A red lock representing cybersecurity is being destroyed.
Image: Ar_TH /Adobe Stock

You don’t need a ticket to the NYC Metropolitan Opera House to hear this refrain: DDoS, ransomware, botnets, and other attacks are on the rise. Actually, it might help, as the NYC Met Opera’s recent case of malware is emblematic of the growth trend.

According to NCC Group’s Global Threat Intelligence team, November saw a 41% increase in ransomware attacks from 188 incidents to 265. In its most recent Monthly Threat Pulse (you can subscribe to the downloadable report here), the group reported that the month was the most active for ransomware attacks since April this year.

Jump to:

Key takeaways from the study

  • Ransomware attacks rose by 41% in November.
  • Threat group Royal (16%) was the most active, replacing LockBit as the worst offender for the first time since September 2021.
  • Industrials (32%) and consumer cyclicals (44%) remain the top two most targeted sectors, but technology experienced a large 75% increase over the last month.
  • Regional data remains consistent with last month — North America (45%), Europe (25%) and Asia (14%)
  • DDoS attacks continue to increase.

Recent examples in the services sector include the Play ransomware group’s claimed attack of the German H-Hotels chain, resulting in communications outages. This attack reportedly uses a vulnerability in Microsoft Exchange called ProxyNotShell, which as the name implies, has similarities to the ProxyShell zero-day vulnerability revealed in 2021.

Also, back on the scene is the TrueBot malware downloader (a.k.a., the silence.downloader), which is showing up in an increasing number of devices. TrueBot Windows malware, designed by a Russian-speaking hacking group identified as Silence, has resurfaced bearing Ransom.Clop, which first appeared in 2019. Clop ransomware encrypts systems and exfiltrates data with the threat that if no ransom is forthcoming, the data will show up on a leak site.

Industrial sector takes the biggest hit from cyberattackers

The industrial sector, from consultancies to major manufacturers, accounted for 31% of all ransomware victims in November, per NCC, making it the most favored target for attackers, with 63–83 incidents during November.

Most recently, on Wednesday, Dec. 21, multinational steel giant ThyssenKrupp AG, in Germany, announced that both its headquarters and materials science division were attacked. This is just the most recent attack against the steel giant, which has been the target of data exfiltration, ransomware and other exploits dating back at least to 2014 when a Russian cyber-espionage attack damaged a blast furnace.

SEE: One in three organizations now hit by weekly ransomware attacks (TechRepublic)

The most targeted industrial verticals were professional and commercial services, machinery, tools, heavy vehicles, trains and ships, and construction and engineering. Notably, the professional and commercial services sector saw a 50% increase in attacks.

The study surmised that the increase may reflect a tactical focus less on operational disruption and more on data exfiltration and extortion.

Consumer and tech sectors experience increase in cyberattacks

Consumer cyclicals, including areas like automotive housing entertainment, was the second most targeted industrial sector, with a 44% increase in attacks versus October. And technology sectors were the third most targeted vertical, with a 75% increase in attacks from October. Victims in software and IT were most targeted, experiencing a 186% increase versus the month before.

“The prominence of attacks in software and IT is likely due to the supply chain compromise opportunities presented by these organizations,” said the study. “In addition, the intellectual property that many software and IT services orgs hold can be an attractive target for data exfiltration and extortion.”

The paper predicted continued focus on this sector by hackers.

Threat actors Royal and Cuba rise above LockBit in activity

The Royal and Cuba ransomware strains, constituting 16% and 15% of all cyberattacks, led the hacker pack, replacing LockBit 3.0 as the worst threat actor during the prior month. LockBit 3.0 contributed to 12% of attacks this month. Cuba has demanded over $60 million, with 40 attacks in November alone. The other major actors were Medusa, BlackCat, LV, Bianlian, Onyx, Vicesociety and Hive.

Royal headache from upstart ransomware strain

The study reported that the Royal ransomware strain, which appeared in January, 2022, was responsible for 43 of the 265 hack and leak incidents recorded in November. It targets Windows systems with a 64-bit executable written in C++. Files are encrypted with the AES standard and appended with the .royal extension.

SEE: Healthcare systems face a “royal” cybersecurity threat from new hacker group (TechRepublic)

Also distributed by the group DEV-0569, the Royal strain uses malvertising and phishing for initial access, with payloads leading to Batloader backdoor malware. The NCC study pointed to a Microsoft report noting the malware’s use of contact forms on specific company websites to deliver phishing links.

The Microsoft report also warned of Royal’s potential to be used as its own infiltration vehicle for hire, given that ransomware groups are also using the Royal strain already.

NCC reports an increase in DDoS disruptions

NCC’s report shows growth in DDoS attacks, which having decreased in 2021, are once again going strong — a trend the organization predicts will continue. Attacks actually reached an all-time high in Q1 this year.

“We recommend that all organizations familiarize themselves with their defensive infrastructure and assess if there’s a role for anti-DDoS mitigation tools,” the report said.

All told, there were 3,648 DDoS attacks in November, per the study, with the U.S. the most targeted country with 1,543 attacks, or 42% of all total observed DDoS attacks. NCC speculates that, beyond the U.S. being the most targeted country for attacks generally, the size of its threat surface, and unmitigated geopolitical tensions, the U.S. political midterms could have driven a spike in attacks.

SEE: Distributed denial of service (DDoS) attacks: A cheat sheet (TechRepublic)

China fell from the second most targeted DDoS victim to the seventh, from 150 events in October to 104, per the study, which reported France and Germany in the top three, going from 136 attacks each in October to 212 and 183 attacks in November, accounting for 6% and 5% respectively.

According to NCC, most November attacks lasted between two and five minutes. However, because a small number of attacks lasted for days, the average duration of an attack was skewed upward to 705 minutes.

Four of the attacks of longest duration in November targeted entities in the U.S.:

CountryAttack Duration
U.S.5.79 days
U.S.4.17 days
Germany2.92 days
U.S.1.46 days
U.K.1.04 days
U.S.24 hours
The Netherlands24 hours
Australia24 hours
The Netherlands24 hours

Defense is the best defense

Proactivity is key, and businesses should, at the very least, be taking a few human capital-centric steps to defend against attacks, according to an Immersive Labs poll of 35,000 cybersecurity experts. They include:

  • Organize IT teams and streamline responses, making sure everyone is on the same page
  • Make sure teams can adapt quickly to changing threats, including reducing analysis and reaction time
  • Ensure teams know the relevant operational programming languages at play
  • Bring in new talent

Looking for a streamlined, low-cost course to boost your cybersecurity skills? Watch this video to learn more about DDoS attacks and how to protect or operate from them. And then, learn how you can add cybersecurity skills to your IT career for $50.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday