Ransomware is up 51% from this time last year. Here’s what you need to know.
Corvus observed 329 new ransomware victims on leak sites in May 2023, 51% higher than May 2022.
Attacks were slightly lower than April (7%) however, this follows a seasonal decrease from April to May also seen during prior years.
Ransomware attacks against government and higher education have increased 60% and 50% since April, respectively.
Attack Frequency Trends
Attacks remain high in May 2023, with a 51% increase from this time last year and an 11% increase from this time two years ago. May saw a slight decrease of 7% from April, however, this follows a pattern of slight seasonal decrease going into the Summer months. This pattern has been observed over the past two years as well.
We discovered a leak site in May, belonging to a new ransomware group: 8Base. While the website featured 67 victims, we did not include these in May’s total numbers as we are uncertain of when the attacks occurred. However, with their inclusion, May’s total would stand at 396 victims, the second-highest month on record.
Even without the additional victims from 8Base, data drawn from our threat intelligence sources (not based on claims activity within Corvus’s own book of business) show that May 2023 remains inflated well above levels observed over the past two years. This is the fourth month in a row with a YoY increase in ransomware victims and the third month in a row with victim counts above 300, which is uniquely alarming.
The month-over-month change may be variable, especially given outliers as striking as the CL0P GoAnywhere campaign in March. But don’t be fooled, May 2023 remains high. For context, monthly dark web leak site victims only spiked above 300 on three occasions in 2021 (March, October, and November 2021). In 2023, we’ve already reached victim counts above 300 three months in a row (March, April, and May) and we’re not even halfway through the year.
One question at the front of our minds is — why the increase?
One possible explanation is that the number of active ransomware groups is increasing. Several major ransomware groups have shut down and had their toolkits leaked on the dark web. There are more small-scale operations taking their place, many using the leaked malware from larger, more established groups. For example, the Babuk ransomware gang’s malware leaked in 2021 and has been used by at least 10 unique groups since that time.
Industry Victim Trends
Government experienced a 60% increase and Higher Education experienced a 50% increase compared to April 2023. Both government and education have proven to be desirable targets for ransomware groups over time. In addition, recent critical vulnerabilities such as (CVE-2023-27350) affecting PaperCut printing software were quickly exploited by several ransomware gangs and are heavily used by colleges, universities, and government offices. Victims from this month were exploited by a number of groups including Lockbit 3.0, Royal, and Nokoyawa.
New Ransomware Groups
Newly discovered leak sites this month include Rancoz, MalasLocker, 8Base, Darkrace.
Corvus Threat Intel Team Notes
The number of ransomware victims on the dark web listed in May 2023 continues the increased YoY trend. This marks the third month in a row with more than 300 victims listed on leak sites, a feat only achieved over the entirety of 2021. While May saw a modest overall decrease from April, this follows what appears to be a seasonal trend heading into Summer with relative MoM declines taking place during the same time period in prior years.
A greater number of ransomware groups, as evinced through more active leak sites, may be partially to blame for the YoY increase. With leaked malware readily available, this has lowered the barrier to entry for threat actors looking to operate on their own. In addition, operators from well-known groups that have shut down over the past few months have demonstrated tenacity by starting their own splinter groups and remaining consistently active over time.
Looking to the future, the Summer months may see further decline following a seasonal pattern observed in past years, however, it is likely to maintain a high YoY increase, possibly remaining at or near the 300 victim threshold. With past data as our guide, ransomware typically picks back up again in late Q3 heading into Q4.
Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.