Q3 Ransomware Report: Global Ransomware Attacks Up Over 95% in 2022

Key Takeaways

• Global ransomware frequency continues to climb. Corvus observed an 11.22% QoQ increase in Q3 and a 95.41% increase YoY on leak sites.

• The limited use of mass exploits has a noticeable impact on overall ransomware. Expect this to continue. 

  • In Q2, the CL0P ransomware group’s use of a zero-day vulnerability in MOVEit file transfer software accounted for 13% of all ransomware victims in Q3.

• Without CL0P activity, Q3 would still be a 5% increase in ransomware QoQ and 70% increase YoY.

• Following seasonal ransomware patterns, expect attack velocity to climb in Q4.

  • While we usually see ransomware decline in the Summer months, this year’s decrease was later and shorter than normal.

• Attacks are increasing against law firms and municipalities.

Introduction

2023 has been a record-breaking year for ransomware, as Corvus has detailed in our previously published Q2 report. Q3 saw a further increase with 1,278 victims observed on ransomware leak sites. 

This is an 11.22% increase over Q2 and a steep 95.41% increase YoY.

So far, 2023 ransomware victim numbers have already surpassed what was observed for the entirety of either 2021 or 2022. If things continue on the current trajectory, this could be the first year with over 4,000 ransomware victims posted on leak sites.

Keep in mind this is only a partial picture; victims posted on leak sites typically don’t pay or delay paying a ransom. But a significant percentage of victims, with best estimates being between 27% - 41%, quickly pay threat actors’ demands and thus are never observed on a leak site. 

That means that the total number of ransomware victims might range somewhere between ~5,500 - 7,000 total businesses in 2023.

Factors Contributing to the Global Ransomware Surge 

As we approach the end of the year, ransomware continues to climb. Corvus observed two key factors that have contributed to elevated numbers during Q3: the CL0P ransomware group and an unusually brief “summer break” from ransomware. 

CL0P Mass Exploits Peaked

Usually fairly quiet, CL0P sprung to life in Q1 by exploiting GoAnywhere file transfer software, impacting over 130 victims. In Q2, they followed up with the mass exploitation of a zero day vulnerability in MOVEit file transfer software totaling 264 victims at the time of this report. The single MOVEit vulnerability accounted for 9% of Q2’s total and 13% of victims in Q3, which contributed significantly to a steadily increasing victim count. 

But even without CL0P, ransomware numbers would be up 5% QoQ and 70% YoY in Q3. 

The graph below highlights the impact of a single group, especially one that was once relatively quiet. 

Prior to 2023, CL0P made up only a sliver of total ransomware victims. Now, they comprise a considerable share of the total. One ransomware group can shatter records with a single opportunity of mass exploitation. 

Notice the trajectory of the grey bars — representing the active ransomware groups besides CL0P — which increase steadily throughout 2023. Even independent of CL0P’s outsized contribution, ransomware activity is rising.

So far this year, each quarter is higher than the last. And based on seasonal patterns, Q4 will likely be even worse than Q3.

An Unusually Long Summer Break

For the past several years, ransomware largely follows seasonal patterns. Cybercrime is perpetrated by human attackers, who need to blow off some steam and spend that stolen cash, sometimes on lavish vacations. 

Typically a decrease in ransomware takes place during the Summer months. In 2023, that decrease came later and was much shorter than we typically observe. As shown on the graph below, a downward trend in activity usually starts in May and lasts until early August before climbing again for the duration of Q3 and into Q4. 

This year, there was a decrease in June as expected. But then ransomware spiked until the end of July and the first half of August.

If you blinked, you might have missed any respite in activity. While CL0P’s mass exploit led to an increase in absolute numbers, the rest of the incumbent groups you’re familiar with took a small step back during the Summer. 

LockBit and ALPHV (BlackCat) each slashed their posted leak site victims by about 50% from April to July 2023. Late Q3 and early Q4 numbers show ransomware groups getting back on track to cause more havoc in Q4.

Industry Trends

In Q3, several industries experienced a significant increase in ransomware attacks. This includes: law firms, government agencies, manufacturing, medical practices, and oil and gas.

• Law Practices: +70%

  • Much of this is due to the ALPHV ransomware group. This group accounted for nearly a quarter of all victims in this industry (23.53%). ALPHV’s appetite for law firms is seen across multiple countries being their top exploited industry in the U.S., Canada, and the U.K., and is among the top in Australia.

• Government: +95%

  • LockBit tripled their government victims from Q2 - Q3 (mostly cities or municipalities). The Stormous ransomware group also attacked the government of Cuba which contributed to this total.

• Oil and gas: +142%

• Manufacturing: +60%

Conclusion

Ransomware continues its upward climb — and Q3 shattered precedent for the highest quarter on record. The impact of a single group and even a single zero-day vulnerability is evident as CL0P separated itself from the pack by extorting a large number of businesses in a short period of time. 

Because of this mass exploit, the typical decrease in Summer ransomware came later and didn’t last as long. But even setting aside CL0P, it’s business as usual for the rest of the ransomware ecosystem. And business is good.

If history is any guide, we’ll likely see this upward momentum continue in Q4.

Methodology 

The data for this report is collected from ransomware leak sites. These are websites on the dark web maintained by ransomware groups where they will list uncooperative victims and post stolen data. Relying on regular crawls of these dark web leak sites, Corvus is able to continually monitor for insureds and partners but also uses the aggregated data for these analyses.

As with most other datasets in existence, this is an incomplete picture of all ransomware attacks. Victims who quickly comply with threat actors’ demands and quietly pay a ransom have a much lower likelihood of appearing on a leak site and therefore would not be measured in our assessments of ransomware velocity. There will always be a percentage of attacks that are unknown.

However, leveraging our data combined with insights from partners, and others in the industry, we can paint a comprehensive picture of the ransomware landscape and draw valid insights.

Corvus analysis was made possible with supporting data from eCrime.ch. This report is intended for general guidance and informational purposes only. This report is under no circumstances intended to be used or considered as specific insurance or information security advice. This report is not to be considered an objective or independent explanation of the matters contained herein.