Change Healthcare Hack: Everything You Need To Know
Change Healthcare experienced a ransomware attack with unprecedented fallout. What happened, and what have we learned?
![[LOGO] Corvus Insurance](https://www.corvusinsurance.com/hubfs/Corvus_Logo_Horizontal(R)%20(4).svg "[LOGO] Corvus Insurance"){kind=logo}
The only thing hotter than the temperatures outside this summer? Ransomware. Here’s what you need to know.
Executive Summary
- Corvus observed 478 new ransomware victims posted to leak sites in July 2023
- A 4.8% increase from the prior month.
- This also represents an 81% increase YoY
- This is the sixth month in a row with a YoY increase in industry wide ransomware victims and the fifth month in a row with victim counts above 300.
- Without the CL0P attacks, July numbers would have shown decreased activity by 17% MoM but an 18% increase YoY. The ongoing CL0P MOVEit extortion campaign accounted for 35% of July’s victims, with 170 victims appearing on CL0P’s leak site.
Analysis Detail
Attack Frequency Trends
July is the sixth month in a row with a YoY increase in ransomware victims and the fifth month in a row with victim counts above 300.
For the third time this year, we’ve seen a record-breaking number of listed companies on leak sites — with 478 new victims in July alone. Attack frequency remained high, with a 4.8% increase from last month, and 81% increase from this time last year.
Activity seemed to spike in March 2023 when prior records were broken, but this was followed by new all-time highs in June. While April and May showed decreased MoM numbers, YoY has stayed inflated well above 2022 levels. With July’s new high of 478, we are well above the typical decreased activity observed in summer.
-1.png?width=2213&height=1245&name=Ransomware%20Victims%20by%20Month(June)-1.png)
July’s high numbers are mostly due to the CL0P ransomware group, which exploited a software vulnerability in MOVEit Managed File Transfer software in June and continues to add victims to their leak site. The group posted over 170 victims in July, which accounted for 35.56% of the industry-wide total of all monthly ransomware victims.
Without CL0P, July’s ransomware count would have stood at 308 victims on leak sites. This would have represented a 17% decline from June (excluding CL0P from June’s total as well) which would more closely match the pattern of decreased ransomware activity seen in the Summer months. However, numbers are still high YoY being 18% above July 2022 and 62% higher than July 2021.
New Ransomware Groups
Group |
Date Discovered |
Victim Count |
| Cactus | July 18, 2023 | 18 |
| Cyclops | July 14, 2023 | 3 |
Corvus Threat Intel Team Notes
Corvus is closely monitoring three trends:
- Mass exploit attacks continue to have a major impact on industry-wide ransomware activity. A single software vulnerability is now the root cause of at least 260 organizations suffering data theft and extortion attacks in 2023.
- Industry-wide ransomware activity in 2023 continues to outpace 2022 levels.
- Based on prior years activity, we expect industry-wide ransomware numbers may see a slight decline in August before climbing again in September.
Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.