LockBit ransomware activity nosedived in October

LockBit, the largest and most prolific ransomware group in the world this year, saw its activity plummet last month.

Researchers with infosec consultancy GuidePoint Security say that during October, ransomware attacks attributed to LockBit were down 49%. The drop helped to drive a 7.3% overall decline in ransomware attacks for the month.

The GuidePoint monthly report showed the decrease was extremely top-heavy, and surges in activity from a number of smaller ransomware families helped to partially cancel out the decline from LockBit, which recently saw one of its members arrested in Canada.

Due to its dominance of the ransomware space, LockBit remains by far the most prolific ransomware-as-a-service (RaaS) operation even after its monthly lapse, still accounting for more than half of all reported infections in GuidePoint’s report.

Nic Finn, threat intelligence consultant at GuidePoint, told TechTarget Security that the decline is not likely to be due to any sort of internal strife or organizational problems at LockBit. Rather, it’s a product of decreased activity from the affiliate hackers that actually spread the malware.

Finn explained that while there’s no way to be sure what exactly caused the dip, one possible factor might be LockBit’s relatively stringent rules for affiliate hackers.

“LockBit has strict policies against running their tools against healthcare and against some certain countries,” Finn explained. “Some of these affiliates might not be getting a better deal, but they are transitioning towards organizations that let them target specific industries and get a better bounty.”

One point in support of this theory is a recent rise in attacks on healthcare companies. The sector climbed to the number two spot, behind manufacturing and ahead of education.

In addition to LockBit’s decreased activity, GuidePoint researchers also noticed an unusually high number of ransomware gangs go dark this month, with some groups shutting down their sites completely. Ransomware gangs that apparently shut down include Cheers, which emerged earlier this year, and Sparta, which first launched attacks just last month.

“It was definitely anomalous to have that many groups go offline at the same time,” said Finn. “It is one thing to go silent with their posts, but we saw a couple groups shut down their sites as well.”

Unfortunately, where attacks from LockBit and the other groups declined, GuidePoint reported that eight of the smaller RaaS operations increased their attacks by five or more victims for the month.

The GuidePoint team found that groups such as AlphV (up 79%), BlackBasta (32%) and BianLian (367%) all saw an increase in activity. This helped to keep attack rates fairly high and limited the overall dip in activity to just over 7%.

While the numbers could indicate changes in the ransomware landscape, one month is a very small sample size for analyzing activity; GuidePoint said that quarterly reports and larger time frames will provide a better picture of the landscape.
