<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1354242&amp;fmt=gif">

August Ransomware Recap: Sixth Month in a Row with YoY Increase

It didn’t feel like it, but some ransomware groups took a summer break. Here’s what you need to know.

Executive Summary

Corvus observed 390 new ransomware victims posted to leak sites in August 2023.

  • A 18.41% decrease from the prior month.

  • This also represents a 139.26% increase YoY.

  • This is the sixth month in a row with a YoY increase in industry-wide ransomware victims and the fifth month in a row with victim counts above 300.

  • After a decrease in July activity, established groups like LockBit, AlphVM, and BlackBasta saw an increase in victims posted in August.

Ransomware Analysis Detail:


Ransomware Attack Frequency Trends:

Attacks slowed by 18.41% from the prior month but remained vastly inflated YoY (139.26% increase). August is the seventh month in a row with a YoY increase in ransomware victims and the sixth month in a row with victim counts above 300.

[CHART] Total Posted Victims Difference YoY Between Jan. - July 2023 and Jan. - July 2022

A summer slowdown in ransomware is to be expected, however, this year the slowdown was later and not as pronounced as prior years. While August’s total number of victims was lower than July, July’s high numbers are inflated mostly due to the CL0P ransomware group, which posted over 170 victims in July. This accounted for 35.56% of the industry-wide total of all monthly ransomware victims in July. 

[LINE GRAPH] Ransomware Victims by Month Jan. 2021 - Nov. 2023

While July saw a higher number of victims (due to an outsized contribution from CL0P’s mass exploit), August's total is more evenly distributed among established ransomware groups: LockBit, AlphVM, and BlackBasta are returning from their Summer hiatus. 

In August, the LockBit ransomware group more than doubled its July activity.

In the graph below, it’s evident that LockBit in particular but also AlphVM, Akira, and BlackBasta stepped back to some degree in July but increased their victim postings in August. CL0P is the opposite. With a high number of victim postings in July but very few in August. 

[BAR GRAPH] Ransomware Group Leak Sites July - Aug. 2023

New Ransomware Groups


Date Discovered

Victim Count


Aug 25, 2023 27


Aug 24, 2023 26

INC Ransom

Aug 16, 2023 5


Aug 14, 2023 12

Corvus Threat Intel Team Notes

Corvus is closely monitoring three trends:

  1. Seasonal variation in ransomware shows a Summer decrease.
  2. The Summer decrease in 2023 was later and much less pronounced than usual, given CL0P’s use of a zero-day exploit against MOVEit.
  3. Attack frequency remains high YoY.
  4. Typically, we expect attacks to continue to rise through Q3 and Q4.

Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.

Recent Articles

Handling Cyber Objections: 'Cyber Insurance Is Too Expensive'

Clients may be quick to object to the cost of cyber insurance, but we'll unpack the real 'bang for your buck' argument to cyber coverage.

Cyber and Construction: Laying Groundwork to Combat Digital Threats

The construction sector is facing urgent cybersecurity challenges. Learn more about unique risks and how creative underwriting solutions can help.

Cyber Insurance for Small Businesses: BOP vs. Standalone Cyber

Is a BOP with a cyber extension enough to protect SMBs? Walk your clients through which coverages to look for to stay financially protected.