<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1354242&amp;fmt=gif">

Another Record-Breaking Month for Ransomware: November Up 110% YoY

Yet another record-shattering month for the number of ransomware victims on leak sites. Here’s what you need to know.

Executive Summary 

  • Corvus observed 484 new ransomware victims posted to leak sites in November 2023

    • That represents a 39.08% increase from October and a 110.43% increase year-on-year

  • This is the eleventh month in a row with a YoY increase in industry-wide ransomware victims, and the ninth month in a row with victim counts above 300

  • Threat actors are pivoting to software exploits and new malware to gain access to victims 

Analysis Detail

 

Attack Frequency Details 

In October, we reported that the number of ransomware victims on leak sites decreased by 15.12% compared to the previous month. However, November boomeranged back to a significant increase, both month-over-month and year-over-year.

In fact, November 2023 recorded the highest number of ransomware leak site victims ever reported. This is the third time in 2023 that such a record has been broken, the most recent pre-2023 record being established two years ago, in November 2021. During the previous two record-breaking months, a large portion of victims were a result of a CL0P mass-exploit attack, whereas that was not the case this month.

[CHART] Total Posted Victims January to November 2023

[LINE GRAPH] Ransomware Victims by Month (January 2021 - December 2023)

Such a pronounced October decrease across all groups was unusual, though the figure still remained vastly inflated year-over-year. Part of this could likely be attributed in part to the takedown of the Qakbot malware network. Qakbot, also called QBot is malware commonly deployed to gain initial entry into target networks. QBot was used by a number of prominent ransomware gangs including Black Basta, LockBit, Royal, Conti, and REvil. 

According to Fortra PhishLabs, QBot was the most commonly observed malware family spread via email in Q3 2023. Even though it was taken offline by international law enforcement partway through the quarter, it still stood head and shoulders above competitors, making up 31.25% of the total payload volume for all of Q3. 

For November, let’s drill into the data. The first thing to note is the breakdown by ransomware group. LockBit far and away tops the list with 121 victims followed by PLAY, AlphVM, BlackBasta, and 8Base.

[BAR GRAPH] Claimed Victims by Ransomware Groups Leak Sites

[BAR GRAPH] Ransomware Group Leak Sites (October - November 2023)

LockBit, for its part was operating above average levels in November but not completely out of character. November 2023 was its third most active month on record just shy of February and August of this year, both of which were quite possibly seeing increased activity after some affiliates were returning from a Winter and Summer reprieve, respectively. Part of the explanation for increased LockBit activity could be the existence of a new NetScaler (formerly Citrix) vulnerability called CitrixBleed which has reportedly become a new staple for the group.

[BAR GRAPH] LockBit Leak Site Victims from July 2021 - November 2023

Other groups have begun exploiting a variety of recent vulnerabilities in software such as Qlik Sense (CVE-2023-41265) and ownCloud (CVE-2023-49103). While throughout the ransomware ecosystem, threat actors are switching to other types of infostealer malware such as DarkGate and Pikabot to make up for the loss of QBot. In essence, though perhaps slowed down by the shutdown, ransomware operators are quickly pivoting to other ways of compromising corporate networks.

Corvus Threat Intel Team Notes

In summary, our three primary observations this month:

  1. After a puzzling decrease in October, November shattered another record

  2. Based on historical seasonal data, December will remain inflated year-over-year but likely won’t match November’s numbers

    • Expect a decrease in January as the humans behind ransomware attacks take some time off 

  3. The ransomware ecosystem at large has successfully pivoted away from QBot. Making software exploits and alternative malware families part of their repertoire is paying off for ransomware groups

As we pursue our mission to make the world a safer place, Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.

Corvus analysis was made possible with supporting data from eCrime.ch. This report is intended for general guidance and informational purposes only. This report is under no circumstances intended to be used or considered as specific insurance or information security advice. This report is not to be considered an objective or independent explanation of the matters contained herein.

Recent Articles

The Crucial First 48 Hours: Navigating Business Continuity and Disaster Recovery


The actions you take in the first 48 hours of a business disruption set the stage for recovery. Our guide to BCDR can help get you started.

Keep It Real: Avoid Falling for the Rise of Deepfake Phishing Scams


What if you suspected a phishing email, but your CFO confirmed it was legitimate? We'll explore the recent deepfake phishing attack and how to prevent it.

Q4 Ransomware Report: 2023 Ends as a Record-Breaking Year


In this report, we will highlight some more of our findings from Q4 2023 and also look at trends across 2023.