Ransomware is up 24% from this time last year. Here’s what you need to know.
Corvus observed 356 new ransomware victims on leak sites in April 2023, continuing the trend of YoY increase in attacks.
Attacks increased 24% YoY in April 2023 but were 21% lower than the record-breaking prior month. However, excluding CL0P’s GoAnywhere numbers last month, April 2023 would be a 2% increase over March.
Ransomware attacks against financial services and insurance companies have increased 300% and 266% since the start of 2023, respectively.
Attack Frequency Details
After reporting a peak in ransomware victims last month, attacks remain high in April 2023. In absolute numbers, April saw fewer victims than the prior month. However, April 2023 totals are 24% higher than this time last year and 15% higher than two years ago. As we reported earlier, March 2023 was a record-breaking month due in part to one ransomware gang, CL0P, which compromised over 100 victims through a single vulnerability. Excluding their contribution, April 2023 would actually be a slight increase of 2% over March numbers.
Data drawn from our threat intelligence sources (not based on claims activity within Corvus’s own book of business) show that April 2023 was the third-highest month for recorded ransomware victims over the past two years. This is the fourth month in a row with a YoY increase in ransomware victims, showing a definite upward trend in ransomware as we move further into Q2.
For an analysis of the
The LockBit ransomware group alone was responsible for nearly 30% of April’s total leak site victims. It was followed by AlphVM, BlackBasta, and Royal, which together make up roughly another 30% of April’s total.
Last month, we observed the CL0P ransomware gang in the number one spot, ahead of the LockBit group. As we showed, this was outside the norm for CL0P based on historical behavior. It was the result of a campaign in which the group compromised over 130 organizations by exploiting vulnerable GoAnywhere file transfer software and then began publishing victims en masse on its leak site. CL0P has returned to its typical posting activity in April.
Since rebranding as LockBit 2.0 in the summer of 2021, the LockBit ransomware group has emerged from relative obscurity and consistently remained one of the most active cybercrime groups over the past two years. The group continually innovates and is now on version 3.0 of its malware. Recently, it was even seen rolling out a macOS version of its encryptor, which is uncommon among ransomware groups.
Industry Victim Trends
Financial Services was one of the most exploited industries in April 2023, seeing the highest number of victims over the last two years. The number of victims represents a 300% increase since the start of the year.
Insurance companies saw their highest number of victims in April 2023 with a 266% increase compared to the start of the year. Insurance was the 6th highest observed industry in April’s dark web leak site data, up from 11th in March 2023. These insurance companies range from brokerage firms to automotive insurance to property and casualty insurance. Geographically, 54% of these companies are located in the United States with others in Germany, Venezuela, Cameroon, Chile, and Egypt. Of April’s insurance victims, 36% were claimed by the AlphVM ransomware group.
Education has been a particularly hot topic in cybersecurity as an increasing number of school districts and universities experience high-profile ransomware attacks. Data across time shows an interesting correlation with typical school schedules, with a marked decrease during the summer months when classes are typically not being held.
Corvus Threat Intel Team Notes
Ransomware victims on the dark web continue to increase from last year, clearly indicating a trend. Even without a campaign as large as CL0P’s last month, April numbers indicate activity above what was seen during this time last year and two years ago. While seasonal variation in ransomware activity is to be expected, 2023 seems likely to remain inflated going into Q2. Looking at historical data, there may be a decrease in victims in May and June, but we are on track to remain above last year and possibly 2021.
Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.