July 2023 saw record levels of ransomware attacks carried out, with 502 observed by NCC Group’s Global Threat Intelligence team throughout the month. The findings mark a 154% increase year-on-year (198 attacks in July 2022), and a 16% rise on the previous month (434 attacks in June 2023).
Cl0p continues to dominate following MOVEit exploitation
This report comes as the fall-out continues from Cl0p’s exploitation of a vulnerability in MOVEit, a file transfer software, in June this year. The Russian-speaking group remained the most active threat group in July, responsible for 171 of 502 (34%) ransomware attacks. So far, it is believed that nearly 500 organisations and millions of individuals have been affected by the attack.
It has been noted by some in the industry that the attack and its wide-scale impact mark a shift in the ransomware model. Cl0p’s focus was on extorting data from MOVEit’s environment, using this to extort implicated organisations.
LockBit 3.0 ranked as the second most active threat actor in July, responsible for 50 (10%) attacks. It represents a decline of 17%, as compared with 60 attacks in June.
Outside of the top spots, July witnessed activity from a number of new threat actors, following the reinvention and rebranding of existing groups. Specifically exploiting VPN vulnerabilities, NoEscape, believed to be a rebrand of Avaddon, has moved into the top ten most active groups, accounting for 16 (3%) of the total monthly attacks in July, the threat intelligence team finds.
Industrials suffers highest number of attacks so far in 2023
Industrials continued to be the most targeted sector for ransomware attacks in July with 155 (31%) of 502 attacks. It represents an 8% increase in volume and the highest number of attacks within the sector in 2023.
Given that a number of organisations operating within industrials hold critical information or intellectual property (IP), it remains an attractive target for threat groups, the team finds.
Consumer cyclicals ranked in second place with 79 cases, accounting for 16% of the overall monthly attacks. Technology was the third most targeted sector in July with 72 attacks, or 14% of the monthly total.
Spotlight: Rising threats in the financials sector
In July, professional and commercial services were the most targeted within the industrial sector. In the last month, the top three threat actors, Cl0p, LockBit 3.0, and 8Base, were responsible for 48% (74 cases total) of attacks against industrials.
The financials sector has continued to be a top target for threat actors, particularly from state-sponsored groups such as North Korea’s Lazarus and organised crime groups like FIN7.
The sector is facing increasingly sophisticated and mature attacks as a result of it being such an attractive target. It is vital that organisations within the sector remain vigilant against attacks to stay one step ahead of the numerous threat groups that are seeking to exploit the space, the team states.
Matt Hull, Global Head of Threat Intelligence at NCC Group, says, “Record levels of ransomware attacks in July, topping the previous spike in June, demonstrate the continued evolving and pervasive nature of the threat landscape globally.”
“We are still seeing many organisations contending with the impact of Cl0p’s MOVEit attack, which goes to show just how far-reaching and long-lasting ransomware attacks can be. No organisation or individual is safe.”
This campaign is particularly significant given that Cl0p has been able to extort hundreds of organisations by compromising one environment, according to the threat intelligence team. Not only do business leaders need to be vigilant in protecting their environments, but they must also pay close attention to the security protocols of the organisations they work with as part of the supply chain, the team states.
Hull concludes, “Alongside established players, like Cl0p and LockBit 3.0, we’re also seeing the growing influence of new groups. They are introducing new tactics, techniques and procedures, underscoring how important it is for organisations to remain up-to-speed with changes in the threat landscape.”