Global ransomware attacks rose slightly in March compared to the previous month, as ransomware cabal RAGroup ramped up activity by more than 300%. However, overall activity declined 8% year-over-year, according to NCC Group’s latest ransomware report.

The cyber gang LockBit 3.0 kept its pole position as the most active cybercriminal force for eight months in a row. It was responsible for 20% of the total attacks in March.

The LockBit group was followed by the malicious threat group Play, with the report noting a 67% surge in Play activity between March and February. The threat groups Black Basta and Medusa rounded out the top five in March, chalking up 32 attacks and 22 attacks.

Threat actors focused on attacking technology organizations, which experienced a 41% uptick in attacks in the same period. Attacks against financial services firms rose 64%; healthcare was the third most targeted industry.

North America was the most targeted region in March, accounting for more than half (53%) of all attacks, followed by Europe with 29% and Asia with 9%.

Surge in RAGroup Ransomware

NCC Group analyst Dylan Gray explained one possible cause of RAGroup’s surge in activity. It could be a group restructuring or the influence of new members impacting the group’s workflow.

“It is entirely plausible that a cause for the surge in activity is something circumstantial such as a phishing campaign being more successful, resulting in more accesses gained than in previous months,” Gray said.

However, with so little data to go on – only one month’s anomalous activity – speculation is unlikely to benefit security teams. “Rather, we can continue to observe the group’s activity to see if March’s activity levels are the beginning of a new trend, or if they will return to their previous activity levels,” Gray said.

Should a group in the ransomware threat landscape run afoul of law enforcement efforts—as happened to LockBit 3.0 earlier this year—there is a potential for the overall ransomware threat landscape to experience a massive dip in activity. This would likely result in a temporary vacuum with surviving groups competing to recruit core members (i.e. operators) of the disrupted group, surviving operators banding together and using their experience to rebrand/form a splinter group, or ex-affiliates of the now disrupted group partnering with other ransomware operators.

“Such disruptions would cause only a temporary dip in global ransomware activity before inevitably returning to the trend we have observed over the last number of years of increasing activity levels,” Gray said.

Xen Madden, cybersecurity expert at Menlo Security, cautioned that the surge in RAGroup’s operations since December 2023 might not fully represent real-time activities. “A strategy that threat actors commonly use is that they delay publicizing victim data to amass a significant number of targets, a tactic that appears to be gaining popularity among cybercriminals,” Madden said.

This strategy not only inflates perceived threat levels but also manipulates the cybersecurity landscape by introducing sudden perceived increases in threat actor capabilities.

Defense Against Escalating Threats

Darren Guccione, CEO and co-founder at Keeper Security, said to defend against the rapid escalation in ransomware threats posed by established threat actors like RAGroup and Play, it’s crucial for organizations to implement a zero-trust security model to enhance their cybersecurity posture.

“When it comes to ransomware or any other cyber threat vector, the best offense is a good defense,” Guccione said. “A cybersecurity strategy and prudent investment are essential to prevent these types of cyberattacks because no organization is immune.”

A zero-trust security model with least privileged access and strong data back-ups will limit the blast radius if a cyberattack occurs, Guccione said. “Strong identity and access management at the front end will help prevent the most common cyberattacks that can lead to a disastrous data breach.”

A Dynamic Ransomware Landscape

The ransomware landscape has always been a dynamic and interesting world where groups come and go. “The emergence of new groups is typical in the cybercriminal ecosystem, where longevity can vary dramatically,” Madden said. “This is a routine aspect to monitor rather than a novel threat.”

However, when a new group emerges and makes a noticeable impact on the community by affecting either a significant number of businesses or a large business, it becomes clear.

“As far as LockBit goes, the community notes that many of LockBit’s recent victim disclosures may include outdated or duplicate data, suggesting possible operational difficulties, which has led to affiliate distrust,” Madden said t explained. “And what is a ransomware group without its affiliates?”

Photo credit: Dylan Calluy on Unsplash