
Q2 Ransomware Report: Global Attacks At All-Time High

Key Takeaways:

  • Global ransomware frequency continues an upward trend from late 2022. Corvus observed a 29% QoQ increase in Q2 and a 72% increase YoY on leak sites.
  • The limited use of mass exploits has a noticeable impact on overall ransomware. In Q2, the CL0P ransomware group’s use of a zero-day vulnerability in MOVEit file transfer software accounted for 9% of all ransomware victims.
  • Without CL0P activity, there’s still a 35% increase in ransomware QoQ and 60% increase YoY.
  • Following seasonal ransomware patterns, attack velocity may slow from current levels in Q3 but will likely pick up again in Q4.

Introduction

Based on dark web tracking, Corvus has previously reported on the notable resurgence of global ransomware attacks in Q1 2023. Q2 saw a further increase with 1,149 victims observed on ransomware leak sites. This is a 29% increase over Q1 and a steep 72% increase YoY. This report will discuss current trends and contributing factors to the increase in ransomware activity in 2023.

[Figure: Ransomware victims trendline]

Factors Contributing to the Global Ransomware Surge

Now halfway through 2023, it’s clear to see that the ransomware resurgence is here to stay. Corvus observed two key factors that have contributed to the elevated numbers through Q1 and into Q2.

CL0P Mass Exploits

CL0P made headlines in Q1 and again in Q2 with the mass exploitation of a single vulnerability each time. Usually fairly quiet, CL0P sprang to life in Q1 by exploiting GoAnywhere file transfer software, impacting over 130 victims. In Q2, it followed up with the mass exploitation of a zero-day vulnerability in MOVEit file transfer software, with a growing victim count standing at 259 at the time of this report. These vulnerabilities accounted for 12% of total ransomware victims in Q1 (GoAnywhere) and 9% of Q2’s total (MOVEit), adding to the top line of an already steadily increasing victim count. Even without CL0P’s spikes in attack activity, ransomware numbers are still climbing: removing CL0P from the analysis, ransomware is still up 35% since Q1 and 50% since Q4 2022.

[Figure: CL0P leak site victims]

Departing from its usual modus operandi of stealing data and then encrypting files, the group chose only to steal files in these attacks, which made them more nimble, stealthy, and scalable. In addition, by exploiting vulnerabilities proactively rather than waiting for exploits to be publicly released, CL0P gained a quick monopoly on the victim pool.

More Ransomware Gangs 

Another possible explanation for the increase is that there are simply more active ransomware groups. In Q1 2022, Corvus observed 35 groups operating leak sites. This grew 25% through Q2 2023, when Corvus observed 44 active ransomware leak sites. As well-known ransomware groups fractured, their proprietary encryptors leaked on the dark web. This allowed a number of new actors to freely deploy the malware, using it to start their own ransomware operations. Similarly, operators from defunct groups have been observed moving to others or starting their own.

[Figure: Leak sites]

Severity 

It isn’t just more ransomware groups and more victims; ransomware severity is also increasing. According to the payment solution provider Digital Asset Redemption, ransom demands and payments are up in Q2 2023. As with victim counts overall, these numbers may be pulled upwards by CL0P demanding higher ransoms for its MOVEit data theft and extortion attacks.

Average Ransom Demands

  • Q2 2023: $2.51 million
  • Q1 2023: $1.93 million
  • Q4 2022: $863K

Average Ransom Payment Amounts

  • Q2 2023: $608,418
  • Q1 2023: $580,314
  • Q4 2022: $427,012

More ransomware groups extorting more victims and demanding higher ransoms is a perfect storm for both increased frequency and severity of ransomware worldwide. 

Industry Trends

A number of sectors have seen notable and sustained increases in the number of ransomware victims over the past six months, with further spikes in Q2. These increases can be due to a number of factors, two of which are worth mentioning here:

  1. The industry may be seeing intentional targeting by a particular threat actor.
  2. The industry may happen to use a particular technology that comes under active exploitation.

[Figure: Industry increases in Q2]

Industry vs. Technology 

Industry

Intentional targeting can be observed when a ransomware group has a disproportionate number of victims within a specific vertical over a long period of time. ALPHV is an example of deliberate targeting, with the group accounting for 10.44% of all victims in the legal industry from 2021 to 2022.

Vice Society and PYSA are also known to attack higher education, with the groups claiming 16.30% and 15.22% of higher-education victims respectively (prior to 2023).

But industry movement in Q2 was predominantly due to opportunistic attacks, in which threat actors exploit a technology used more in some industries than in others.

Technology

Sudden industry-specific spikes often indicate the exploitation of a particular technology commonly used by certain industries. Many of the industry increases this quarter were due to the popularity of GoAnywhere and MOVEit within certain sectors, which explains why Financial Services and Insurance were most heavily impacted. 
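To make the industry-versus-technology distinction measurable, here is an added Python example (not Corvus’s own tooling) that takes a constructed sample of leak-site postings, computes quarterly victim counts with and without one group (as done above for CL0P), and then scores a group’s share of each industry against its overall share; the group, industry and victim numbers in the sample are placeholders, not report data.

```python
from collections import Counter

# Constructed sample of leak-site postings as (quarter, group, industry, victims);
# illustrative placeholder values only, not Corvus's dataset.
SAMPLE = [
    ("2023Q1", "CL0P", "Financial Services", 2), ("2023Q1", "CL0P", "Insurance", 1),
    ("2023Q1", "LockBit", "Healthcare", 2), ("2023Q1", "LockBit", "Legal", 1),
    ("2023Q1", "LockBit", "Manufacturing", 1),
    ("2023Q1", "ALPHV", "Legal", 2), ("2023Q1", "ALPHV", "Healthcare", 1),
    ("2023Q2", "CL0P", "Financial Services", 2), ("2023Q2", "CL0P", "Insurance", 2),
    ("2023Q2", "LockBit", "Healthcare", 2), ("2023Q2", "LockBit", "Manufacturing", 2),
    ("2023Q2", "LockBit", "Legal", 1),
    ("2023Q2", "ALPHV", "Legal", 3), ("2023Q2", "ALPHV", "Healthcare", 1),
    ("2023Q2", "NewGroup", "Manufacturing", 1), ("2023Q2", "NewGroup", "Healthcare", 1),
]
# Expand to one (quarter, group, industry) record per victim posting.
POSTINGS = [(q, g, i) for q, g, i, n in SAMPLE for _ in range(n)]


def quarterly_counts(postings, exclude=None):
    """Victims per quarter, optionally dropping one group to strip a mass-exploit spike."""
    return Counter(q for q, g, _ in postings if g != exclude)


def pct_change(new, old):
    """Percentage change from old to new, as used for the QoQ and YoY figures."""
    return (new - old) / old * 100.0


def industry_concentration(postings, group):
    """For one group: {industry: (share of that industry's victims, lift)} where lift is
    that share divided by the group's share of all victims. Lift near 1 means the
    group hits the industry in proportion to its overall activity."""
    by_industry = Counter(i for _, _, i in postings)
    group_by_industry = Counter(i for _, g, i in postings if g == group)
    overall_share = sum(group_by_industry.values()) / len(postings)
    return {i: (n / by_industry[i], n / by_industry[i] / overall_share)
            for i, n in group_by_industry.items()}


def sustained_lift(postings, group, industry, threshold=2.0):
    """True if the group's lift in the industry clears the threshold in every quarter;
    a sustained lift points to deliberate targeting, a single-quarter spike to a
    technology that happens to be popular in that industry."""
    quarters = sorted({q for q, _, _ in postings})
    lifts = [industry_concentration([p for p in postings if p[0] == q], group)
             .get(industry, (0.0, 0.0))[1] for q in quarters]
    return all(lift >= threshold for lift in lifts)
```

Running `quarterly_counts(POSTINGS, exclude="CL0P")` alongside the unfiltered counts reproduces the “with and without CL0P” QoQ comparison used in this report on the sample data.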

[Figure: CL0P victim industries]

What's Next

The future is hard to predict but here are two significant developments to keep an eye on:

Frequency 

YoY numbers will likely remain high. Based on the current trajectory, 2023 will likely be a record-breaking year, surpassing both 2021 and 2022 numbers. In the past, the monthly number of ransomware leak site victims exceeded 300 on only three occasions, all in 2021. So far in 2023, monthly ransomware victims posted on leak sites have exceeded 300 for the last five (soon to be six) months in a row. We expect that, despite monthly variation, ransomware numbers in 2023 will remain elevated over prior years with consistent YoY growth. While we may see some ransomware activity decrease in the late summer based on past patterns, a further increase is probable in Q3 to Q4 2023.

More exploitation of file transfer solutions

Expect threat actors to continue exploiting file transfer and storage solutions. The MOVEit campaign (Q2 2023), following GoAnywhere (Q1 2023), marks the third incident in which CL0P has used mass exploits against file transfer solutions, the first being Accellion file transfer appliances in Q1 2021. This is proving to be a profitable approach for an otherwise understated group and may set the trend for other groups looking for ways to gain new victims.

Conclusion

As Q2 2023 draws to a close, the alarming surge in ransomware attacks serves as a stark reminder of the ongoing battle against cybercrime. Threat actors are taking a proactive approach to exploiting new vulnerabilities, and a number of new groups may be signaling even further increases later in the year. As ransomware gangs get even further ahead of the vulnerability curve, vulnerability management is even more crucial for businesses going into H2 2023.

Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.


Corvus analysis was made possible with supporting data from Digital Asset Redemption and eCrime.ch. This report is intended for general guidance and informational purposes only. This report is under no circumstances intended to be used or considered as specific insurance or information security advice. This report is not to be considered an objective or independent explanation of the matters contained herein.
