How to Protect Your Systems as Ransomware Threats Escalate in 2024

Aug 26, 2022

Ransomware Campaign Frequency Surges Following Brief Decline

Lockbit dominates the summer threat landscape with unprecedented activity levels, while two Conti-affiliated operations demonstrate substantial growth trajectories.

The ransomware threat landscape is experiencing renewed momentum after a temporary contraction. Fresh intelligence data from NCC Group reveals that established ransomware-as-a-service operations are driving this resurgence.

Through continuous surveillance of ransomware group leak sites and systematic extraction of victim disclosure data, security researchers identified Lockbit as July's dominant threat actor, responsible for 62 documented compromises. This represents a ten-incident increase from the previous month, is more than double the count of the second-ranked group, and exceeds even the combined total of the second- and third-ranked groups. The research team emphasized that Lockbit 3.0 has solidified its position as the preeminent ransomware threat, warranting heightened organizational awareness across all sectors.

The runner-up positions belong to Hiveleaks with 27 documented attacks and BlackBasta with 24 incidents. Both operations have demonstrated explosive growth trajectories, with Hiveleaks posting a remarkable 440 percent month-over-month increase since June, while BlackBasta expanded its operations by 50 percent during the same period.

The timing of the overall ransomware resurgence and the accelerated growth of these two specific groups appears to be more than coincidence; the analysts treat the two trends as potentially interconnected.

Analyzing the Ransomware Activity Rebound

NCC Group's threat intelligence documented 198 successful ransomware operations throughout July, marking a substantial 47 percent escalation from June's figures. While this uptick is noteworthy, it remains below the peak activity observed during the spring months, when both March and April recorded nearly 300 campaigns each.

Understanding the Activity Fluctuations

The May timeframe saw intensified focus from United States authorities targeting Russian cybercriminal infrastructure, including the announcement of reward incentives reaching $15 million for actionable intelligence regarding Conti, which at that time represented the most formidable ransomware operation globally. The report's authors suggest that threat actors were likely undergoing organizational restructuring during this period, and have subsequently stabilized their operational frameworks, resulting in the observed increase in successful compromises.

Hiveleaks and BlackBasta emerged from this reorganization process. Both operations maintain documented connections to Conti, with Hiveleaks functioning as an affiliate network and BlackBasta serving as a successor variant. The research indicates that Conti's operational capabilities have rapidly reintegrated into the threat ecosystem, albeit through rebranded entities.

With Conti's infrastructure now effectively bifurcated into distinct operations, the analysts project that attack volumes may continue their upward trajectory into August as these reorganized groups reach full operational maturity.