While Leaves Fall, Ransomware Rises: Attacks Are Up 5.1% in September

Threat actors are starting Fall off by increasing ransomware numbers. Here’s what you need to know.

Executive Summary

Corvus observed 410 new ransomware victims posted to leak sites in September 2023.

• A 5.12% increase from the prior month.

• This also represents a 79.82% increase YoY.

• This is the ninth month in a row with a YoY increase in industry wide ransomware victims and the seventh month in a row with victim counts above 300.

Ransomware Analysis Detail 

Ransomware Attack Frequency Trends

Attacks picked up by 5.12% from August and remained high YoY (79.82% increase). September is the eighth month in a row with a YoY increase in ransomware victims, the sixth month in a row with victim counts above 300, and the fourth month this year with victim counts above 400.

We discovered a leak site in September belonging to a new ransomware group: LostTrustTeam. While the website featured 52 victims, we did not include these in September’s total numbers as we are uncertain when the attacks occurred. However, with their inclusion, September’s total would stand even higher at 462 victims.

This year’s Summer slowdown was shorter and came later than expected. If you blinked, you probably missed it. After two record-breaking months in June and July, ransomware decreased slightly in the first half of August. September shows a notable return to activity for ransomware gangs which, following seasonal patterns will likely continue to increase in Q4.

As we have reported for the past several months, the CL0P ransomware group utilized exploits to amass large numbers of victims, further inflating ransomware numbers for several months out of the year. Their campaign against MOVEit file transfer and storage software appears to have ended with no activity in September. The graph below shows ransomware metrics with CL0P removed from the analysis. While mass exploits add considerably to the total number of ransomware victims, there is a clear trend of steady increases even without CL0P’s outsized contribution. Viewed in this new light, September would actually be the most active month of 2023 without victims from mass exploits. The Q4 increase is also more stark.

New Ransomware Groups

Newly discovered leak sites this month include LostTrustTeam, ThreeAM, and CiphBit.

Corvus Threat Intel Team Notes

Corvus is closely monitoring three trends:

1. Seasonal variation in ransomware shows a Q4 increase.

2. The Summer decrease in 2023 was later and much less pronounced than usual, given CL0P’s use of a zero-day exploit against MOVEit.

3. Attack frequency remains high YoY.

Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.