NCC Group Monthly Threat Pulse – March 2023
Ransomware victims at all-time high, with 91% increase in March
- March saw an unprecedented surge in ransomware attacks with 459 recorded, a 91% increase from February 2023.
- Cl0p claimed the most active threat actor, with 129 victims recorded.
- Industrials (32%), Consumer Cyclicals (13%) were the most targeted sectors, followed by Technology (12%).
- Regional data shows North America (48%) was the most targeted region, followed by Europe (28%), and Asia (13%).
The volume of ransomware attacks in March 2023 hit an all-time high, according to analysis from NCC Group’s Global Threat Intelligence team. The 459 victims recorded in March was a 91% increase from February (240) and a 62% increase compared to March 2022.
This enormous surge in attacks is likely associated with the highly publicised GoAnywhere MFT vulnerability being exploited across the world, which was notably used by March's most active threat actor - Cl0p.
This month, the Ransomware-as-a-Service (RaaS) provider, Cl0p, successfully exploited the GoAnywhere vulnerability and was the most active threat actor observed, with 129 victims in total (representing 28% of all March ransomware victims). This marks the first time Cl0p has reached this position, and if this level of activity continues, they are likely to surpass their previous annual volumes.
LockBit 3.0 came in second place this month, accounting for 97 ransomware attacks (21%)—marking the second time Lockbit 3.0 has been knocked off the top spot since September 2021. Despite numbers increasing across the wider threat landscape, Lockbit 3.0 observed a decline of 25% from the 129 attacks observed in February.
Royal, a group not known to be affiliated with a nation state, but known for targeting a range of sectors, took third place with 31 attacks (7%), a 106% increase from February.
Repeating trends from last month's analysis, North America was the target of almost half of March’s activity, with 221 victims (48%). Europe (28%), and Asia (13%) followed with 126 and 59 attacks respectively.
The most targeted sector in March 2023 was Industrials, with 147 attacks accounting for 32%. Consumer Cyclicals was second-most targeted with 60 attacks (13%), followed by Technology, regaining third place with 56 attacks (12%).
This month, RaaS provider, Cl0p claims the spotlight after significantly evolving their operations and claiming first place on this month’s leaderboard.
In their most recent campaign, Cl0p exploited the GoAnywhere Managed File Transfer (MFT) used by over 3,000 organisations, causing large level disruption across the threat landscape.
It’s important to note this is not the first time Cl0p has mass-hacked a vast number of large organisations by exploiting a vulnerability in a third-party product. The threat actor was responsible for the Accellion attacks, occurring in late 2020 and early 2021.
Notably, as Cl0p is a RaaS provider, a number of affiliates also exploited the ransomware strain in their attacks. Cl0p has been linked to other actors before, most notably TA505 and FIN11, and this recent campaign against the GoAnywhere MFT has been attributed to actors other than Cl0p themselves.
Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “In March we observed an unprecedented surge in ransomware attacks, the highest number NCC Group’s Global Threat Intelligence Team has ever seen. This is an indication of the continually evolving threat landscape and the pattern of attacks that we can expect to emerge throughout 2023. It is more important than ever for organisations to remain vigilant and practice good security hygiene, including making sure systems are patched and correctly backed-up.
“Cl0p have created a storm after exploiting the GoAnywhere vulnerability, even overtaking LockBit 3.0 as the most prolific actor. This is the first time we have seen Cl0p take a leading position, and if their operations remain consistent, we can expect them to remain a prevalent threat throughout the year. We are keeping a close eye on the actor as it evolves.”
Join the webinar on 26 April with Matt Hull to get more insight and exclusive access to what's going on in the cyber and geopolitical landscape. Matt will provide a deeper understanding of the latest report findings, a look at emerging trends by region and sector, and insight into new threat actors, followed by Q&A: