Ransomware attacks in November rise 67% from 2022

Dec. 21, 2023
As the third most active month of the year, ransomware levels in November have taken the total number of global ransomware attacks to 4,276 cases so far.

  • Total ransomware cases up 30% from October
  • Industrials (33%), Consumer Cyclicals (18%), Healthcare (11%), remain most targeted sectors
  • North America (50%), Europe (30%) and Asia (10%) continue to be top three targeted regions

Global levels of ransomware attacks rose 30% in November, with a total of 442 attacks, following a lower volume of attacks in October (341) according to NCC Group’s November Threat Pulse.

As the third most active month of the year, ransomware levels in November have taken the total number of global ransomware attacks to 4,276 cases so far, surpassing predictions that the total figure would hit 4,000 with one month of 2023 still to go.

Industrials sector continues to be hardest hit

Following the trends witnessed across the year so far, Industrials was the most targeted sector in November, with 146 (33%) of all attacks, marking a 28% increase from October (114 attacks).

The data reveals that Industrials continue to be prime targets for the breadth and diversity of organizations in the sector and their vast amounts of PPI and IP data. As Industrials are focused on digitalization to enhance efficiency and productivity, there is a greater risk of ransomware attacks.

Consumer Cyclicals is the second most targeted sector with 78 (18%) of attacks, with Healthcare also holding its third place spot from October with 50 (11%) of attacks. Another month of high levels of ransomware for healthcare indicates a concrete shift in the threat landscape for the sector.

LockBit remains a dominant player

In November, LockBit was the most active threat actor, with a 73% month-on-month increase in activity from 66 attacks recorded in October. Data from across this year shows that LockBit has maintained its position as the most prominent threat actor, except in the months March, June and July when CLOP’s mass exploitation of GoAnywhere and MOVEit vulnerabilities put them in top spot.

BackCat takes second place in November with 49 (11%) of attacks and a month-on-month increase of 58%. Play drops down from the 2nd most active group in October to third in November, responsible for 10% of all attacks. November’s data marks the most active month for Play recorded by NCC Group. The top three threat actors in November were in total responsible for 206 (47%) of all attacks.

Ransomware attacks in Europe rise

As expected, Europe and North America witnessed with majority of attacks in November. Consistent with this year’s trends, North America remains the most targeted region with 219 (50%) of attacks.

Ranking the second most targeted region, Europe witnessed 135 (31%) of attacks, an increase by 36 following 99 attacks in the region in October. Asia took third place with 46 (10%) attacks and overall, November saw an increase (from 3 to 7) in the number of undisclosed targets, meaning unrevealed regions.

Spotlight – The return of Carbanak

November saw a return of the well-known banking malware Carbanak in ransomware attacks. First emerging in 2014, Carbanak malware has been used by ransomware gangs to infiltrate financial systems by deploying advanced phishing techniques to compromise bank employees. The malware allows threat groups to gain access to networks through human entry points, and criminals to take control of payment processing services.

Carbanak’s popularity had fallen until November, but last month’s use of the malware returned having evolved over recent years. The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness. Carbanak retuned last month through new distribution chains and has been distributed through compromised websites to impersonate various business-related software. Imposters in November included the CRM platform HubSpot, data management software Veeam and account tool Xero.

Matt Hull, Global Head of Threat Intelligence at NCC Group said: “After a dip in ransomware levels in October, the return to another active month in November brings the total number of ransomware attacks in 2023 beyond what we predicted. With one month of the year still to go, the total number of attacks has surpassed 4,000, which marks a huge increase from 2021 and 2022, so it will be interesting to see if ransomware levels continue to climb next year.

“As we’re nearing the end of the year, it’s important for businesses to remain prepared and not become complacent. In the lead up to Christmas, ransomware groups are typically active to push profits before taking a somewhat break over the festive period. As we look to the new year, with the Industrials sector in particular remaining the most attractive sector for ransomware gangs, cybersecurity must be a key priority for the industry to improve supply chain resilience.”