<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1354242&amp;fmt=gif">

While Leaves Fall, Ransomware Rises: Attacks Are Up 5.1% in September

Threat actors are starting Fall off by increasing ransomware numbers. Here’s what you need to know.

Executive Summary

Corvus observed 410 new ransomware victims posted to leak sites in September 2023.

  • A 5.12% increase from the prior month.

  • This also represents a 79.82% increase YoY.

  • This is the ninth month in a row with a YoY increase in industry wide ransomware victims and the seventh month in a row with victim counts above 300.

Analysis Detail 

Attack Frequency Trends

Attacks picked up by 5.12% from August and remained high YoY (79.82% increase). September is the eighth month in a row with a YoY increase in ransomware victims, the sixth month in a row with victim counts above 300, and the fourth month this year with victim counts above 400.

We discovered a leak site in September belonging to a new ransomware group: LostTrustTeam. While the website featured 52 victims, we did not include these in September’s total numbers as we are uncertain when the attacks occurred. However, with their inclusion, September’s total would stand even higher at 462 victims.

Corvus Threat Intel - September 2023 Ransomware - graph 1

This year’s Summer slowdown was shorter and came later than expected. If you blinked, you probably missed it. After two record-breaking months in June and July, ransomware decreased slightly in the first half of August. September shows a notable return to activity for ransomware gangs which, following seasonal patterns will likely continue to increase in Q4.

Corvus Threat Intel - September 2023 Ransomware - graph 2

As we have reported for the past several months, the CL0P ransomware group utilized exploits to amass large numbers of victims, further inflating ransomware numbers for several months out of the year. Their campaign against MOVEit file transfer and storage software appears to have ended with no activity in September. The graph below shows ransomware metrics with CL0P removed from the analysis. While mass exploits add considerably to the total number of ransomware victims, there is a clear trend of steady increases even without CL0P’s outsized contribution. Viewed in this new light, September would actually be the most active month of 2023 without victims from mass exploits. The Q4 increase is also more stark.

Corvus Threat Intel - September 2023 Ransomware - graph 3

New Ransomware Groups

Newly discovered leak sites this month include LostTrustTeam, ThreeAM, and CiphBit.

Date Discovered
Victim Count
LostTrustTeam 9/26/2023 52
ThreeAM 9/14/2023 10
CiphBit 9/12/2023 8

Corvus Threat Intel Team Notes

Corvus is closely monitoring three trends:

  1. Seasonal variation in ransomware shows a Q4 increase.
  2. The Summer decrease in 2023 was later and much less pronounced than usual, given CL0P’s use of a zero-day exploit against MOVEit.
  3. Attack frequency remains high YoY.

Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.

Recent Articles

The Crucial First 48 Hours: Navigating Business Continuity and Disaster Recovery

The actions you take in the first 48 hours of a business disruption set the stage for recovery. Our guide to BCDR can help get you started.

Keep It Real: Avoid Falling for the Rise of Deepfake Phishing Scams

What if you suspected a phishing email, but your CFO confirmed it was legitimate? We'll explore the recent deepfake phishing attack and how to prevent it.

Q4 Ransomware Report: 2023 Ends as a Record-Breaking Year

In this report, we will highlight some more of our findings from Q4 2023 and also look at trends across 2023.