ChannelLife Australia - Industry insider news for technology resellers

Ransomware attacks rise by 19% in October according to NCC Group

Mon, 25th Nov 2024

Ransomware attacks increased by 19% in October, totalling 486 incidents globally, compared to the 407 cases reported in September.

According to NCC Group's October Threat Pulse, RansomHub was the most active threat actor for the month, accounting for 14% of the attacks conducted by the top 10 groups. RansomHub's activities included a notable ransomware incident targeting a Mexican airport operator managing 13 airports, which forced the organisation to operate on backup systems, demonstrating the potential for considerable disruption to Critical National Infrastructure (CNI).

The Industrials sector remained the primary target of these attacks, representing 30% of reported cases, equivalent to 148 attacks. This sector saw a significant month-on-month increase, rising by 45 incidents compared to September's figures. Consumer Discretionary followed with 100 attacks, while Healthcare accounted for 55 cases.

The geographical distribution of attacks indicated that North America and Europe were the most affected regions, together encompassing 76% of global ransomware incidents. North America alone accounted for 56% (272 attacks), showing a notable increase from the 233 cases reported for the region in September. Russian state-sponsored threat actors were highlighted as active in the lead-up to the United States election, contributing to North America's high share.

Europe accounted for 20% of the attacks with 97 incidents. Asia saw a rise from 46 cases in September to 68 in October, while South America faced 20 attacks, one fewer than the previous month. Oceania experienced an increase to 14 cases from 8 in September, and Africa's figures remained unchanged with five recorded cases.

Highlighting the disruptive nature of ransomware, Casio experienced a ransomware attack on 8 October 2024. The electronics company confirmed that the Underground group, linked to the Russian cybercrime entity Storm-0978, was responsible for the attack. The breach resulted in unauthorised access to the personal information of employees, job candidates, and business partners, although no credit card information or critical services were compromised. System outages following the incident disrupted services and operations, particularly in Japan, impacting order processing and shipments.

The attackers employed a double-extortion strategy, encrypting and exfiltrating data before making ransom demands. While the exact entry point remained unknown, vulnerabilities such as CVE-2023-36884 in Microsoft Office were identified as potential entry points. Despite efforts to recover, Casio continued to struggle with system restoration and operations two weeks after the attack.

Matt Hull, Head of Threat Intelligence at NCC Group, provided his insights on the findings: "With material political events on the horizon in October, it's no surprise that we are witnessing an increase in the overall volume of cyber crime activity. Geopolitical motivations like the US election showed that nation states, such as Russia, continue to have heavy influence on global volume of cyber attacks. Overall, the consistent threat to Industrials as the most targeted sector, again highlights the necessity of vigilance for CNI."

He added: "The data shows that we are witnessing changing dynamics of the threat landscape, with nation-states and organised crime groups increasingly collaborating. As different threat actors leverage each other's resources, it is crucial for organisations to ensure that they're on top of fundamental security practices such as password management, endpoint security, and Multi-Factor Authentication."

Hull concluded by stating: "As demonstrated through the focus on CNI, attacks are becoming less random and more targeted to organisations that will experience maximum impact. Those who rely on 'up-time' and hold large amounts of intellectual property or personally identifiable information are high-value targets."
