggests that Lockbit 3.0 has been able to recover quickly, most likely by relying on IT infrastructure that it has kept ready in the event law enforcement officials were able to disrupt its activities. Much like any business, the cybercriminal gangs running Lockbit 3.0 have contingency plans, he noted.

However, given the disruption of its services earlier this year, many of the claims may have occurred earlier than May, noted Hull. In effect, Lockbit 3.0 may simply be catching up with accounting, he noted.

Lockbit 3.0 also now has rivals that may have gained ground as a result of the intervention of law enforcement. Newcomers in the top 10 threat actors identified in the report include Arcus Media, Underground and DAn0N. In 8th position with 13 attacks (3%), Dan0N was initially spotted in April. Ranked 9th is Underground with 12 attacks (3%), while Arcus Media came in 10th place with 11 attacks.

Overall, more than three quarters (77%) of the reported ransomware attacks targeted organizations in North America and Europe with 77% of cases, continuing the trend for 2024. Despite overall attack numbers against victims in North America increasing by 11% since April, the proportion of total global attacks witnessed by the region decreased from 58% to 49%, while attacks in Europe increased by 65%.

The report also finds there has also been a significant increase in attacks in South America. Proportional attacks have increased from 5% to 8% month-on-month, an increase of 60%. Meanwhile, Africa’s share of global attacks increased from 3% in April to 8% in May, an increase of 167%.

Industrial companies remain the most targeted sector, having seen 143 attacks (30%) in May 2024, up from 116 in April. Despite increasing at a lower rate than the global total, 32% higher in May than April, its proportional share only dropped from 31% to 30%.

The technology sector, however, saw a significant increase in attacks, rising from 49 to 72 (47%) month-on-month, while the consumer cyclicals sector experienced a slight decrease in attacks, dropping from 62 in April to 59 in May.

Regardless of how many cybercriminal syndicates there are, Lockbit 3.0 remains popular with its affiliates because as a platform it provides a set of services that in addition to being easier to use are readily accessible, noted Hull. Many of the rival syndicates are more selective when it comes to allowing affiliates to use their platform to launch ransomware attacks, he noted.

The challenge is not to be discouraged by the reemergence of Lockbit 3.0 as much as it is to find ways to extend the success of previous efforts to disrupt these networks, he added.

In the meantime, organizations should assume that ransomware platforms will come and go, but the number of affiliates willing to use these platforms to launch ransomware attacks is only likely to continue to increase.