MOVEit Exploitation Fallout Drives Record Ransomware Attacks

Ransomware attacks hit record levels in July 2023, driven by the Clop gang’s exploitation of the MOVEit vulnerability, according to NCC Group’s Threat Intelligence team.

The researchers observed the largest volume of ransomware attacks in a single month in July, at 502. This represents a 154% year-on-year rise compared to July 2022, and a 16% increase on the previous month, June 2023.

The report found that the notorious Clop group was responsible for 171 of the 502 ransomware attacks in July (34%), after successfully targeting global organizations via the MOVEit file transfer flaw that emerged in May 2023. The vulnerability was disclosed on May 31, with a patch deployed on the same day.

A number of household names have been affected by the zero-day vulnerability, including the BBC, BA, Boots and the government of Nova Scotia, leading to millions of end users’ data being compromised.

The second most active threat actor in July was Lockbit 3.0, responsible for 50 (10%) of attacks.

Additionally, the researchers observed activity from new threat actors following the reinvention and rebranding of existing groups. This includes Noescape, believed to be a rebrand of Avaddon, which accounted for 16 attacks in July.

Most Impacted Verticals

The report found that industrial organizations were most heavily targeted by ransomware in July, accounting for 155 (31%) of attacks. This was followed by consumer cyclicals (16%) and technology (14%).

Over half (55%) of attacks targeted the North America region, which was a small increase from June 2023 (51%). Europe was the next most targeted by ransomware, experiencing 43 attacks (8.5%), followed by Asia (7%).

Matt Hull, Global Head of Threat Intelligence at NCC Group, commented: “Record levels of ransomware attacks in July, topping the previous spike in June, demonstrate the continued evolving and pervasive nature of the threat landscape globally. We are still seeing many organizations are still contending with the impact of Clop’s MOVEit attack, which goes to show just how far-reaching and long-lasting ransomware attacks can be – no organization or individual is safe.”

Earlier in August, Comparitech provided insights on the enormous global costs of ransomware attacks on the manufacturing sector in the first half of 2023.