Ransomware attacks are roaring back.
LockBit’s crew alone bagged 62 victims last July. That’s ten more than June. More than twice the runners-up combined. Pathetic, right? NCC Group’s data—scraped straight from leak sites—paints a grim picture. These clowns aren’t innovating; they’re just grinding harder.
“Lockbit 3.0 maintain their foothold as the most threatening ransomware group,” the authors wrote, “and one with which all organizations should aim to be aware of.”
Hiveleaks? Twenty-seven attacks. BlackBasta? Twenty-four. Both exploding—Hiveleaks up 440% from June, BlackBasta 50%. Coincidence? Hardly. Total campaigns hit 198. Up 47%. Still shy of spring’s 300-peak frenzy, but who’s counting?
Why the Hell Is Ransomware Bouncing?
Blame Uncle Sam. May’s $15 million bounty on Conti—the ex-kings—shook things up. Russian cyber goons scrambled. Restructured. And poof—Hiveleaks and BlackBasta emerge, Conti affiliates in disguise. One’s a splinter affiliate. The other’s a fresh strain. Conti’s ghost haunts the dark web.
Researchers speculate these groups are settling in. Compromises climbing. August? Expect fireworks. It’s like whack-a-mole with malware. Hit one head, two pop up meaner.
But here’s my take—the unique bit nobody’s shouting: This mirrors the WannaCry fallout in 2017. Governments patted backs after patching exploits, but North Korea’s hackers just pivoted to ransomware franchises. Conti 2.0 now? Same script. Sanctions breed hydras. Bold prediction: By year’s end, we’ll see 400+ monthly attacks as these RaaS relics evolve, blending AI for smarter evasion. Corporate PR spins “resilience”—bull. It’s denial.
Look, LockBit’s no newbie. They’ve been at it since 3.0 dropped. Footprint massive. Why do they thrive? Lazy backups. Unpatched Windows. Phishing chumps. Organizations pat themselves on the back for “awareness training,” then pay the ransom anyway.
Is LockBit Unstoppable?
Nah. But close. Sixty-two attacks? That’s a spree. Victims spilling data on leak sites faster than you can say “extortion.” NCC monitored every post. Every brag. It’s a ransomware-as-a-service empire—affiliates grab the glory, LockBit takes the cut.
Hiveleaks and BlackBasta? Conti’s rejects, sure. But they’re hungry. No baggage. Rapid rises scream opportunity. Conti imploded under pressure—FBI seizures, arrests. Now? These pups inherit the throne.
And the flux? Post-Conti chaos. Groups rebrand. Reaffiliate. Output surges. It’s not resurgence; it’s reincarnation. Governments crow about bounties, but cybercriminals laugh. Why? Because boards still greenlight weak security to chase quarterly profits.
Short version: We’re screwed if we don’t wise up.
Dry fact: July’s 198 beats June’s dip. Spring highs loom. LockBit’s lead? Untouchable. But watch BlackBasta—they’re nipping heels.
What Does This Mean for Your Sorry Setup?
Panic? Maybe. But act. Patch everything. Segment networks. Test backups—offline, air-gapped, idiot-proof. RaaS means anyone with a grudge can play. Not just nation-states.
NCC’s report calls it a “resurgence led by old RaaS groups.” Old? Try battle-hardened. LockBit’s toolkit? Polished. Encrypts fast. Leaks ruthless.
Critique time: Companies spin these reports into “invest in us.” Bullfeathers. It’s your CISO’s job to not be the next leak-site star.
Here’s the sprawl: Imagine Conti leakers feeding Hiveleaks intel—old TTPs refined, new zero-days sprinkled in. We’ve seen it before with REvil post-Colonial Pipeline. Feds disrupt, gangs diffuse. Result? Broader threat. Prediction: Q4 brings double-digit growth in double-extortions. Data theft plus lockdown. Pay or pray.
Single line: Boards, wake up.
Dense dive: BlackBasta’s 50% jump? Ties to Conti’s codebase. Same evasion tricks—living-off-the-land, Cobalt Strike beacons. Hiveleaks? Pure affiliate hustle. 440%? That’s viral. Leak sites buzzing. Victims from healthcare to manufacturing. No sector safe. NCC scraped it all: Names, dates, proofs. Undeniable.
Why Ransomware Keeps Winning
Economics, dummy. RaaS lowers the bar. Script-kiddies pay up, attack pros handle ops. LockBit’s dashboard? User-friendly evil. Affiliates vote on victims. Democracy for data destroyers.
Government flex? Backfires. Conti bounty scattered talent. Now diluted, deadlier. Historical parallel: Like the Morris Worm birthing the antivirus industry—ironically fueling blackhat tools.
So, yeah. Ransomware attacks are the gift that keeps extorting.
Frequently Asked Questions
What caused the ransomware attack surge in July?
Conti’s breakup after US bounties birthed aggressive splinters like Hiveleaks and BlackBasta, plus LockBit’s dominance—198 total campaigns, up 47%.
Which ransomware group is most active right now?
LockBit, with 62 attacks in July per NCC Group data. They’re the undisputed champ, far ahead of the pack.
Will ransomware attacks keep rising?
Likely yes—splinter groups are settling in, and history shows disruptions just spawn new threats. Expect 300+ by fall.