Ryan Bell, Threat Intel Manager, Corvus Insurance
There is still more than one month left in the books for 2023, and it’s safe to say that once we flip the calendar to January, we will have also closed the books on the biggest explosion of ransomware attacks on record for a single year.
This declaration is based on our Quarterly Ransomware Reports, which track data collected from ransomware leak sites dating back to 2021. For anyone not familiar with these sites, they are on the dark web and are maintained by ransomware groups, which use them to list uncooperative victims and post stolen data.
Our team regularly crawls these dark web leak sites, monitoring for insureds and partners. We also take the aggregated data from these efforts and combine it with insights from partners and others in the industry to gain a comprehensive picture of the ransomware landscape. This is how we’ve been able to track this spike in activity, which started at the beginning of the year.
Here’s a quick recap of the activity we have seen this year to date.
The Year in Ransomware
In our initial ransomware reports from earlier this year, we saw the numbers skyrocket. Specific details include:
- February was up 60 percent over January.
- March was up 70 percent over February.
From that point forward, this trend continued. In our Q2 report, ransomware attacks grew by nearly 30 percent over Q1, and they grew again in Q3, with incidents increasing quarter-over-quarter by 11.2 percent. If we look at Q3 2022, the increase is even more startling: ransomware attacks are up more than 95 percent over 2022.
Now, with just a month and a half left in the year, 2023 ransomware victim numbers have already surpassed what was observed for the entirety of either 2021 or 2022. If we look at how Q3 ended and how the year’s final quarter began, it’s very likely that we will eclipse 4,000 ransomware victims posted on leak sites for the first time ever.
What’s scary is that these figures could be much higher. That’s because a significant percentage of victims (best estimates being between 27% and 41%) quickly pay threat actors’ demands and thus are never observed on a leak site. If you add these unobserved victims, the total number of ransomware victims could be as high as 5,500 to 7,000 businesses in 2023.
Behind the Numbers
Our team has identified two key factors impacting this year’s activity. The first is CL0P. CL0P first appeared in 2020, but before this year, it only accounted for a small number of total ransomware victims. Then, in Q1, CL0P sprang to life by exploiting GoAnywhere file transfer software, which impacted more than 130 victims. CL0P struck again in Q2 with the mass exploitation of a zero-day vulnerability in MOVEit file transfer software. This time, there were a total of 264 victims, a number which continues to grow to this day.
Even without CL0P, which accounted for 9 percent and 13 percent of Q2 and Q3 activity, respectively, it’s worth pointing out that ransomware activity would still be up 5 percent quarter over quarter and 70 percent year over year in Q3.
Another driver behind these figures was summer vacation. Yes, you heard me correctly. Like you and me, cybercriminals like to take summer breaks to unplug and spend some of what they’ve extorted from their victims. But this past summer, the pattern diverged from its usual course. Normally, the decline begins in May and activity remains low until early August. At that point, activity picks back up and remains high for the rest of the year. But this year was different, with the dip occurring one month later, in June, and activity then spiking through the end of July and the first half of August.
Ransomware’s Top Industry Targets
One last area worth delving into is the industries that experienced the most significant spike in ransomware attacks. The two big winners, or in this case, losers, were law practices and the government, followed by manufacturing, medical practices, and oil and gas.
With law practices, the numbers were driven by the ALPHV ransomware group, which accounted for 23.5 percent of all victims in this sector. Law firms were the top exploited industry by this pernicious ransomware group in the U.S., Canada, and the U.K.
As for the government, ransomware attacks were up 95 percent due largely to LockBit, which tripled its government victims from Q2 to Q3, and the Stormous ransomware group, which targeted the Cuban government.
Over the upcoming days and weeks, we will be rolling out additional ransomware research and analysis. As I mentioned, I expect we will see a continued rise in ransomware activity that will ensure 2023 secures the dubious honor of having had the most ransomware victims posted on leak sites we’ve ever seen. Keep your eyes open for updates.