Some 1,378 organisations have been named as victims on ransomware data-leak websites in the second quarter of 2023 (Q2 2023), according to ReliaQuest.
This was a 64.4% increase from the record-breaking number of victims named in Q1 2023, 838 organisations.
This surge was linked to many new ransomware groups emerging and naming many victims, as well as a large-scale Clop ransomware supply-chain attack campaign. In addition, LockBit remained highly active, naming 246 victims.
Clop ranked fifth in terms of victim numbers but had the greatest impact with its breach of multiple billion-dollar organisations by exploiting the MOVEit vulnerability.
May 2023 set a new record for the number of ransomware victims posted to data-leak sites, totaling 600 victims. This figure represented a 46.7% increase compared to the previous record observed in March 2023, where there were 409 victims.
Q2 2023 Ransomware Report: Victim Count Hits New Heights
The second quarter of 2023 was prolific for ransomware groups, with several notable newcomers and records shattered. Following the previous quarter’s record-breaking numbers, Q2 2023 saw another large surge in organisations named on double-extortion ransomware data-leak websites. We also observed one of the most serious ransomware campaigns ever recorded.
ReliaQuest’s Threat Research Team monitors the activity of ransomware groups and their data-leak sites. Its quarterly ransomware report gives the big picture of that activity in Q2 2023.
Clop and the MOVEit Compromise
The most impactful ransomware-related event was the “Clop” ransomware gang’s exploitation of a zero-day vulnerability (CVE-2023-34362) in the MOVEit Transfer Software. Clop claimed to have stolen the data of hundreds of companies and began naming victims on June 14, 2023; 89 MOVEit victims were publicised in June alone. Since then, that number has crept close to 260, making this one of the largest extortion campaigns by a ransomware group ReliaQuest has observed.
Clearly, Clop’s unique approach to targeting enterprise file-transfer software/platforms has been effective. The group began exploiting vulnerabilities in such products in December 2020, breaching more than 100 companies through a zero-day vulnerability in Accellion file-transfer software. In February 2023, the group took responsibility for another such campaign, targeting GoAnywhere software and compromising over 130 organisations.
The MOVEit campaign was undoubtedly Clop’s largest and most impactful, compromising multiple large companies. The move towards single-extortion attacks, avoiding data encryption and focusing solely on data theft, is a unique ransomware-group trend that may become common among other groups. For more information on Clop and the MOVEit campaign, check out our blog covering the campaign.
Malas and the Zimbra Compromise
In March 2023, users began noticing that their Zimbra servers had become encrypted and the new Malas ransomware gang had left ransom notes in encrypted folders. The notes detailed an unusual demand: make a donation to a nonprofit organisation that the attackers approved of. A donation would mean access to a decrypting tool and a promise not to leak the data, demands more closely aligned with hacktivism than traditional ransomware extortion. Malas’s campaign is just one example of how the lines dividing cybercriminals, nation-state threat actors, and hacktivists are becoming more difficult to distinguish.
In mid-May 2023, Malas launched a dark-web data-leak site and immediately named 169 affected companies, securing the second-highest number in Q2 2023. The group only exposed the configuration files of victims’ Zimbra servers, which likely resulted in a low impact. By comparison, Clop placed fifth in terms of numbers but made the greatest impact with MOVEit.
Record Number of Victims
In the second quarter of 2023, close to 1,400 organisations were named on ransomware and data-extortion websites. This marked a substantial increase (66%) from Q1 2023, which saw close to 850 affected organisations. What makes this increase even more impressive is that Q1 2023 had set the record for the most victims we ever recorded, but Q2 2023 shattered that record with 500 more. The number of organisations being named on ransomware websites has more than doubled over the past two quarters, highlighting a sudden growth in ransomware operations.
As expected, other records were broken in the past quarter. May 2023 is now the month with the highest number of ransomware victims we have ever recorded. Close to 600 organisations were named to ransomware data-leak sites in May: a 46.7% increase from the previous record in March 2023. The high count in May was driven by the ransomware groups Malas and 8Base naming a lot of affected organisations shortly after launching their data-leak sites.
Extortion Attacks Scarce
With regard to extortion-only gangs, few organisations were named on data-leak sites. Even so, there was a noticeable rise compared to Q1 2023, but it was likely caused by natural deviations in quarterly numbers. The Karakurt Hacking Team was the most active extortion-only group, making up close to 95% of victims.
“We can’t end the discussion of extortion-only attacks without noting that Clop hasn’t deployed ransomware in any of its file-transfer software attacks (Accellion, GoAnywhere, or MOVEit),” says ReliaQuest.
“Instead, Clop simply stole data and threatened to publicly release it if victims didn’t make ransom payments. By skipping encryption, Clop could conduct attacks much faster and more efficiently, targeting hundreds of companies at once.
“In extortion-only attacks, ransomware groups don’t always leave ransom notes, so attacks can be harder to detect. Instead, threat actors typically reach out to affected organisations via email or other communication, making them aware of the breach and ransom demands.
“Clop has taken an even less traditional approach in its latest MOVEit campaign: requesting that victims contact Clop if they have been compromised. This puts the burden on the companies to figure out if they had been breached.”
Who Was Targeted?
The US remained the country most targeted by ransomware groups, by a wide margin. Nearly half of all companies named on data-leak sites in Q2 2023 operated in the US. Following the US were the UK, Germany, Canada, and France, the same five countries targeted most in Q1 2023, but with slight shifts, such as Germany rising to third place from fifth. The appeal of those five countries likely lies in their numerous wealthy organisations: typical targets for ransomware groups.
The sectors most targeted changed slightly in Q2 2023. The professional, scientific, and technical services sector was the most popular, comprising 20.2% of all the affected organisations. The manufacturing sector closely followed, with 19.6%. The remaining sectors in the top five were finance and insurance, healthcare and social assistance, and construction. Healthcare remained a popular target despite many ransomware groups claiming to avoid targeting that sector; this trend has persisted since Q1 2023.