According to NCC Group’s threat intelligence team, the number of ransomware attack victims decreased in May representing the first decline in ransomware hack and leak cases since December 2021 – January 2022. In total, it observed 236 attacks in the month, an 18% decrease on the 289 attacks observed in April. A drop off in activity may be a result of Russia-based Conti’s step back from the ransomware scene, as well as its collaboration with smaller groups including Black Basta and Hive.

The most targeted sectors in May were industrials, making up some 31% of ransomware attacks, followed by consumer cyclicals (22%) and technology (12%).

NCC Group’s threat intelligence team states that it is likely that industrials will remain the most targeted sector. The diverse number of organisations operating within it makes it an attractive target for ransomware gangs, who seek to compromise company supply chains.

Lockbit 2.0 remained the dominant threat actor, accounting for 40% of attacks in May. Long the top threat actor, it gained even more prominence in May, with the gap between the number of attacks committed by Lockbit and attacks committed by the second top threat actor Conti widening. Of the other most prominent groups, Black Basta and Hive were both responsible for 17 attacks (7%). Black Basta first emerged in April, and in May NCC Group uncovered the group’s use of Qbot malware to infect systems and gain access to Windows domain credentials.

Conti is rumoured to have shut down after a series of internal politics matters in April and May. Security researchers suspect Black Basta and Hive to be working alongside Conti or functioning as a possible replacement for them, which would explain their position as top threat actors in May.