Based on dark web tracking, Corvus has previously reported on the notable resurgence of global ransomware attacks in Q1 2023. Q2 saw a further increase with 1,149 victims observed on ransomware leak sites. This is a 29% increase over Q1 and a steep 72% increase YoY. This report will discuss current trends and contributing factors to the increase in ransomware activity in 2023.
Now halfway through 2023, it’s clear to see that the ransomware resurgence is here to stay. Corvus observed two key factors that have contributed to the elevated numbers through Q1 and into Q2.
CL0P made headlines in Q1 and again in Q2 with the mass exploitation of a single vulnerability. Usually fairly quiet, CL0P sprung to life in Q1 by exploiting GoAnywhere file transfer software impacting over 130 victims. In Q2, they followed up with the mass exploitation of a zero day vulnerability in MOVEit file transfer software with a growing number of victims currently at 259 at the time of this report. These vulnerabilities accounted for 12% of total ransomware victims in Q1 (GoAnywhere) and 9% of Q2’s total (MOVEit). This added to the topline of an already steadily increasing victim count. Even without CL0P’s spikes in attack activity, ransomware numbers are still climbing. Removing CL0P from the analysis, ransomware is still up 35% since Q1 and 50% since Q4 2022.
Departing from its usual modus operandi of stealing data and encrypting files, the group chose only to steal files in these attacks. This made the attacks more nimble, stealthy, and scalable. In addition, by proactively exploiting vulnerabilities rather than waiting for exploits to be publicly released, CL0P gained a quick monopoly on the victim pool.
Another possible explanation for the increase is that there are simply more active ransomware groups. In Q1 2022, Corvus observed 35 groups operating leak sites. This grew 25% through Q2 2023, when Corvus observed 44 active ransomware leak sites. As well-known ransomware groups fractured, their proprietary encryptors leaked on the dark web. This allowed a number of new actors to freely deploy the malware, using it to start their own ransomware operations. Similarly, operators from defunct groups have been observed moving to others or starting their own.
It isn’t just more ransomware groups and more victims, ransomware severity is also increasing. According to payment solution provider, Digital Asset Redemption, ransom demands and payments are up in Q2 2023. Much as ransom victims overall, the numbers here may be pulled upwards by CL0P demanding higher ransoms for its MOVEit data theft and extortion attacks.
More ransomware groups extorting more victims and demanding higher ransoms is a perfect storm for both increased frequency and severity of ransomware worldwide.
A number of sectors have seen notable and sustained increases in the number of ransomware victims over the past six months, with further spikes in Q2. The reason for these increases can be due to a number of factors, two of which are worth mentioning here:
Intentional targeting can be observed when a ransomware group has a disproportionate number of victims within a specific vertical over a long period of time. AlphVM is an example of deliberate targeting with the group making up 10.44% of all victims in the legal industry from 2021 - 2022.
Vice Society and PYSA are also known to attack higher education with the groups claiming 16.30% and 15.22% of higher education respectively (prior to 2023).
But industry movement in Q2 was predominantly due to opportunistic attacks where threat actors exploit a technology used more in some industries versus others.
Sudden industry-specific spikes often indicate the exploitation of a particular technology commonly used by certain industries. Many of the industry increases this quarter were due to the popularity of GoAnywhere and MOVEit within certain sectors, which explains why Financial Services and Insurance were most heavily impacted.
The future is hard to predict but here are two significant developments to keep an eye on:
YoY numbers will likely remain high. Based on the current trajectory, 2023 will likely be a record-breaking year, surpassing both 2021 and 2022 numbers. In the past, the monthly number of ransomware leak site victims only exceeded 300 per month on three occasions in 2021. So far in 2023, monthly ransomware victims posted on leak sites exceeded 300 for the last five (soon to be six) months in a row. We expect that despite monthly variation, ransomware numbers in 2023 will continue to see inflated numbers over prior years with consistent YoY inflation. While we may see some ransomware activity decrease in the late Summer based on past patterns, more increase is probable in Q3 - Q4 2023.
Expect threat actors to continue exploiting file transfer and storage solutions. The campaign against GoAnywhere (Q1 2023) and MOVEit (Q2 2023) marks the third incident in which CL0P has utilized mass exploits against file transfer solutions, their first being in Q1 2021 with Accellion file transfer appliances. This is proving to be a profitable approach for an otherwise understated group and may set the trend for other groups looking for ways to gain new victims.
As Q2 2023 draws to a close, the alarming surge in ransomware attacks serves as a stark reminder of the ongoing battle against cybercrime. Threat actors are taking a proactive approach in exploiting new vulnerabilities and a number of new groups may be signaling even further increases later in the year. As ransomware gangs are getting even further ahead of the vulnerability curve, vulnerability management is even more crucial for businesses going into H2 2023.
Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.
Corvus analysis was made possible with supporting data from Digital Asset Redemption and eCrime.ch. This report is intended for general guidance and informational purposes only. This report is under no circumstances intended to be used or considered as specific insurance or information security advice. This report is not to be considered an objective or independent explanation of the matters contained herein.