Ransomware attacks reached record levels in July 2023, driven by the Cl0p ransomware group’s exploitation of MOVEit software.
In a new report released by NCC Group’s Global Threat Intelligence team, analysts observed a record number of ransomware-related cyberattacks last month, with 502 major incidents tracked. According to the researchers, this represents a 154% increase year-on-year, compared to 198 attacks traced in July 2022.
Also: What is ransomware? Everything you need to know
July’s numbers represent a 16% rise from the previous month, with 434 ransomware incidents recorded in June 2023.
NCC Group says that this record number is due, in no small part, to the activities of Cl0P, a notorious group connected to the exploit of MOVEit software.
Who is Cl0p?
Cl0p, also known or associated with Lace Tempest, was responsible for 171 of 502 attacks in July, many of which are believed to be down to the exploitation of file transfer software MOVEit.
Also: Ransomware has now become a problem for everyone, and not just tech
Cl0p has been around since 2019 and is known as a Ransomware-as-a-Service (RaaS) offering to cybercriminals. Also known as — or associated with — TA505, Cl0p has aggressively pursued high-value targets with the aim of extorting high ransomware payments, and operators will often steal information prior to encryption in what is known as a double-extortion tactic.
If victims refuse to pay up, they risk having their stolen data published online and being named on a public leak site.
The MOVEit exploit
Branded as a “slow-moving disaster,” the MOVEit exploit has impacted hundreds of organizations worldwide, with data belonging to millions of individuals stolen.
In May, Progress Software reported a zero-day vulnerability in the file transfer service, MOVEit Transfer and MOVEit Cloud, which could lead to escalated privileges and potential unauthorized access to customer environments. The problem is that MOVEit is utilized by government agencies and highly-regulated industries, both directly and via software supply chains.
Also: This AI-generated crypto invoice scam almost got me, and I’m a security pro
Alleged victims include the US Department of Energy, Shell, the BBC, Ofcom, the National Student Clearinghouse, and numerous US universities.
Impacted industries
In total, industrial players accounted for 31% of ransomware attacks or 155 recorded incidents.
Industry players include professional and commercial services, manufacturing, construction, and engineering. According to the researchers, professional and commercial services were the most targeted in July, with ransomware gangs Cl0p, LockBit 3.0, and 8Base responsible for 48% of all cyberattacks recorded.
While these sectors have suffered the highest number of ransomware attacks so far this year, consumer cyclicals have ranked second, with 79 attacks — or 16% of the whole in July. This category represents hotels and entertainment, media, retail, homebuilding, the automotive sector, and more.
Also: The best VPN services right now: Expert tested and reviewed
When it comes to technology, ranking third with 72 cases — or 14% of monthly attacks — NCC Group says this industry “has experienced the highest increase in absolute numbers across the top three sectors this month [and] this is likely due to Cl0p’s activity.”
Cl0p was responsible for 39 cyberattacks against the sector, or 54%, and this includes assaults against organizations offering IT and software services, semiconductor suppliers, consumer electronics, and telecommunications services.
New ransomware groups appear on the scene
Following Cl0p, Lockbit 3.0 was ranked as the second-most active ransomware gang in July, being responsible for 50 attacks, or 10%. While this represents a decline of 17% month-on-month, July was also a staging ground for new and rebranded threat actors to make their presence known.
For example, Noescape — believed to be a rebrand of Avaddon, which closed after sending thousands of decryption keys to a media outlet in 2021 — accounted for 16 of the recorded attacks, joining others including 8Base, BianLian, BlackCat, Play, and Cactus.
Also: Industrial networks need better security as attacks gain scale
“Many organizations are still contending with the impact of Cl0p’s MOVEit attack, which goes to show just how far-reaching and long-lasting ransomware attacks can be — no organization or individual is safe,” Matt Hull, Global Head of Threat Intelligence at NCC Group, commented. “This campaign is particularly significant given that Cl0p has been able to extort hundreds of organizations by compromising one environment. Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organizations you work with as part of your supply chain.”