Q2 2023 Ransomware Report: Victim Count Hits New Heights
July 2023 by ReliaQuest
The second quarter of 2023 was prolific for ransomware groups, with several notable newcomers and records shattered. Following the previous quarter’s record-breaking numbers, Q2 2023 saw another large surge in organizations named on double-extortion ransomware data-leak websites. We also observed one of the most serious ransomware campaigns ever recorded.
ReliaQuest’s Threat Research Team monitors the activity of ransomware groups and their data-leak sites. Our quarterly ransomware report gives the big picture of that activity in Q2 2023; below, we offer just the highlights of the quarter’s emerging trends and developments.
Clop and the MOVEit Compromise
The most impactful ransomware-related event was the "Clop" ransomware gang’s exploitation of a zero-day vulnerability (CVE-2023-34362) in the MOVEit Transfer software. Clop claimed to have stolen the data of hundreds of companies and began naming victims on June 14, 2023—89 MOVEit victims were publicized in June alone. Since then, that number has crept close to 260, making this one of the largest extortion campaigns by a ransomware group we’ve ever observed.
Clearly, Clop’s unique approach to targeting enterprise file-transfer software/platforms has been effective. The group began exploiting vulnerabilities in such products in December 2020, breaching more than 100 companies through a zero-day vulnerability in Accellion file-transfer software. In February 2023, the group took responsibility for another such campaign, targeting GoAnywhere software and compromising over 130 organizations.
The MOVEit campaign was undoubtedly Clop’s largest and most impactful, compromising multiple large companies. The move towards single-extortion attacks—avoiding data encryption and focusing solely on data theft—is a unique ransomware-group trend that may become common among other groups. For more information on Clop and the MOVEit campaign, check out our blog covering the campaign.
Malas and the Zimbra Compromise
In March 2023, users began noticing that their Zimbra servers had become encrypted and the new “Malas” ransomware gang had left ransom notes in encrypted folders. The notes detailed an unusual demand: make a donation to a nonprofit organization that the attackers approved of. A donation would mean access to a decrypting tool and a promise not to leak the data—demands more closely aligned with hacktivism than traditional ransomware extortion. Malas’s campaign is just one example of how the lines dividing cybercriminals, nation-state threat actors, and hacktivists are becoming more difficult to distinguish.
In mid-May 2023, Malas launched a dark-web data-leak site and immediately named 169 affected companies, the second-highest victim count of any group in Q2 2023. The group only exposed the configuration files of victims’ Zimbra servers, which likely resulted in a low impact. By comparison, Clop placed fifth in terms of victim numbers but made the greatest impact with MOVEit.
Record Number of Victims
In the second quarter of 2023, close to 1,400 organizations were named on ransomware and data-extortion websites. This marked a substantial increase (66%) from Q1 2023, which saw close to 850 affected organizations. What makes this increase even more impressive is that Q1 2023 had set the record for the most victims we ever recorded, but Q2 2023 shattered that record with 500 more. The number of organizations being named on ransomware websites has more than doubled over the past two quarters, highlighting a sudden growth in ransomware operations.
As expected, other records were broken in the past quarter. May 2023 is now the month with the highest number of ransomware victims we have ever recorded. Close to 600 organizations were named to ransomware data-leak sites in May: a 46.7% increase from the previous record in March 2023. The high count in May was driven by the ransomware groups Malas and “8Base” naming a lot of affected organizations shortly after launching their data-leak sites.
Extortion Attacks Scarce
With regard to extortion-only gangs, few organizations were named on data-leak sites. Even so, there was a noticeable rise compared to Q1 2023, but it was likely caused by natural deviations in quarterly numbers. The “Karakurt Hacking Team” was the most active extortion-only group, making up close to 95% of victims.
We can’t end the discussion of extortion-only attacks without noting that Clop hasn’t deployed ransomware in any of its file-transfer software attacks (Accellion, GoAnywhere, or MOVEit). Instead, Clop simply stole data and threatened to publicly release it if victims didn’t make ransom payments. By skipping encryption, Clop could conduct attacks much faster and more efficiently, targeting hundreds of companies at once.
In extortion-only attacks, ransomware groups don’t always leave ransom notes, so attacks can be harder to detect. Instead, threat actors typically reach out to affected organizations via email or other channels, making them aware of the breach and the ransom demand. Clop has taken an even less traditional approach in its latest MOVEit campaign: requesting that victims contact Clop if they have been compromised. This puts the burden on the companies to figure out whether they have been breached.
Who Was Targeted?
The US remained the country most targeted by ransomware groups, by a wide margin. Nearly half of all companies named on data-leak sites in Q2 2023 operated in the US. Following the US were the UK, Germany, Canada, and France—the same five countries targeted most in Q1 2023, but with slight shifts, such as Germany rising to third place from fifth. The appeal of those five countries likely lies in their numerous wealthy organizations: typical targets for ransomware groups.
The sectors most targeted changed slightly in Q2 2023. The professional, scientific, and technical services sector was the most popular, comprising 20.2% of all the affected organizations. The manufacturing sector closely followed, with 19.6%. The remaining sectors in the top five were finance and insurance, healthcare and social assistance, and construction. Healthcare remained a popular target despite many ransomware groups claiming to avoid targeting that sector; this trend has persisted since Q1 2023.
Our full quarterly ransomware report offers:
• Comprehensive analysis of ransomware activity in Q2 2023
• Intelligence on the most active ransomware groups this quarter, including background information; tactics, techniques, and procedures (TTPs); and notable events
• MITRE ATT&CK techniques to provide insight into the TTPs used by top ransomware groups
• Breakdown of ransomware targeting, by sector and country
• Detection recommendations to mitigate ransomware-related activity
• General recommendations to protect against ransomware
• Ways to protect yourself against ransomware with help from ReliaQuest