NCC Group’s analysis found a major June increase in ransomware cyberattacks. Compared to June 2022, the attacks surged to 221%, with a total of 434 recorded attacks in that month.
NCC Group monitors ransomware attacks and data theft/extortion attempts carried out by ransomware groups. Clop ransomware exploited Progress Software’s zero-day (CVE-2023-34362), causing substantial surge in ransomware activity.
Coveware estimates Clop group’s profits: $75M-$100M from these attacks. The attacks directly impacted over 1,000 companies and had indirect repercussions on a significant number of others.
NCC Group reported Clop group caused 21% of June attacks. LockBit 3.0 affiliates accounted for 14%, down from the previous month’s 21%. 8base surged to 9% with 40 attacks. Rhysida and Darkrace conducted 26 attacks (6%). Industrials (33%), consumer cyclicals (12%), and technology (9%) were top targets in June, with North America hit most (51%).
Decline in Ransom Payments Despite Increased Attacks
Despite a significant increase in attacks, ransom payments have dropped sharply. In Q2, 2023, only 34% of victims paid ransoms, compared to over 75% in Q1, 2019. This decline has led cybercriminal groups to raise their ransom demands. The average payment rose by 126% to $740,000, and the median payment increased by 20% to $190,424 in Q2, 2023, with Clop group’s attacks driving the surge.
Although only a few companies paid the ransom for data recovery in MOVEit attacks, those who did paid substantial amounts.
Coveware attributes the record-low ransom payments to companies investing in security, continuity assets, and incident response training. However, this decrease in revenue is forcing ransomware gangs to adapt their tactics, as seen with the Clop group’s shift from encryption to pure extortion. While this new approach is faster and quieter, it results in fewer victims paying the ransom. Nevertheless, such attacks may be more profitable for ransomware gangs, as encryption attacks involve more time, resources, and payments to individuals involved in various stages, reducing their overall profit.
Coveware’s report distinguishes between extortion and encryption attacks. BlackCat and Black Basta dominated encryption, each with 15.5% of Q2 attacks. Royal accounted for 10.1%, followed by LockBit 3.0 (6.2%), Akira (5.4%), Silent Ransom, and Cactus with 3.1% each. Sophisticated affiliates now use 8base, leading to increased attacks. Phishing was the top initial access vector in Q2, 2023, followed by RDP compromise and software vulnerabilities. Professional Services (15.5%), healthcare (14%), materials (11.6%), and the public sector (10.1%) were the most targeted sectors.
