After a seemingly slow quarter of ransomware activity during the late-2022 festive-holiday season, an alarming surge occurred. The first quarter of 2023 was the most prolific the ReliaQuest Threat Research Team has ever observed in terms of double-extortion ransomware groups. More victims were named on data-leak sites than in any other quarter to date—despite increased law enforcement operations and other challenges ransomware operators faced in 2022.
The Threat Research Team monitors the activity of ransomware groups on the dark web and keeps track of all victims named on ransomware data-leak websites. We also keep track of major developments and trends in the ransomware threat landscape. Let’s rewind to take a look at the most important ransomware-related events that happened during Q1 2023, plus metrics of ransomware groups and steps organizations can take for protection.
Probably the most notable event in Q1 2023 was an attack campaign by “Clop,” exploiting a GoAnywhere managed file transfer (MFT) zero-day vulnerability (CVE-2023-0669) to breach over 130 organizations. This wasn’t Clop’s first large-scale supply-chain attack. In February 2021, Clop exploited an Accellion file transfer application (FTA) zero-day vulnerability to breach over 100 organizations.
There were many similarities between these two campaigns: both exploited zero-days in file-transfer platforms, and in both Clop chose to steal data from victims rather than drop ransomware. By skipping encryption, Clop could conduct these attacks at lightning speed, reportedly taking only ten days to steal data using GoAnywhere MFT.
Another important story