Record levels of ransomware attacks observed in July, up 153% from 2022

Aug. 22, 2023
The findings mark a 154% increase year-on-year (198 attacks in July 2022), and a 16% rise on the previous month (434 attacks in June 2023).

  • Threat actor Cl0p was responsible for 171 of 502 attacks in July, following the successful exploitation of the MOVEit vulnerability
  • Industrials (31%), Consumer Cyclicals (16%) and Technology (14%) were the most targeted sector
  • North America (55%) was the most targeted region, followed by Europe (28%) and Asia (7%)

July 2023 saw record levels of ransomware attacks carried out, with 502 observed by NCC Group’s Global Threat Intelligence team throughout the month. The findings mark a 154% increase year-on-year (198 attacks in July 2022), and a 16% rise on the previous month (434 attacks in June 2023).

Cl0p continues to dominate following MOVEit exploitation

It comes as we continue to witness the fall-out from Cl0p’s exploitation of the MOVEit vulnerability, a file transfer software, in June this year. The Russian-speaking group remained the most active threat group in July, responsible for 171 of 502 (34%) of ransomware attacks. So far, it is believed that nearly 500 organizations and millions of individuals have been affected by the attack.

It has been noted by some in the industry that the attack and its wide-scale impact marks a shift in the ransomware model. Cl0p’s focus was on extorting data from MOVEit’s environment, using this to extort implicated organizations.

Lockbit 3.0 ranked as the second most active threat actor in July, responsible for 50 (10%) attacks. It represents a decline of 17%, as compared with 60 attacks in June.

Outside of the top spots, July witnessed activity from a number of new threat actors, following the reinvention and rebranding of existing groups. Specifically exploiting VPN vulnerabilities, Noescape, believed to be a rebrand of Avaddon, has moved into the top ten most active groups, accounting for 16 (3%) of the total monthly attacks in July.

Industrials suffers highest number of attacks so far in 2023

Industrials continued to be the most targeted sector for ransomware attacks in July with 155 (31%) of 502 attacks. It represents an 8% increase in volume and the highest number of attacks within the sector in 2023. Given that a number of organizations operating within industrials hold critical information or intellectual property (IP), it remains an attractive target for threat groups.

Consumer cyclicals ranked in second place with 79 cases, accounting for 16% of the overall monthly attacks. Technology was the third most targeted sector in July with 72 attacks, or 14% of the monthly total.

North America remains the most targeted for attack

North America was the most targeted region in July, experiencing 274 (55%) of all ransomware attacks – an increase from 51% of total attacks in June. Europe was the second most targeted region, experiencing 43 attacks in July, an increase from 27 (23%) from June and Asia ranked in third, witnessing a total of 36 attacks (7%) in July.

Spotlight: Rising threats in the financials sector

In July, professional and commercial services were the most targeted within the industrial sector. In the last month the top three threat actors, Cl0p, LockBit 3.0, and 8Base were responsible for 48% (74 cases total) of attacks against industrials.

The financials sector has continued to be a top target for threat actors, particularly from state sponsored groups such as North Korea’s Lazarus and organized crime groups like FIN7. The sector is facing increasingly sophisticated and mature attacks as a result of it being such an attractive target. It is vital that organizations within the sector remain vigilant against attacks to stay one step ahead of the numerous threat groups that are seeking to exploit the space.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “Record levels of ransomware attacks in July, topping the previous spike in June, demonstrate the continued evolving and pervasive nature of the threat landscape globally. We are still seeing many organizations are still contending with the impact of Cl0p’s MOVEit attack, which goes to show just how far-reaching and long-lasting ransomware attacks can be – no organization or individual is safe.

“This campaign is particularly significant given that Cl0p has been able to extort hundreds of organizations by compromising one environment. Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organizations you work with as part of your supply chain.

“Alongside established players, like Cl0p and Lockbit 3.0, we’re also seeing the growing influence of new groups. They are introducing new tactics, techniques and procedures, underscoring how important it is for organizations to remain up-to-speed with changes in the threat landscape.”