March 2023 was the most prolific month recorded by cybersecurity analysts in recent years, measuring 459 attacks, an increase of 91% from the previous month and 62% from March 2022.

According to NCC Group, which compiled a report based on statistics derived from its observations, the reason last month broke all records for ransomware attacks was CVE-2023-0669.

This is a vulnerability in Fortra’s GoAnywhere MFT secure file transfer tool that the Clop ransomware gang operated as a zero-day steal data from 130 companies within ten days.

March 2023 activity continues the upward trend seen by NCC Group since the beginning of the year (January and February), with the highest number of hacking and data breach incidents recorded in the last three years.

Activity peaks

Clop carried out 129 recorded attacks last month, topping the NCC Group’s chart with the most active ransomware gangs for the first time in its operational history.

Clop’s CVE-2023-0669 mining spree moved LockBit 3.0, which had 97 recorded attacks, into second place for the second time since September 2021.

Other ransomware groups that had relatively high activity in March 2023 are Royal ransomware, BlackCat (ALPHV), Bianlian, Play, Blackbasta, Stormous, Medusa, and Ransomhouse.

This isn’t the first time Clop has carried out a mass hack that propelled him to the top, as in early 2021 the ransomware group quickly amassed over 100 kills by taking advantage of a zero-day vulnerability in Accellion’s old File Transfer Application (FTA).

Target sectors

The most targeted sector in March 2023 was “industry”, receiving 147 ransomware attacks, representing 32% of recorded attacks.

This sector includes professional and business services, machinery, tools, construction, engineering, aerospace and defense, logistics, transportation services, etc.

In second place are “consumer cyclicals”, encompassing building materials, specialty retailers, hotels, automobiles, media and publishing, housewares, etc.

Other sectors that have received particular attention from ransomware gangs are “technology”, “healthcare”, “basic materials”, “finance” and “educational services”.

The three most active ransomware groups this month, namely Clop, LockBit and Royal, mainly targeted companies in the “Industrial” sector. Clop and LockBit have also directed a considerable part of their efforts towards the “Technology” sector.

Although these are the most targeted sectors, it is important to note that ransomware attacks are usually not targeted but rather opportunistic.

In terms of whereabouts of victims last month, nearly half of all attacks (221) affected entities in North America, Europe followed with 126 episodes, and Asia came third with 59 ransomware attacks.

The spike in activity recorded in March 2023 highlights the importance of applying security updates as soon as possible, mitigating potentially unknown security vulnerabilities like zero days by implementing additional measures and monitoring traffic network and logs to detect any suspicious activity.