It didn’t feel like it, but some ransomware groups took a summer break. Here’s what you need to know.
Attacks slowed by 18.41% from the prior month but remained vastly inflated YoY (139.26% increase). August is the seventh month in a row with a YoY increase in ransomware victims and the sixth month in a row with victim counts above 300.
A summer slowdown in ransomware is to be expected, however, this year the slowdown was later and not as pronounced as prior years. While August’s total number of victims was lower than July, July’s high numbers are inflated mostly due to the CL0P ransomware group, which posted over 170 victims in July. This accounted for 35.56% of the industry-wide total of all monthly ransomware victims in July.
While July saw a higher number of victims (due to an outsized contribution from CL0P’s mass exploit), August's total is more evenly distributed among established ransomware groups: LockBit, AlphVM, and BlackBasta are returning from their Summer hiatus.
In August, the LockBit ransomware group more than doubled its July activity.
In the graph below, it’s evident that LockBit in particular but also AlphVM, Akira, and BlackBasta stepped back to some degree in July but increased their victim postings in August. CL0P is the opposite. With a high number of victim postings in July but very few in August.
|
Group |
Date Discovered |
Victim Count |
Ransomed |
Aug 25, 2023 | 27 |
Cloak |
Aug 24, 2023 | 26 |
INC Ransom |
Aug 16, 2023 | 5 |
Metaencryptor |
Aug 14, 2023 | 12 |
Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.