cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

The weekly ransomware report, Friday, 23 February

Ransomware incidents drop drastically, and not just because LockBit is out of the picture.

user icon David Hollingworth
Fri, 23 Feb 2024
The weekly ransomware report, Friday, 23 February
expand image

The big news in ransomware this week isn’t an attack or even lots of attacks – it’s the takedown of the most prolific ransomware group in the world, LockBit.

A Europol-led investigation seized the gang’s infrastructure, made a handful of arrests, and then used the group’s own darknet leak site as a media centre to talk up the operation. Wild stuff, and of course, it’s already had an impact on global ransomware activity.

Attacks this last week were down from 119 in the previous seven days to 51 – a 62 per cent drop.


Now, of course, this is in part because LockBit’s no longer making numbers – the gang was responsible for a third of all attacks last week and has been the number-one operator for some time. But no more. The top spot this week falls to Hunters International, with 11 attacks, making up 22 per cent of the global total.

But that’s not the whole picture, as pretty much every ransomware group was far less active this week. Black Basta picks up second with eight attacks, followed by Akira, ALPHV, and 8Base with four incidents apiece. A few new entrants in the top five this week, but both ALPHV and Hunters had lower numbers this week.

Not sure what to make of it – did some of the gangs see the writing on the wall for LockBit and decide to lay low? Unlikely, but something seems to have been off this week across the board.

What’s really fascinating, though, is despite LockBit’s takedown, the tracked threat actors this week have actually risen by one to 58 – that means two new ransomware groups have emerged.

The first is Mogilevich, which claimed the scalp of US vehicle manufacturer Infiniti on 20 February. The next new group is Trisec; it claims to have exfiltrated data from Toyota Ireland and posted a ransom demand on 17 February. We’ll be trying to learn a little bit more about these new criminals on the block next week.

Looking at the longer trend lines, the rolling three-month figure is continuing to trend upward, with 45 per cent more attacks observed for that period, while the three-month trend remains downward. It’s going to be interesting to see the impact of the biggest player on the field being taken off in the month to come.

The good old US of A remains the most attacked country again, a trend we cannot see changing any time soon. It’s simply a very big target, and with so many Russian groups operating with the blessing of the Kremlin, it’s no surprise that America is a prize worth taking. It’s also the largest economy in the world, so it’s also a juicy one.

It’s worth noting that the second-largest economy, China, never shows up in this reporting – the Great Firewall of China really works, apparently.

Australia is in the top five again, sadly, with three attacks in the last seven days – we’re investigating all of them.

The UK is third with three attacks, and France and Italy round out the top five with two incidents each.

The manufacturing sector was the most targeted this week, with five ransomware victims coming from this sector. IT services is next, dealing with four attacks, with construction, machinery manufacturing, and real estate rounding things out. Each sector saw three organisations fall victim to a ransomware attack.

This week goes to show that even ransomware operators have good weeks and bad weeks. LockBit arguably had the worst week of all, but every gang was less active in the last seven days. I suspect trends are going to be hard to spot on a weekly basis, as they only become clearer at the macro level – which makes sense, I guess.

Still, it’s amazing to see the impact of LockBit’s dissolution. That said, will they be down for long? ALPHV, the fourth-most active player this week, had its darknet infrastructure seized late last year, set itself back up, and was then taken down again in January. But the gang is still claiming victims.

Will LockBit rise from the ashes as LockBit 4.0? Watch this space.

Just the numbers

Fifty-one attacks in the last seven days, down 62 per cent from last week.

Most active threat actors

Hunters International – 11, twenty-two per cent of the total
Black Basta – 8
Akira – 4
8BASE – 4

Top countries impacted

USA – 33 organisations targeted
Australia – 3
UK – 3
France – 2
Italy – 2

Top industries targeted

Manufacturing – 5
IT services – 4
Construction – 3
Machinery manufacturing – 3
Real estate – 3

A total of 4,244 ransomware findings so far this year, and 58 threat groups tracked.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.