{
	"id": "3eea4f13-bd75-4847-bdef-50da7caf8c54",
	"created_at": "2026-04-06T00:17:39.826021Z",
	"updated_at": "2026-04-10T03:30:33.240196Z",
	"deleted_at": null,
	"sha1_hash": "3141e9c74c5c86e8a290f65cc0cd897d797f0537",
	"title": "March 2023 broke ransomware attack records with 459 incidents",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2629575,
	"plain_text": "March 2023 broke ransomware attack records with 459 incidents\r\nBy Bill Toulas\r\nPublished: 2023-04-19 · Archived: 2026-04-05 20:16:12 UTC\r\nMarch 2023 was the most prolific month recorded by cybersecurity analysts in recent years, measuring 459 attacks, an\r\nincrease of 91% from the previous month and 62% compared to March 2022.\r\nAccording to NCC Group, which compiled a report based on statistics derived from its observations, the reason last month\r\nbroke all ransomware attack records was CVE-2023-0669.\r\nThis is a vulnerability in Fortra's GoAnywhere MFT secure file transfer tool that the Clop ransomware gang exploited as a\r\nzero-day to steal data from 130 companies within ten days.\r\nhttps://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nMarch 2023 activity continues the upward trend observed by NCC Group since the start of the year (January and February),\r\nwith the highest number of hack and data leak incidents recorded in the past three years.\r\nMonthly ransomware attack graph, dark blue: 2022, light blue: 2023 (NCC Group)\r\nActivity spikes\r\nClop performed 129 recorded attacks last month, topping NCC Group's graph with the most active ransomware gangs for\r\nthe first time in its operational history.\r\nClop's CVE-2023-0669 exploitation spree displaced LockBit 3.0, which had 97 recorded attacks, to second place for the\r\nsecond time since September 2021.\r\nOther ransomware groups that had relatively significant activity during March 2023 are Royal ransomware, BlackCat\r\n(ALPHV), Bianlian, Play, Blackbasta, Stormous, Medusa, and Ransomhouse.\r\nThreat actors with the most attacks last month (NCC Group)\r\nThis is not the first time Clop has performed a mass hack that propelled it to the top, as in early 2021, the ransomware group\r\nquickly amassed over 100 victims leveraging a zero-day vulnerability in Accellion's legacy File Transfer Appliance (FTA).\r\nhttps://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/\r\nPage 3 of 6\n\nClop ransomware activity spike (NCC Group)\r\nTargeted sectors\r\nThe most targeted sector in March 2023 was \"Industrials,\" receiving 147 ransomware attacks, accounting for 32% of the\r\nrecorded attacks.\r\nThis sector includes professional and commercial services, machinery, tools, construction, engineering, aerospace \u0026\r\ndefense, logistics, transport services, and more.\r\nMost targeted sectors by ransomware actors (NCC Group)\r\nIn second place are \"Consumer Cyclicals,\" encompassing construction supplies, specialty retailers, hotels, automobiles,\r\nmedia \u0026 publishing, household goods, etc.\r\nOther sectors that received significant attention from ransomware gangs are \"Technology,\" \"Healthcare,\" \"Basic Materials,\"\r\n\"Financials,\" and \"Educational Services.\"\r\nThis month's three most active ransomware groups, namely Clop, LockBit, and Royal, primarily targeted companies within\r\nthe \"Industrials\" sector. Clop and LockBit also directed a considerable amount of their efforts toward the \"Technology\"\r\nsector.\r\nWhile these may be the most targeted sectors, it is important to note that ransomware attacks are usually not targeted but\r\nrather opportunistic.\r\nhttps://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/\r\nPage 4 of 6\n\nRegarding the location of last month's victims, almost half of all attacks (221) breached entities in North America, Europe\r\nfollowed with 126 episodes, and Asia came third with 59 ransomware attacks.\r\nLocation of ransomware victims (NCC Group)\r\nThe recorded activity spike in March 2023 highlights the importance of applying security updates as soon as possible,\r\nmitigating potentially unknown security gaps like zero days by implementing additional measures and monitoring network\r\ntraffic and logs for suspicious activity.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nhttps://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/\r\nPage 5 of 6\n\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/\r\nhttps://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/"
	],
	"report_names": [
		"march-2023-broke-ransomware-attack-records-with-459-incidents"
	],
	"threat_actors": [
		{
			"id": "921cea27-4410-42e4-8c11-7d40ba313225",
			"created_at": "2023-01-06T13:46:39.375789Z",
			"updated_at": "2026-04-10T02:00:03.307063Z",
			"deleted_at": null,
			"main_name": "RansomHouse",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHouse",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434659,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3141e9c74c5c86e8a290f65cc0cd897d797f0537.pdf",
		"text": "https://archive.orkl.eu/3141e9c74c5c86e8a290f65cc0cd897d797f0537.txt",
		"img": "https://archive.orkl.eu/3141e9c74c5c86e8a290f65cc0cd897d797f0537.jpg"
	}
}