
Lockbit, Conti Continue To Be The Two Most Prevalent Threat Actors In Ransomware Space


According to NCC Group’s December cyber threat pulse, there was a 37% decrease in ransomware victim numbers compared to November 2021, with the total number of victims falling from 318 to 200. This is a trend that NCC Group has seen in previous years, and it is likely that there is a seasonal component in the 37% decrease in victim numbers.

Of the decreased overall activity, Lockbit and Conti continue to be the two most prevalent threat actors in the ransomware space, with 47 and 32 attacks respectively in December.

Following PYSA’s explosive increase in activity in November, when the malware group conducted 60 attacks, its activity declined dramatically in December to just one attack. PYSA typically targets large or high-value finance, government and healthcare organizations, and its malware is capable of exfiltrating data and encrypting users’ critical files and data.

The PYSA activity decline is reminiscent of the decrease in activity of the threat actor Conti in September, after its extremely busy August. Therefore, this trend may indicate that PYSA has been focusing on victim communications and ransom collections in December as opposed to compromising new systems. NCC Group projects that PYSA will return to its usual frequency of operations in January, as Conti did in October. It’s also expected that ransomware activity will increase in early 2022 following exploitation of the Log4j vulnerability, discovered in December.

Both North America and Europe continued to be the most targeted regions in December, with 81 and 70 victims respectively. In Europe, the top three targeted countries were the UK, France and Italy with 25, 13, and 9 attacks respectively.

The industrials sector continues to be the most impacted sector by a considerable margin of 40%. Meanwhile, the other main industry impacted was consumer cyclicals – including automotive, housing, entertainment, and retail – which accounted for 27% of the attacks in December.

At the closing stages of 2021, a new ransomware operation emerged called ‘ALPHV’, or ‘BlackCat’, which is a strong candidate for the most advanced ransomware NCC Group has ever identified.

The group’s features include the use of the Rust programming language, which allows attacks to be customized, and an affiliate scheme in which the percentage fee taken as a cut depends on the level of the ransom demanded. The group uses a triple extortion approach that involves encryption, data publication and DDoS. It also uses an access key as a token in a GET parameter in attacks, which means that only the affiliated parties can access the negotiation chats as the key cannot be distributed.
