In July 2023 [1] [3], ransomware attacks reached record levels [3], with the Cl0p group emerging as the most prolific threat actor. This article provides a detailed description of the attacks and their impact.
Description
The Cl0p group exploited a zero-day vulnerability in the MOVEit file transfer service [2], compromising over 730 organizations [2], including Colorado State University and three major accounting firms [2]. They were responsible for one-third of all observed ransomware attacks, accounting for 171 out of the 502 attacks reported by NCC Group and 169 out of the 515 attacks reported by Flashpoint. This marks a 154% increase compared to the previous year and a 16% increase from the previous month [1].
The impact of their MOVEit attack is still being felt [2], with nearly 500 organizations and millions of individuals affected [1]. Global organizations such as the BBC, BA [3], Boots [3], and the government of Nova Scotia were targeted, compromising the data of millions of end users. LockBit 3.0 was the second most active threat actor in July [3], responsible for 10% of the attacks [1] [3]. Industrial organizations were the primary targets [3], followed by the consumer cyclicals and technology sectors [3]. Europe and Asia were also affected, in addition to North America.
Conclusion
The record levels of ransomware attacks in July highlight the evolving and pervasive nature of the global threat landscape [3]. Organizations must remain vigilant about both their own environments and the security protocols of their supply chain [2]. The downstream victims of the Cl0p group's attacks in sensitive industries are not yet fully known [2], emphasizing the need for continued mitigation efforts. It is worth noting that the zero-day vulnerability in MOVEit was disclosed and patched by Progress Software on May 31, underscoring the importance of timely software updates and security patches.
References
[1] https://newsroom.nccgroup.com/news/ncc-group-monthly-threat-pulse-july-2023-471100
[2] https://www.cybersecuritydive.com/news/clop-one-third-ransomware-attacks/691433/
[3] https://www.infosecurity-magazine.com/news/movit-exploit-record-ransomware/