NCC Group analysis identifies Lockbit as the most active ransomware-as-a-service provider in July, according to recent data. Researchers examined leak sites and victim details released during the month to track activity levels. This increase follows a previous dip, indicating a return to high-frequency campaigns by established providers.
Lockbit conducted 62 attacks in July, exceeding the combined total of the subsequent two groups. Hiveleaks recorded 27 incidents, while BlackBasta conducted 24. Secondary groups showed rapid expansion, with Hiveleaks increasing by 440 percent and BlackBasta by 50 percent since June.
The emergence of these secondary groups followed a United States government offer of $15 million for intelligence on the Conti threat group in May. Analysts posit that Conti operators reorganized under new identities, reintroducing variants to the threat ecosystem.
Successful ransomware campaigns totaled 198 in July, representing a 47 percent increase from June. Despite this growth, figures remain below the spring peak of nearly 300 campaigns. Experts anticipate further fluctuations as these groups consolidate their new operational structures.