The cyber threat to companies providing IT, finance, and other consulting and contract services surged in the first quarter, pushing the sector to become the top target of ransomware in the U.S., according to Trellix’s recent report.

For the report, the security company draws on proprietary data from its more than one billion sensors, open-source intelligence, and its threat labs’ investigations into ransomware, nation-state activity, and other threats.

The report found that business services accounted for 64% of Trellix’s total U.S. ransomware detections and was the second most targeted sector globally. This demonstrates cybercriminals’ desire to disrupt multiple companies with one attack, researchers noted. 

Telecom led the top 10 global customer sectors with 53% of ransomware detections, followed by business services, media and communications, finance, and transportation and shipping.

New Trends in Ransomware 

Additionally, the report showed a significant drop in global activity from the largest ransomware gangs such as Lockbit (44%), Conti (37%), and Cuba (55%), compared to the last quarter of 2021.

In the U.S., Lockbit accounted for 26% of top-10 ransomware tool queries, followed by Conti (13%), BlackCat (11%), and Ryuk (10%), according to the report.

Researchers also found a new trend in which these ransomware families publicly align themselves with nation-states to target critical infrastructure. Conti publicly expressed allegiance to the Russian administration, and the group’s leaked chats “seem to confirm the government is directing cybercriminal enterprises,” they noted.

“Adversaries know they are being watched closely; the absence of new tactics observed in the wild during the war in Ukraine tells us tools are being held back,” warned Christiaan Beek, lead scientist and senior principal engineer at Trellix. “Global threat actors have novel cyber artillery ready to deploy in case of escalation and organizations need to remain vigilant.”

Top Targeted Countries 

Among Trellix’s client countries, nation-state activity targeting Turkey accounted for 31% in the first quarter, followed by Israel (18%), the United Kingdom (11%), Mexico (10%), and the United States (8%), rounding out the top five countries with the highest nation-state activity detections.

Among open-source, publicly reported cyber incidents, Russia recorded the highest increase, at 490%, while the U.S. was the country with the most reported incidents in the first quarter, accounting for 35% of the incidents.