Clop’s MOVEit attacks drive ransomware volumes to record high

Ransomware gangs enjoyed a midsummer fling in July 2023, with record numbers of attacks observed – an increase of over 150% from the same month in 2022, and a 16% increase on June 2023 – according to the latest monthly statistics collated by NCC Group’s global threat intelligence team.

Although arguably not ransomware attacks as no ransomware locker was ever deployed, the bulk of the increase stems from the exploitation of a now-patched vulnerability in Progress Software’s MOVEit managed file transfer product by the notorious and prolific Clop (aka Cl0p) operation – which led to 171 of the 502 attacks booked by NCC’s telemetry during July.

To date, it is believed that close to 750 organisations, and between 42 and 47 million individuals, have been affected by the attack to some degree, with new victims identified as recently as Monday 21 August.

One of the most prominent recently named is IBM, via which data on millions of Americans has been compromised through various downstream customers in the health and public sector, indicating that the MOVEit incident is far from over.

“Record levels of ransomware attacks in July, topping the previous spike in June, demonstrate the continued evolving and pervasive nature of the threat landscape globally,” said Matt Hull, global head of threat intelligence at NCC.

“Many organisations are still contending with the impact of Clop’s MOVEit attack, which goes to show just how far-reaching and long-lasting ransomware attacks can be – no organisation or individual is safe,” he added.

“This campaign is particularly significant given that Clop has been able to extort hundreds of organisations by compromising one environment. Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organisations you work with as part of your supply chain.”

The second most active threat actor in July, responsible for 10% of the observed attacks – down 17% on June – was LockBit 3.0.

While outside of the top spots, a number of new threat actors emerged in July following a period of reinvention and rebranding. One of these, NoEscape, possibly a rebrand of double extortion pioneers Avaddon, has swiftly made its mark, accounting for 3% of the observed attacks. Known victims of this “new” crew include Hawai’i Community College in the US and the German federal bar association, BRAK.

“Alongside established players, like Clop and LockBit 3.0, we’re also seeing the growing influence of new groups. They are introducing new tactics, techniques and procedures, underscoring how important it is for organisations to remain up-to-speed with changes in the threat landscape,” said Hull.

“We’re seeing the growing influence of new [ransomware] groups. They are introducing new tactics, techniques and procedures, underscoring how important it is for organisations to remain up-to-speed with changes in the threat landscape”

The most targeted sectors for ransomware attacks in July were industrials, accounting for 155 (31%) of the total volume, up 8%. Consumer cyclicals, which includes automotive, entertainment, housing and retail, accounted for 79 cases (16%), and the tech sector accounted for 72 (13%). The majority of attacks, almost 55%, were observed in North America, with Europe experiencing 23% of attacks and Asia 7%.

The NCC team also highlighted a clear and rising threat to the financial sector, professional and commercial services being the most targeted within the wider industrials category, with Clop, LockBit and 8Base mostly driving this.

They said the financial services industry continued to be a top target, both from state-sponsored groups such as North Korea’s Lazarus, and organised, financially motivated cyber criminals. These attacks are becoming more mature and sophisticated, said NCC, which warned that increased vigilance would be necessary to stay ahead of those seeking to exploit the space.