Law practices, government agencies, manufacturing, oil and gas, and transportation, logistics and storage were among the sectors hardest hit by a record-breaking spike in ransomware attack frequency.

Cyber insurer and insurtech Corvus Insurance has issued a report showing ransomware attacks accelerated in the third quarter.

Ransomware attacks continue at a record-breaking pace globally, according to Corvus, with third quarter attack frequency up 11% over the previous quarter and 95% above the prior year quarter.

The latest figures come from Corvus’s Q3 2023 Global Ransomware Report.

In its previous, Q2 report, the Boston-based firm noted a resurgence in global ransomware attacks, which has continued through the third quarter.

With two months remaining in the year, the number of ransomware victims in 2023 has already surpassed what was observed for 2021 and 2022.

If the trajectory continues, 2023 will be the first year with more than 4,000 ransomware victims posted on leak sites, the company said, versus 2,670 in 2022.

Two key factors have driven Q3’s elevated ransomware numbers, the company said.

CL0P mass exploits

The “CL0P” ransomware group has played a major role in this spike in 2023 ransomware activity, Corvus emphasised.

CL0P sprang to life in the first quarter by exploiting “GoAnywhere” file transfer software, which impacted more than 130 victims.

In the second quarter, CL0P struck again with the solo use of a mass zero-day exploit by a ransomware group, targeting a vulnerability in the “MOVEit” file transfer software, Corvus said. This had impacted 264 victims at the time of this report.

The single MOVEit vulnerability accounted for 9% of victims listed in Q2 and 13% of victims listed in Q3. Even without these CL0P spikes in attack activity, ransomware numbers would still be up 5% over Q2 and 70% in Q3 from the same points last year.

Summer cut short

Ransomware typically follows seasonal patterns, with incidents decreasing in early May and remaining low through early August, the firm explained.

Driven by CL0P, this year’s dip in attacks occurred later in June and, rather than continuing to fall, spiked and remained high through the first half of August, Corvus said.

Even without CL0P, ransomware activity would still amount to a 70% year-over-year increase, the firm warned.

“It’s clear that ransomware attacks are on a record-setting pace for 2023, and based on activity at the end of Q3 and early Q4, we fully expect these numbers to surpass anything we have witnessed in previous years,” said Jason Rebholz, chief information security officer, Corvus Insurance.

“Aside from these overall numbers, this report demonstrates the impact that a single ransomware group like CL0P can have when they invest in new tactics, which is what we saw with the mass zero-day exploit that wreaked havoc over the second and third quarters,” Rebholz added.

Sectors in the cross-hairs

The Q3 report also examines which industries experienced the largest spikes in ransomware activity. These included:

  • Law practices – An uptick due in part to the ALPHV ransomware group, which accounted for nearly a quarter of all victims in this industry (+70%).
  • Government agencies – The impetus behind these attacks was LockBit, which tripled its government victims from Q2 to Q3 (mostly cities and municipalities) (+95%).
  • Additional industries that experienced spikes include Manufacturing (+60%), Oil and Gas (+142%), and Transportation, Logistics and Storage (+50%).

“Ransomware actors can quickly pivot their focus, and no industry is immune. There’s no better time to ensure the right security controls are in place to mitigate the threat,” Rebholz added.