September Saw Record Number of Ransomware Attacks
Ransomware groups stepped up their attacks in September according to data recently published by NCC Group. At least 514 ransomware attacks are known to have been conducted in September, which represents a 32% month-over-month increase in attacks.
Every month in 2023 has seen more attacks conducted than the corresponding month in 2022, with September’s attacks conducted in record numbers, even more than the 502 attacks in July and the March 2023 spike in activity, which included the Clop group’s mass exploitation of the zero-day vulnerability in Fortra’s GoAnywhere MFT solution. To add some perspective, September saw a 153% increase in attacks from September 2022. NCC Group had previously predicted that 2023 could end with more than 4,000 known ransomware/data leak-extortion attacks, but the high number of September attacks could see that total surpassed well before the end of the year.
While a small number of threat actors usually account for the vast majority of attacks, that was not the case in September. NCC Group reports a significant increase in the number of active ransomware groups, with several new groups conducting large numbers of attacks. There were 76% more active ransomware groups in September 2023 compared to September 2022, which suggests ransomware attacks continue to be profitable and are unlikely to reduce any time soon.
One of the main threat groups that typically features in the top 3 is Clop, and while the group has been highly active in 2023, it only conducted 3 known attacks in August and there were no known attacks in September. While it is not unusual to see a lull in activity, especially after such a major mass exploitation campaign, it is unlikely to last long. NCC Group expects the group to return with another mass exploitation campaign soon. Two notable new ransomware groups appeared in September that hit the ground running. LostTrust was behind 9% of the month’s attacks, and RansomedVC accounted for 10%.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
RansomedVC, like 8base, claims to consist of penetration testers that only attack organizations that demonstrate a lack of attention to security. In addition to attacking organizations, RansomedVC threatens to report any vulnerabilities it exploits to data protection authorities in the EU as violations of the General Data Protection Regulation (GDPR) to pile pressure on victims to pay up.
As was the case in August, Industrials was the most targeted sector, accounting for 33% of all known attacks, followed by consumer cyclicals, and technology, with healthcare in fourth place. There was a significant increase in attacks on healthcare organizations in September, with 18 more attacks than the previous month – an increase of 86%. The most active ransomware groups in September were Lockbit 3.0, LostTrust, BlackCat, RansomedVC, and Cactus. Play, BianLian, Noescape, 8base, and Trigona rounded out the top 10. North America is still the most targeted region, where 50% of the attacks were conducted, followed by Europe (30%) and Asia (9%).
The increase in attacks shows the need for an international effort to target ransomware gangs, disrupt their operations and cut off their financing. One potential solution is for countries to introduce bans on ransom payments, which the U.S. is pushing for. 40 countries attending the third annual International Counter Ransomware Initiative (CRI) in Washington this week have pledged to do just that, although a ban could spell disaster for companies that are unable to recover their data from backups.
