The latest NCC Group research shows ransomware attacks nearly doubled in 2021 with the Conti gang the most prevalent threat actor.

According to the NCC Group’s 2021 Annual Threat Monitor, ransomware attacks jumped almost 93% year over year. Attacks totaled nearly 2,700, compared to fewer than 1,400 in 2020.

This builds on a gradual, but noticeable rise in ransomware attacks since the COVID-19 pandemic began. Ransomware accounted for more than 65% of all incidents dealt with by NCC Group’s global cyber incident response team (CIRT) in 2021.

Throughout the year, attacks were most commonly targeted at the public and industrial sectors, followed by consumers.

The most consistently targeted regions during 2021 were North America and Europe, accounting for 53% and 30% of all attacks, respectively. These regions are densely populated with wealthy organizations. That provides an incentive to threat actors that employ a big-game-hunting methodology. This involves targeting larger enterprise companies knowing they can afford to pay higher ransoms.

Small Number of Ransomware Groups Dominating

Ian Usher is NCC Group‘s deputy global practice lead of strategic threat intelligence.

NCC Group’s Ian Usher

“The dominance of a small number of ransomware groups was somewhat surprising,” he said. “We were expecting a reduction in activity following the international law enforcement attention on ransomware following the high-profile Kaseya and Colonial pipeline incidents. There was a significant drop in activity in June and July, but then we saw Lockbit 2.0 return to the scene, and they and Conti have since dominated the landscape.”

Conti, a Russia-based global threat actor that emerged in 2017, represented 18% of all attacks across the past two years. In line with the general trends, the industrial sector was Conti’s main target. Similarly, in line with general trends, North American businesses topped Conti’s list of targets followed by Europe.

“We reported on the Conti ransomware group in [the third quarter] of 2021 after getting the opportunity to assess leaked playbooks and training materials associated with this group,” Usher said. “What we identified was an operation being run very much like a business enterprise, with thorough recruitment and training processes. This material did not reveal any novel techniques or procedures, so the prominence can only really be attributed to the scale of the operation, which is made possible by the business model.”

Lockbit 2.0 Also Noteworthy

Elsewhere, another notable group that highlighted the changing nature of the vulnerability landscape was the Lockbit threat actor. After a brief hiatus and metamorphosis into Lockbit 2.0 in June 2021, the group became one of the biggest contributors to double extortion ransomware in 2021. It accounted for more than 16% of the entire year’s ransomware cases. This contrasts their activity in 2020, in which they were absent from the list of the top 10 threat actors.

“After a turbulent year for ransomware operators, we’re seeing similar patterns,” Usher said. “In January 2022, we observed a 36.6% decrease in ransomware attacks compared to the month before. But despite this, we also saw significant ransomware-related incidents in Europe. On Jan. 29, ransomware crippled the IT systems of 17 European oil ports, affecting dozens of terminals, oil storage and global transport operations. The targeting of other major critical infrastructures at Zurich Swissport has raised additional concerns around the threats to European businesses, particularly as the EU navigates Russian-Ukrainian tensions. We expect to see ransomware continue to dominate the threat landscape and further international law enforcement efforts aimed at the groups causing the greatest problems.”