The CyberMaxx team of cyber researchers conduct routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q1’s research here.

Video Transcript

Welcome to the second installment of the quarterly Ransomware report from CyberMaxx. This time we’re looking at data from April 1st and June 30th, 2023.

Here’s What We’re Seeing

Ransomware attacks are up significantly this quarter, up a total of 26% in volume over Q1, totaling in at 1147 attacks in Q2. Lockbit again our number one threat group with 246 of these attacks, or a little bit over 21% of the total volume.

Cl0p have weaponized the latest vulnerability in MOVEit, deploying ransomware on mass. They exploited hundreds of vulnerable machines running the affected versions, which ultimately affected over 200 individual organizations. The volume of affected organizations was so great, in fact, that the group actually had to stop reaching out to individuals and instead direct everyone to the release page for further instructions.

Cl0p is still working through this backlog of their affected orgs, so not all attacks have been taken credit for which are included in this report. Although it does appear to be widespread, affecting organizations like the BBC, the Discovery Channel and the US Department of Energy.


We are seeing groups continue to be opportunistic and make use of vulnerabilities to scale their operations. Ransomware activity is often closely aligned with vulnerability discovery, whether publicly disclosed or purchased on markets. This then has a direct correlation with the number of attacks that we observe in the wild, which affects organizations either directly or further downstream in the event of an attack on their supply chain.

Based on this, we do expect to see a similar number of attacks in Q3, somewhere around 1000 successful attacks again. Although this may increase if additional critical vulnerabilities in popular software are also brought to light, similar to MOVEit.

Cl0p is still working through their backlog, so they will likely have a large number of attacks attributed to them, again potentially larger than they have had this quarter.

To get the full depth of insights, download the Q2 Ransomware Research Report today.