In its Q3 2023 Global Ransomware report, Corvus Insurance noted that ransomware attack frequency is up 11 percent over Q2 2023 and 95 percent year-over-year.
In its report, Corvus noted a significant resurgence in global ransomware attacks, which has continued through the third quarter. Now, with two months remaining in the year, the number of ransomware victims in 2023 has already surpassed what was observed in 2021 and 2022. If the trajectory continues, 2023 will be the first year with more than 4,000 ransomware victims posted on leak sites (2,670 in 2022).
Two key factors drove the elevated Q3 ransomware numbers, according to the report.
The CL0P ransomware group has played a major role in the spike in ransomware activity. CL0P sprung to life in Q1 by exploiting GoAnywhere file transfer software, which impacted more than 130 victims. In Q2, CL0P struck again with the solo use of a mass zero-day exploit by a ransomware group targeting a vulnerability in the MOVEit file transfer software, which impacted 264 victims at the time of this report. The single MOVEit vulnerability accounted for 9 percent of victims listed in Q2 and 13 percent of victims listed in Q3. Even without these CL0P spikes in attack activity, ransomware numbers would still be up 5 percent over Q2 and 70 percent year-over-year in Q3.
Ransomware typically follows seasonal patterns, with incidents decreasing in early May and remaining low through early August. Driven largely by CL0P, this year’s dip in attacks occurred later in June and, rather than continuing to fall, spiked and remained high through the first half of August.
“It’s clear that ransomware attacks are on a record-setting pace for 2023, and based on activity at the end of Q3 and early Q4, we fully expect these numbers to surpass anything we have witnessed in previous years,” said Jason Rebholz, CISO, Corvus Insurance. “Aside from these overall numbers, this report demonstrates the impact that a single ransomware group like CL0P can have when they invest in new tactics, which is what we saw with the mass zero-day exploit that wreaked havoc over the second and third quarters.”
The Q3 report also examined which industries experienced the largest spikes in ransomware activity. These include:
- Law practices – An uptick due in part to the ALPHV ransomware group, which accounted for nearly a quarter of all victims in this industry (+70 percent).
- Government agencies – The impetus behind these attacks was LockBit, which tripled its government victims from Q2 to Q3 (mostly cities and municipalities) (+95 percent)
- Additional industries that experienced spikes include manufacturing (+60 percent), oil and gas (+142 percent), and transportation, logistics and storage (+50 percent).
“Ransomware actors can quickly pivot their focus, and no industry is immune. There’s no better time to ensure the right security controls are in place to mitigate the threat,” Rebholz said.