Threat actors broke another record. Here’s what you need to know.
Corvus observed 456 new ransomware victims on leak sites in June 2023, 38% higher than May 2023.
Attacks were well above the normal levels observed in June with a 179% increase YoY.
Another CL0P campaign inflated the numbers with 91 victims associated with the MOVEit vulnerability. Even without the CL0P attacks, June saw increased activity by 13% MoM.
Ransomware Attack Frequency Trends
Ransomware broke another record for the second time in the last few weeks with June having the highest number of listed companies on leak sites ever recorded. Attack frequency remains high, with a 38% increase from last month and a 179% increase from this time last year.
After breaking a prior record in March of 2023, ransomware victims decreased MoM but stayed inflated YoY. Bucking the typical trend which sees a decrease in ransomware in the Summer months, June bounced back to break March’s prior record with 452 new ransomware victims listed on leak sites.
This is the fifth month in a row with a YoY increase in ransomware victims and the fourth month in a row with victim counts above 300.
Much of June’s spike is due once again to the CL0P ransomware group, which repeated a page from its playbook to exploit another software vulnerability en masse that included over 90 victims. This is what also led to such a spike in March 2023 as well when the same group exploited and listed over 100 victims in a single month. In June, CL0P alone accounted for 19.61% of the total listed victims for the month, out of 29 active ransomware groups.
Without CL0P’s campaign, the total for the month would still stand at 373, a 13% increase over the prior month and a 128% increase YoY.
New Ransomware Groups
Newly discovered leak sites this month include Blacksuit, NoEscape, and Rhysida.
Corvus Threat Intel Team Notes
The number of ransomware victims on the dark web listed in June 2023 continues the alarming increase trend. This marks the fourth month in a row with more than 300 victims listed on leak sites, showing ransomware at a scale never seen before. A decrease is usually observed during the Summer months but large-scale campaigns such as those carried out by CL0P has prevented that. But even without CL0P, numbers remain much higher than normal.
Corvus will continue to monitor the threat landscape to protect insureds and contribute to the collective defense of the community.
This report is intended for general guidance and informational purposes only. This report is under no circumstances intended to be used or considered as specific insurance or information security advice. This report is not to be considered an objective or independent explanation of the matters contained herein.