
March 2023 Sees 60% Increase in Ransomware Attacks

Ransomware is up 60% from this time last year, and 141% from two years ago. 


Executive Summary:

Ransomware Data

  • Corvus observed 452 new ransomware victims on leak sites in March 2023. This is the highest monthly number observed in the past two years.

    • 22% of March’s claimed ransomware victims were associated with the CL0P ransomware gang’s attack campaign targeting GoAnywhere. 
  • Attacks increased 31% YoY in February and 60% YoY in March 2023.

  • In March 2023, ransomware attacks against healthcare, municipalities, and telecommunications increased 800%, 750%, and 250% respectively, compared to the prior month (February 2023).

Analysis Detail

Ransomware Attack Frequency Details

After a notable decrease in 2022, ransomware is on the rise in 2023. Data drawn from our threat intelligence sources (not based on claims activity within Corvus’s own book of business) revealed that the overall number of ransomware victims listed on dark web leak sites increased 60% between January and February. It increased another 69% from February to March 2023.

Overall, March 2023 appears to be the month with the largest number of ransomware victims being posted to leak sites over the past two years.

[LINE GRAPH] Ransomware Victims by Month 2021-2023

The CL0P ransomware gang is partially responsible for the increased numbers in March. CL0P claims to have compromised over 130 organizations by exploiting vulnerable GoAnywhere file transfer software and began publishing victims en masse on its leak site. CL0P’s victims comprise roughly 22% of March’s total claimed ransomware victims. 

CL0P listed nearly as many victims in a single month as it did in all of 2021 and 2022 combined, indicating that the flurry of activity in March is not necessarily representative of its typical behavior.

[LINE GRAPH] CL0P Ransomware Victims by Month from December 2020-April 2023

Even without CL0P’s contribution, the number of claimed ransomware victims in March stands at 349. This is still a 31% increase over February 2023, a 23% increase YoY, and would remain one of the highest months on record. With or without CL0P’s campaign, ransomware victim metrics this year are far above the typical threshold for February and March. 

Industry Victim Trends

[FIGURE] Industry-Prior Month Difference

Telecommunications saw an 800% increase.
  • Half of these organizations are based in the United States; the others are located in the U.K., France, Lebanon, and Cameroon.

Hospitals & Healthcare experienced a 750% increase in attacks.
  • Some of this increase was due to CL0P’s GoAnywhere campaign (35% of the total). However, even after removing CL0P’s victims from the analysis, there would still have been a 450% increase from February. Many of the organizations impacted were healthcare tech companies.

Government saw a 220% increase over February.
  • This mostly includes local municipalities such as cities. These targets were attacked by no fewer than 10 different ransomware groups, including BianLian, LockBit, Play, and Stormous.

Corvus Threat Intel Team Notes

The relative reprieve from ransomware in 2022 wasn’t going to last forever. We’re just a few months into 2023 and ransomware is making a resurgence. Threat actors carrying out these attacks have demonstrated their penchant for exploiting software vulnerabilities against a large number of targets. As some of the more “tried and true” attack vectors have waned in potency, attackers have switched to new vectors such as using malicious LNK or OneNote email attachments instead of Microsoft Office documents. We expect this trend to persist. 

Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.

Corvus analysis was made possible with supporting data from eCrime.ch. 
