March Ransomware Operations Smash Records with Nearly 500 Attacks


April 19, 2023

World map

March will go down in the books as the most prolific period so far for the volume of ransomware attacks observed, with research indicating there were 459 successful attacks, up 91% from February volume and up 62% year-over-year.

“Clop's CVE-2023-0669 exploitation spree displaced LockBit 3.0, which had 97 recorded attacks, to second place for the second time since September 2021,” Bleeping Computer reports.

“Other ransomware groups that had relatively significant activity during March 2023 are Royal ransomware, BlackCat (ALPHV), Bianlian, Play, Blackbasta, Stormous, Medusa, and Ransomhouse.”

The record number of attacks comes as other research finds that ransomware operations can cost organizations as much as 30 percent of their operating income, and smaller businesses can be impacted even more.

“While losses to cyberattacks impact the current fiscal year, they can also linger and impact current and future years as costs. These include legal fees, settlements, and brand damage the effects of which can take time to materialize,” Beta News reports.”

“Organizations are finally waking up to the fact that the impact of ransomware and other cyber attacks is more than just a moment in time. The financial implications are far-reaching and create barriers for companies to continue operations after these attacks.”

Takeaway: While some research has indicated that there was a bit of a lull in ransomware attack volumes in 2022 following the start of the Ukraine conflict, 2023 attack volume thus far shows that ransomware attacks are not abating. Ransomware is still the number one threat to organizations, and the financial impact can be devastating.

One of the reasons for the spike is that threat actors are taking advantage of unpatched vulnerabilities and automating more aspects of their attacks. Hundreds of organizations have been hit by the Cl0p ransomware gang as they exploit a known vulnerability in the GoAnywhere software.  

We are also seeing attacks exploiting a vulnerability in IBM Aspera Faspex, which could allow for a similar spike in attacks. ‍Last week, researchers published analysis of a new semi-autonomous ransomware strain dubbed Rorschach that was noted for having some unique features like fast encryption speed, stealthy DLL side-loading, and advanced security evasion.

This week, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques with a custom PowerShell-based tool that automates data exfiltration on targeted networks, and the Play ransomware gang developed two new custom data exfiltration tools.

Automation means ransomware operators hit more victims faster, which translates to more ransoms collected and more fiscal pain for the victim organizations.

Case in point, this week Dorel Industries confirmed that it was the victim of a “security incident” (assessed to be a ransomware attack) that the company anticipates will result in Q1-2023 revenue losses estimated at $12-15 million, according to a statement.

Being ready to respond to a ransomware attack is just part of the equation. Resilience must be built into that response protocol so organizations can limit the impact of a ransomware payload on operations.

But the focus cannot be on post-payload response only. There needs to be more focus on the data exfiltration aspect of these attacks, as once sensitive data goes out the door, the attack becomes much more difficult to mitigate. Even if the ransomware payload is identified, isolated, and remediated, the victim organization is still faced with extortion attempts and the risk that the data could be further exposed.

A solid resilience strategy that includes data exfiltration defenses will ease the potential financial losses victim organizations face and eliminate the need to pay a ransom demand to unlock systems or cooperate with the attackers to secure stolen data. is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.