Ransomware attacks jump as new malware strains proliferate, research finds

Ransomware cases increased 47 percent amid a rise in attacks involving new strains of malware from the LockBit cybercrime syndicate.

Ransomware cases jumped 47 percent amid a rise in attacks involving newer strains of malicious software infecting targets, according to the cybersecurity firm NCC Group.

Reported incidents increased to 198 in July from 135 in June, according to the firm, which issues semi-regular reports on ransomware activity by tracking websites that post victims’ details.

Just this week, ransomware attackers associated with LockBit, which has been deploying a potent new version of its malware, hobbled a French hospital, causing some patients to have to be redirected to other facilities.

LockBit was associated with 62 incidents in July, according to NCC Group, nearly 20 percent higher than its June total of 52 known incidents. LockBit remains “the most threatening ransomware group, and with which all organisations should aim to be aware of,” the company wrote.


Hive and BlackBasta are following LockBit in the number of reported attacks. Both of those groups have connections to Conti, once the most prolific ransomware group before a fracturing of sorts in the wake of the Russian invasion of Ukraine. Ransomware groups are made up of a core group of developers working with affiliates, with some splinter outfits working with multiple groups at a time.

NCC Group’s report also noted the continued activity of North Korean cyber criminals tracked broadly under the name Lazarus Group. In April, the group was tied to a $625 million cryptocurrency theft, and in early July a trio of U.S. government agencies warned that a separate North Korean effort was behind the Maui ransomware variant that has been seen attacking healthcare and public health organizations. In June, Lazarus Group was reportedly behind a separate $100 million theft on California-based Harmony’s Horizon Bridge.

Lazarus Group has, at times, become a catch-all for a flurry of distinct and nuanced North Korean cyber activity, ranging from extortion to espionage to cybercrime, cybersecurity firm Mandiant explained in a March analysis.

Nevertheless, Lazarus is a significant, ongoing threat, said Matt Hull, the global head of threat intelligence with NCC Group.

“Lazarus Group seem to be improving their crypto-theft and ransomware operations, so it is more important than ever to monitor their activity closely,” he said in a statement issued with the July report. “Cryptocurrency organisations in the US, Japan and South Korea should remain on high alert.”
