Victims of ransomware leak sites hit record high in November


After a quieter October, ransomware groups appeared to return with a vengeance in November, with the highest number of victims recorded on record, according to Corvus Insurance.

In a report released on December 18, 2023, Corvus Threat Intel observed 484 new ransomware victims posted to leak sites in November.

This represents an increase of 39.08% compared to October and an increase of 110.43% compared to November 2022.

Source: Corvus Insurance
Source: Corvus Insurance

This is the eleventh consecutive month of year-over-year increases in ransomware victims and the ninth consecutive month with a victim count above 300. It is also the third time such a record is broken this year.

However, while the previous two 2023 records were mainly attributed to MOVEit Supply Chain Attackthis was not the case in November.

A spike in LockBit activity induced by CitrixBleed

According to Corvus data, the November spike was partly due to a resurgence in LockBit activity.

Source: Corvus Insurance
Source: Corvus Insurance

November was LockBit’s third highest month of 2023 in terms of recorded victims (121) after a quieter fall.

Source: Corvus Insurance
Source: Corvus Insurance

If the first two spikes were due to affiliates returning to work after winter or summer vacations, Corvus threat intelligence analysts estimated that November’s increase could be attributed to CitrixBleed vulnerability“which would have become a new essential of the group”.

Read more: LockBit Affiliates Exploit Citrix Bleed, Government Agencies Warn

Could QakBot’s resurgence mean a new record this winter?

Based on historical seasonal data, the Corvus Threat Intel team predicted that the number of victims of ransomware leak sites listed in December will be higher than in December 2022, but will likely not match November’s numbers.

“We expect a decrease in January as the humans behind ransomware attacks take some time off” the researchers added.

Finally, Corvus observed that although removing QakBot malware loader (aka QBot) by law enforcement in August impacted ransomware groups. This new resurgence in victim lists showed that “the ransomware ecosystem has successfully moved away from QBot.”

The fact that cybersecurity companies are now observing a return of QakBot could potentially impact Corvus predictions in the near future.

Read more: FBI takedown of QakBot raises questions: ‘Dismantled’ or just a temporary setback?

Leave a comment