Ransomware attacks set to break records in 2023

Ransomware attacks continue at a record-breaking pace, with Q3 2023 global ransomware attack frequency up 11% over Q2 and 95% year-over-year (YoY), according to Corvus Insurance.

In its Q2 2023 Global Ransomware Report, Corvus noted a significant resurgence in global ransomware attacks, which has continued through the third quarter. Now, with two months remaining in the year, the number of ransomware victims in 2023 has already surpassed what was observed for 2021 and 2022. If the trajectory continues, 2023 will be the first year with more than 4,000 ransomware victims posted on leak sites (2,670 in 2022).

Two key factors drove the elevated Q3 ransomware numbers.

CL0P fuels 2023 surge

The CL0P ransomware group has played a major role in this spike in 2023 ransomware activity. CL0P sprung to life in Q1 by exploiting GoAnywhere file transfer software, impacting over 130 victims. In Q2, CL0P struck again with the solo use of a mass zero-day exploit by a ransomware group targeting a vulnerability in the MOVEit file transfer software, which impacted 264 victims at the time of this report.

The single MOVEit vulnerability accounted for 9% of the victims in Q2 and 13% in Q3. Even without these CL0P spikes in attack activity, ransomware numbers would still be up 5% over Q2 and 70% YoY in Q3.

Threat actors cut summer breaks short

Ransomware typically follows seasonal patterns, with incidents decreasing in early May and remaining low through early August. Driven largely by CL0P, this year’s dip in attacks occurred later in June and, rather than continuing to fall, spiked and remained high through the first half of August. Even without CL0P, ransomware activity would still amount to a 70% year-over-year increase.

“It’s clear that ransomware attacks are on a record-setting pace for 2023, and based on activity at the end of Q3 and early Q4, we fully expect these numbers to surpass anything we have witnessed in previous years,” said Jason Rebholz, CISO, Corvus Insurance.

“Aside from these overall numbers, this report demonstrates the impact that a single ransomware group like CL0P can have when they invest in new tactics, which is what we saw with the mass zero-day exploit that wreaked havoc over the second and third quarters,” Rebholz continued.

The Q3 report also examines which industries experienced the largest spikes in ransomware activity. These include:

• Law practices – An uptick due in part to the ALPHV ransomware group, which accounted for nearly a quarter of all victims in this industry (+70%).
• Government agencies – The impetus behind these attacks was LockBit, which tripled its government victims from Q2 to Q3 (mostly cities and municipalities) (+95%)
• Additional industries that experienced spikes include manufacturing (+60%), oil and gas (+142%), and transportation, logistics and storage (+50%).

“Ransomware actors can quickly pivot their focus, and no industry is immune. There’s no better time to ensure the right security controls are in place to mitigate the threat,” Rebholz concluded.