<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1354242&amp;fmt=gif">

Record Ransomware Attacks: 6 Month Upward Trend Continues in July

The only thing hotter than the temperatures outside this summer? Ransomware. Here’s what you need to know.

Executive Summary 

  • Corvus observed 478 new ransomware victims posted to leak sites in July 2023 
    • A 4.8% increase from the prior month.
    • This also represents an 81% increase YoY
    • This is the sixth month in a row with a YoY increase in industry wide ransomware victims and the fifth month in a row with victim counts above 300.
    • Without the CL0P attacks, July numbers would have shown decreased activity by 17% MoM but an 18% increase YoY. The ongoing CL0P MOVEit extortion campaign accounted for 35% of July’s victims, with 170 victims appearing on CL0P’s leak site.

Analysis Detail 

Attack Frequency Trends

July is the sixth month in a row with a YoY increase in ransomware victims and the fifth month in a row with victim counts above 300.

For the third time this year, we’ve seen a record-breaking number of listed companies on leak sites — with 478 new victims in July alone. Attack frequency remained high, with a 4.8% increase from last month, and 81% increase from this time last year. 

Activity seemed to spike in March 2023 when prior records were broken, but this was followed by new all-time highs in June. While April and May showed decreased MoM numbers, YoY has stayed inflated well above 2022 levels. With July’s new high of 478, we are well above the typical decreased activity observed in summer.

Total Posted Victims Difference-1

Ransomware Victims by Month(June)-1

July’s high numbers are mostly due to the CL0P ransomware group, which exploited a software vulnerability in MOVEit Managed File Transfer software in June and continues to add victims to their leak site. The group posted over 170 victims in July, which accounted for 35.56% of the industry-wide total of all monthly ransomware victims. 

CL0P Leak Site Victims-2

Without CL0P, July’s ransomware count would have stood at 308 victims on leak sites. This would have represented a 17% decline from June (excluding CL0P from June’s total as well) which would more closely match the pattern of decreased ransomware activity seen in the Summer months. However, numbers are still high YoY being 18% above July 2022 and 62% higher than July 2021. 

New Ransomware Groups

 Date Discovered
 Victim Count
Cactus July 18, 2023 18
Cyclops July 14, 2023 3


Corvus Threat Intel Team Notes

Corvus is closely monitoring three trends:

  1. Mass exploit attacks continue to have a major impact on industry-wide ransomware activity. A single software vulnerability is now the root cause of at least 260 organizations suffering data theft and extortion attacks in 2023.
  2. Industry-wide ransomware activity in 2023 continues to outpace 2022 levels.
  3. Based on prior years activity, we expect industry-wide ransomware numbers may see a slight decline in August before climbing again in September.

Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.

Recent Articles

Change Healthcare Hack: Everything You Need To Know

Change Healthcare experienced a ransomware attack with unprecedented fallout. What happened, and what have we learned?

Women in Cyber: Advice from the Field

In honor of Women’s History Month, we connected with women making significant contributions to cyber for career advice, lessons from the field, and more.

Law Enforcement Can Help in a Cyber Crisis — But Prevention is Even Better

Law enforcement is thwarting threat actors on the dark web, but how can organizations lay a strong security foundation (with or without the FBI's help?).