Ransomware review: September 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

Ransomware news in August was highlighted by the sudden fall of CL0P from the list of the most active gangs in any given month, while Lockbit returned to the number one spot after a steady four-month decline in activity.

CL0P published the data of just four victims on their leak site last month, down from 91known victims in June and 170 known victims in July. In June, CL0p shot to the top of the charts due to their use of a zero-day exploit in MOVEit Transfer, with victims of those attacks continuing to be posted into July.

This dramatic decrease isn’t too surprising given that CL0P’s vulnerability-focused approach to attacking has diminishing returns. As more organizations became aware of and patched the zero-day that CL0P discovered, CL0P’s zero-day campaign saw less and less momentum, with fewer at-risk targets. We witnessed a similar trend earlier this year when, after targeting 104 victims using a GoAnywhere MFT zero-day, CL0P’s presence almost vanished in April and May, as organizations presumably caught on and patched the vulnerability.

Lockbit, on the other hand, posted a total of a 124 victims on its leak site last month to reclaim its usual number one spot on the monthly charts. Before this sudden increase in attacks, we had been observing an average decrease of 20 attacks a month from the group since April 2023.

Known ransomware attacks by gang, August 2023
Known ransomware attacks by gang, August 2023
Known ransomware attacks by country, August 2023
Known ransomware attacks by country, August 2023
Known ransomware attacks by industry sector, August 2023
Known ransomware attacks by industry sector, August 2023

We speculated on reasons for the downward trend in last month’s review, such as it being possibly related to a recent affiliate arrest, but interesting research published last month may also hold the clue to other answers.

In the third installation of his “Ransomware Diaries” series, researcher Jon DiMaggio reveals the extent of Lockbit’s alleged internal instability, including how its apparent storage limitations and slow response times have led to affiliates leaving it for competitors. If more frustrated clientelle are leaving Lockbit than before, then it could be a novel, possible explanation to any monthly dips in activity.

To get a better idea of the true strength of Lockbit’s current operations, however, we can compare any period of decline to their typical number of monthly attacks. Data stretching back to March 2022, for example, places their median number of attacks at around 67 a month. From April 2023 to July 2023, their median number of attacks was actually slightly higher than this at 69 attacks a month, making the decline seem less substantial. In other words, while Lockbit might be plagued by internal instability at the moment, the effect of this on their monthly numbers seems insignificant in the long-run.

Contrasting with LockBit’s storage server challenges, the recent move by CL0P last month to use torrents underscores the evolving tactics ransomware gangs employ to circumvent storage limitations.

As ransomware gangs steal data from major companies, the scale of the information requires immense storage capacities. Traditional cloud services like AWS and Azure not only come with high costs but also demand personal identifiable information (PII) and credit card details upon registration—information that can easily be subpoenaed by law enforcement. A torrenting service, on the other hand, optimizes downloads by sourcing data from multiple proximate locations, rather than a lone server.

Since torrenting necessitates the data be scattered across all participating nodes in the peer-to-peer network, ransomware gangs can bypass the challenges of storage and bandwidth while also better evading law enforcement. Additionally, if more top ransomware gangs can follow CL0p’s footsteps and start to rely more on torrents to distribute stolen data, victims may feel increased pressure to pay ransoms as their data becomes more widely available. 



CloAk is a relatively new ransomware group that emerged between late 2022 and the beginning of 2023. In August 2023 the group published the data of 25 victims, mostly from Europe and with a special focus on Germany.

easset upload file90933 280710 eThe CloAk leak site


Metaencryptor is a new ransomware gang that published the data of 12 victims in August 2023.

easset upload file5833 280710 eThe Metaencryptor leak site


RansomedVC is a new group that published the data of nine victims on its leak site last month. The group has adopted a favorite ideology of other ransomware actors—that they are serving as nothing more than “pen-testers”—and added a twist, alleging that any vulnerabilities they have found in victims’ networks must also be reported under compliance to Europe’s General Data Protection Regulation (GDPR). RansomedVC has advertised themselves as a “digital tax for peace” service and threatened victims with data breach fines if the ransom isn’t paid.

easset upload file95557 280710 eThe RansomedVC leak site

INC Ransom 

INC Ransom is a newcomer to the ransomware scene last month that published three victims to its leak site in August.

easset upload file74852 280710 e

The INC Ransomware leak site

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.