<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1354242&amp;fmt=gif">

While Leaves Fall, Ransomware Rises: Attacks Are Up 5.1% in September

Threat actors are starting Fall off by increasing ransomware numbers. Here’s what you need to know.

Executive Summary

Corvus observed 410 new ransomware victims posted to leak sites in September 2023.

  • A 5.12% increase from the prior month.

  • This also represents a 79.82% increase YoY.

  • This is the ninth month in a row with a YoY increase in industry wide ransomware victims and the seventh month in a row with victim counts above 300.

Ransomware Analysis Detail 

Ransomware Attack Frequency Trends

Attacks picked up by 5.12% from August and remained high YoY (79.82% increase). September is the eighth month in a row with a YoY increase in ransomware victims, the sixth month in a row with victim counts above 300, and the fourth month this year with victim counts above 400.

We discovered a leak site in September belonging to a new ransomware group: LostTrustTeam. While the website featured 52 victims, we did not include these in September’s total numbers as we are uncertain when the attacks occurred. However, with their inclusion, September’s total would stand even higher at 462 victims.

[CHART] Ransomware Attack Frequency Month-over-Month Difference & Year-over-Year Difference Jan. - Sep. 2023

This year’s Summer slowdown was shorter and came later than expected. If you blinked, you probably missed it. After two record-breaking months in June and July, ransomware decreased slightly in the first half of August. September shows a notable return to activity for ransomware gangs which, following seasonal patterns will likely continue to increase in Q4.

[LINE GRAPH] Ransomware Victims by Month Jan. 2021 - Dec. 2023

As we have reported for the past several months, the CL0P ransomware group utilized exploits to amass large numbers of victims, further inflating ransomware numbers for several months out of the year. Their campaign against MOVEit file transfer and storage software appears to have ended with no activity in September. The graph below shows ransomware metrics with CL0P removed from the analysis. While mass exploits add considerably to the total number of ransomware victims, there is a clear trend of steady increases even without CL0P’s outsized contribution. Viewed in this new light, September would actually be the most active month of 2023 without victims from mass exploits. The Q4 increase is also more stark.

[LINE GRAPH] Ransomware Victims by Month - Without CL0P Jan. 2021 - Dec. 2023

New Ransomware Groups

Newly discovered leak sites this month include LostTrustTeam, ThreeAM, and CiphBit.


Date Discovered

Victim Count


9/26/2023 52


9/14/2023 10


9/12/2023 8

Corvus Threat Intel Team Notes

Corvus is closely monitoring three trends:

  1. Seasonal variation in ransomware shows a Q4 increase.
  2. The Summer decrease in 2023 was later and much less pronounced than usual, given CL0P’s use of a zero-day exploit against MOVEit.
  3. Attack frequency remains high YoY.

Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.

Recent Articles

Handling Cyber Objections: 'Cyber Insurance Is Too Expensive'

Clients may be quick to object to the cost of cyber insurance, but we'll unpack the real 'bang for your buck' argument to cyber coverage.

Cyber and Construction: Laying Groundwork to Combat Digital Threats

The construction sector is facing urgent cybersecurity challenges. Learn more about unique risks and how creative underwriting solutions can help.

Cyber Insurance for Small Businesses: BOP vs. Standalone Cyber

Is a BOP with a cyber extension enough to protect SMBs? Walk your clients through which coverages to look for to stay financially protected.