Clop Drives Record Ransomware Activity in June

Ransomware attacks in June soared 221% year-on-year to hit a record 434 for the month, according to an analysis from NCC Group’s Global Threat Intelligence team.

The IT security firm claimed the figures were driven by Clop’s targeting of global organizations via the MOVEit flaw, “consistently high levels” of activity by groups such as LockBit 3.0, and the appearance of new groups since May.

Clop was responsible for a fifth (21%) of activity last month after it exploited SQL injection zero-day vulnerability CVE-2023-34362 in the popular managed file transfer software MOVEit, in a classic supply chain attack.

LockBit 3.0 accounted for 14% of ransomware attacks in the period, down 21% from the previous month. However, the group is still the most prolific of 2023 so far.

June also saw 8base, a new group first discovered in May, ramp up activity quickly. It was responsible for 40 attacks: 9% of the total recorded by NCC Group. Two other groups spotted for the first time in May, Rhysida and Darkrace, contributed 17 and nine attacks respectively.

Unsurprisingly, North America once again contributed the most victims (51%), followed by Europe (27%) and Asia (9%).

The most targeted sector in June was “industrials,” which accounted for a third of victims, followed by “consumer cyclicals” (12%) and technology (11%), NCC Group said.

Matt Hull, global head of threat intelligence at the firm, argued that the threat landscape continues to evolve.

“The better-known players, such as LockBit 3.0, are showing no signs of letting up, newer groups like 8base and Rhysida are demonstrating what they’re capable of, and Clop exploited a major vulnerability for the second time in just three months,” he claimed.

“It’s imperative that organizations remain vigilant and adapt their security measures to stay one step ahead. We strongly advise any organization using MOVEit file transfer software to apply the recent patch, given this vulnerability is being actively exploited.”

This week, Estee Lauder emerged as the latest victim of the Clop group, although security researchers claimed that the Alphv/BlackCat group also compromised the cosmetics giant.
