In March 2023, cybersecurity analysts observed the most extensive and frequent ransomware attacks of recent years, with an increase of 91% from the previous month and 62% from the previous year. NCC Group compiled a data-driven report stating that the surge in attacks was due to a vulnerability called CVE-2023-0669. The Clop ransomware gang exploited this zero-day vulnerability in Fortra’s GoAnywhere MFT secure file transfer tool, leading to data theft from around 130 companies in just ten days.
Increased Ransomware Attacks in Q1 2023
The trend of rising attacks observed by NCC Group since the beginning of 2023 continued in March, with the highest number of hack and data leak incidents recorded in three years. There were a total of 459 attacks recorded in March 2023, performed by various ransomware groups.
These groups include Royal ransomware, BlackCat (ALPHV), Bianlian, Play, Blackbasta, Stormous, Medusa, and Ransomhouse. Out of these groups, the Clop ransomware gang performed the most significant number of attacks last month, totaling 129 attacks. Thus, Clop topped NCC Group’s graph with the most active ransomware gangs for the first time in its operational history.
Clop’s exploitation of CVE-2023-0669 replaced LockBit 3.0, which recorded 97 attacks, to second place in the ranking of most active ransomware gangs, which it held for a second time since September 2021. And it wasn’t the first time that Clop performed an attack that put it on the top. In early 2021, it leveraged a zero-day vulnerability in Accellion’s legacy File Transfer Appliance (FTA), leading to over 100 victims.
The Targeted Sectors and Industries of ransomware attacks
Out of the 459 recorded attacks in March 2023, the “Industrials” sector accounted for 32% or 147 ransomware attacks. The sector includes:
- Professional and commercial services,
- Machinery
- Tools
- Construction
- Engineering
- Aerospace
- Defense
- Logistics
- Transport services, and many more.
The second most targeted sector was “Consumer Cyclicals.” It encompasses construction supplies, specialty retailers, hotels, automobiles, media & publishing, household goods, etc.
In addition, other sectors received significant attention from ransomware gangs. These sectors are “Technology,” “Healthcare,” “Basic Materials,” “Financials,” and “Educational Services.” It is essential to note that these attacks are considered opportunistic rather than targeted.
Importance of Applying Security Updates
The recorded activity spike in March 2023 highlighted the importance of applying security updates. This helps to mitigate potentially unknown security gaps like zero days, implementing additional measures, and monitoring network traffic and logs for suspicious activity promptly.
The three most active ransomware groups in March 2023, namely Clop, LockBit, and Royal, primarily targeted companies within the “Industrials” sector. However, Clop and LockBit directed a considerable amount of their efforts toward the “Technology” sector.
Ransomware Attacks Victim’s Location
Of the 459 ransomware attacks recorded in March 2023, 221 breaches occurred in North America. In contrast, 126 episodes and 59 ransomware attacks occurred in Europe and Asia, respectively.
In conclusion, the surge in ransomware attacks demands immediate action to secure the digital data and infrastructure of organizations worldwide. Hence, organizations must take necessary measures like timely updates of security systems, vigilant monitoring of network activities and logs, and creating awareness among employees to prevent and mitigate the risks of such attacks.
