Skip to content
NCC Group Monthly Threat Pulse - July 2023

News -

NCC Group Monthly Threat Pulse - July 2023

  • Threat actor Cl0p was responsible for 171 of 502 attacks in July, following the successful exploitation of the MOVEit vulnerability
  • Industrials (31%), Consumer Cyclicals (16%) and Technology (14%) were the most targeted sector
  • North America (55%) was the most targeted region, followed by Europe (28%) and Asia (7%)

July 2023 saw record levels of ransomware attacks carried out, with 502 observed by NCC Group’s Global Threat Intelligence team throughout the month. The findings mark a 154% increase year-on-year (198 attacks in July 2022), and a 16% rise on the previous month (434 attacks in June 2023).

Cl0p continues to dominate following MOVEit exploitation

It comes as we continue to witness the fall-out from Cl0p’s exploitation of the MOVEit vulnerability, a file transfer software, in June this year. The Russian-speaking group remained the most active threat group in July, responsible for 171 of 502 (34%) of ransomware attacks. So far, it is believed that nearly 500 organisations and millions of individuals have been affected by the attack.

It has been noted by some in the industry that the attack and its wide-scale impact marks a shift in the ransomware model. Cl0p’s focus was on extorting data from MOVEit’s environment, using this to extort implicated organisations.

Lockbit 3.0 ranked as the second most active threat actor in July, responsible for 50 (10%) attacks. It represents a decline of 17%, as compared with 60 attacks in June.

Outside of the top spots, July witnessed activity from a number of new threat actors, following the reinvention and rebranding of existing groups. Specifically exploiting VPN vulnerabilities, Noescape, believed to be a rebrand of Avaddon, has moved into the top ten most active groups, accounting for 16 (3%) of the total monthly attacks in July.

Industrials suffers highest number of attacks so far in 2023

Industrials continued to be the most targeted sector for ransomware attacks in July with 155 (31%) of 502 attacks. It represents an 8% increase in volume and the highest number of attacks within the sector in 2023. Given that a number of organisations operating within industrials hold critical information or intellectual property (IP), it remains an attractive target for threat groups.

Consumer cyclicals ranked in second place with 79 cases, accounting for 16% of the overall monthly attacks. Technology was the third most targeted sector in July with 72 attacks, or 14% of the monthly total.

North America remains the most targeted for attack

North America was the most targeted region in July, experiencing 274 (55%) of all ransomware attacks – an increase from 51% of total attacks in June. Europe was the second most targeted region, experiencing 43 attacks in July, an increase from 27 (23%) from June and Asia ranked in third, witnessing a total of 36 attacks (7%) in July.

Spotlight: Rising threats in the financials sector

In July, professional and commercial services were the most targeted within the industrial sector. In the last month the top three threat actors, Cl0p, LockBit 3.0, and 8Base were responsible for 48% (74 cases total) of attacks against industrials.

The financials sector has continued to be a top target for threat actors, particularly from state sponsored groups such as North Korea’s Lazarus and organised crime groups like FIN7. The sector is facing increasingly sophisticated and mature attacks as a result of it being such an attractive target. It is vital that organisations within the sector remain vigilant against attacks to stay one step ahead of the numerous threat groups that are seeking to exploit the space.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “Record levels of ransomware attacks in July, topping the previous spike in June, demonstrate the continued evolving and pervasive nature of the threat landscape globally. We are still seeing many organisations are still contending with the impact of Cl0p’s MOVEit attack, which goes to show just how far-reaching and long-lasting ransomware attacks can be – no organisation or individual is safe.

“This campaign is particularly significant given that Cl0p has been able to extort hundreds of organisations by compromising one environment. Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organisations you work with as part of your supply chain.

“Alongside established players, like Cl0p and Lockbit 3.0, we’re also seeing the growing influence of new groups. They are introducing new tactics, techniques and procedures, underscoring how important it is for organisations to remain up-to-speed with changes in the threat landscape.”




NCC Group Press Office

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7721577574
NCC Group - Financial Media Enquiries

NCC Group - Financial Media Enquiries

Press contact Maitland AMO Financial Results Media Enquiries +44 (0)20 7379 5151
Regional Press Office - North America

Regional Press Office - North America

Press contact +1 408 776 1400
Regional Press Office - Europe

Regional Press Office - Europe

Press contact +31 20 794 4737

NCC Group exists to make the world safer and more secure

In today’s threat landscape understanding the risks organisations and customers are exposed to is more important than ever.

Understanding the impact and how to be more resilient is key to protecting brand, reputation and sensitive customer information. Building a cyber-resilient organization can be a complex process but it’s not impossible.

With our knowledge, experience and global footprint, we help assess, develop and manage cyber resilience posture.

NCC Group Newsroom
XYZ Building, 2 Hardman Boulevard, Spinningfield
M3 3AQ Manchester
United Kingdom