top of page

March 2023 Sees 91% Surge in Ransomware Victims, Reaching All-Time High

The number of ransomware attacks has reached an all-time high in March 2023, with 459 victims recorded, marking a 91% increase from February and a 62% increase compared to March 2022, according to an analysis by NCC Group's Global Threat Intelligence team. The increase in attacks is thought to be associated with the highly publicized GoAnywhere MFT vulnerability, which was exploited across the world by Cl0p, the most active threat actor with 129 victims recorded.

This month, Cl0p successfully exploited the GoAnywhere vulnerability, causing widespread disruption across the threat landscape, and became the most active threat actor observed. LockBit 3.0 and Royal followed with 97 and 31 ransomware attacks, respectively. North America was the target of almost half of the attacks, followed by Europe and Asia.

Industrials were the most targeted sector, accounting for 32% of attacks, followed by Consumer Cyclicals and Technology. Cl0p, a Ransomware-as-a-Service (RaaS) provider, claims the spotlight after significantly evolving its operations and reaching the top spot on the leaderboard. In its most recent campaign, Cl0p exploited the GoAnywhere Managed File Transfer used by over 3,000 organizations.

This is not the first time Cl0p has hacked large organizations by exploiting vulnerabilities in third-party products. The threat actor was responsible for the Accellion attacks in late 2020 and early 2021. Cl0p is a RaaS provider, and several affiliates exploited the ransomware strain in their attacks. The recent campaign against the GoAnywhere MFT has been attributed to actors other than Cl0p.

Matt Hull, global head of Threat Intelligence at NCC Group, warns that this surge in ransomware attacks is an indication of the continually evolving threat landscape and the pattern of attacks that can be expected throughout 2023. He emphasizes the importance of remaining vigilant and practicing good security hygiene, including patching systems and backing up data. Cl0p's recent campaign has created a storm and if their operations remain consistent, they will likely remain a prevalent threat throughout the year. The NCC Group is closely monitoring the actor as it evolves.



bottom of page