Ransomware Task Force finds 73% attack increase in 2023

The Institute for Security and Technology's Ransomware Task Force says a shift to big game hunting tactics led to a significant rise in attacks last year.

The number of ransomware attacks increased by 73% between 2022 and 2023, according to new research by the Institute for Security and Technology's Ransomware Task Force.

RTF published its "2023 Global Ransomware Incident Map" on Thursday, detailing alarming trends in the threat landscape. The report includes data from eCrime.ch, which tracks ransomware as a service (RaaS) gangs' public data leak sites that attackers use to pressure victims into paying a ransom.

Authors Taylor Grossman, deputy director for digital security at the Institute for Security and Technology, and Trevaughn Smith, a future of digital security associate at IST, warned that big game hunting -- where ransomware groups target one high-value organization to cause significant downstream effects -- was on the rise last year.

The RTF report also found that construction and healthcare organizations remained the most targeted sectors last year, with the LockBit and Clop ransomware gangs holding the top spots as the most active threat groups. In addition, the report cited data from Chainalysis, a blockchain analysis firm, that showed record-breaking ransomware payment amounts for 2023.

"In 2023, the data shows 6,670 ransomware incidents, a 73% year-over-year increase from 2022," Grossman and Smith wrote in the report.

Like other cybersecurity organizations, RTF attributed a temporary decrease in ransomware activity in 2022 to successful law enforcement actions and Russia's invasion of Ukraine, during which threat actors in the region were presumably less focused on ransomware and financially motivated attacks.

While 2023 marked a significant year for ransomware activity, the authors warned that the "fundamental criminal effectiveness of the RaaS model" will only become more profitable over time. RaaS enables less skilled cybercriminals to deploy ransomware attacks because affiliates can purchase the malware from developers. It also makes attribution more difficult because affiliates can work with more than one gang.

"This year's edition of the map continues to illustrate the persistent nature of many ransomware groups. However, the scale, frequency, and complexity of incidents continue to increase as cybercriminals refine the RaaS model," Grossman and Smith wrote.

RTF referred to LockBit as "the most 'stable' ransomware group last year," even though Clop's attacks against customers of Progress Software's MoveIt Transfer product led to a surge in ransomware activity. The report attributed LockBit's success last year to adaptability, among other factors.

"By continuously adapting their existing RaaS model to attract affiliates, leverage new vulnerabilities, and improve their malicious software, LockBit has been able to maintain this consistency where other ransomware groups have faltered," the report said.

LockBit was disrupted by a joint law enforcement operation in February that included two arrests of suspected gang members, as well as the seizure of servers, domains, cryptocurrency accounts and more than 1,000 decryption keys. While LockBit has attempted to resume operations, cybersecurity vendors have reported steep decreases in its activity this year.

However, RTF highlighted the 8Base ransomware gang as an example of a successful group that still relies on "traditional, relatively unsophisticated means," including phishing to gain access to a targeted organization. 8Base describes itself as a penetration testing company to victim organizations. It first created a public data leak site last year, even though the gang has been active longer, according to the report.

For victim organizations, the construction and healthcare industries continued to hold the top two spots worldwide. RTF tracked 231 incidents for construction, representing a 49% increase from 2022, and 177 incidents for hospitals and healthcare, which equates to a nearly 99% increase over the same period.

However, the number of incidents against financial services companies surged by 149%, and software development jumped by an alarming 332%.

"This finding suggests that while ransomware gangs are increasing the frequency of their attacks, their targets remain largely unchanged," the report said.

The report expanded on the threat against the healthcare sector. Grossman and Smith stated that hospitals "traditionally emphasized data confidentiality over data availability and continuity of care." But they warned that hospitals can't afford the downtime that encrypted systems cause, which makes them a "prime candidate for paying a ransom" to resume operations.

The report also broke down ransomware activity by country, but noted that many attacks go unreported, which could skew the data.

"The data shows ransomware incidents in 117 countries carried out by 66 ransomware groups. This is a slight increase from 2022, during which eCrime data reflected that 105 countries experienced attacks from 58 ransomware groups," the report said.

RTF's "2023 Global Ransomware Incident Map" follows similar reports from other companies, including one from Corvus Insurance, that highlighted massive increases in ransomware activity during 2023, which has continued into this year.

Chart showing global ransomware incidents for January through December 2023.
The Ransomware Task Force published data on ransomware trends observed between 2022 and 2023.

LockBit's effect on the 2024 landscape

While the RTF report focused on threat activity in 2023, the authors warned that some trends have likely carried over to this year. "As we enter the final three months of 2024, we anticipate an increase in 'big game hunting' tactics by ransomware groups -- most notably CL0P -- as cyber criminals adapt and create new ways to further extort ransomware victims," the report said.

Grossman told TechTarget Editorial that during big game hunting attacks, ransomware operators commonly target remote access applications. She also addressed the shift from encrypting networks to threat actors relying solely on data theft and extortion attacks like Clop's MoveIt Transfer campaign. Grossman said the shift might illustrate how organizations are becoming better about backing up data, which enables them to recover more quickly from traditional ransomware attacks.

While data theft attacks and increasingly brazen extortion tactics have proven to be successful, Grossman said RTF still observes a lot of profitability when ransomware gangs use standard techniques like phishing and business email compromise.

She also stressed that the numbers in the report are likely much lower than the true totals because many attacks go unreported. "One of the big focuses of our work in general is highlighting the suboptimal information ecosystem that we have here," Grossman said. "I think we're seeing [this lack of transparency addressed] here in the U.S. with the passing of CIRCIA [Cyber Incident Reporting for Critical Infrastructure Act] and trying to institute more robust reporting mechanisms."

Grossman said the International Counter Ransomware Initiative, which is a U.S.-led initiative launched in 2021, is important to combat the increasing success of the RaaS model. She stressed that it's important to focus on ransomware as a specific threat, and to start investing more heavily in response efforts and increased reporting to get a more accurate picture of how prevalent the threat is.

While it's difficult to say whether ransomware activity is on track this year to match the 73% increase in 2023, Grossman said the threat clearly continues to cause problems for victim organizations. She noted law enforcement actions taken against LockBit earlier this year as one aspect that could have a big effect on 2024's numbers.

"LockBit's been a really stable group in terms of churning out attacks and consistently being one of the most prolific ransomware actors. There's a lot of different discussions and debate happening within ransomware researchers about that kind of takedown, and the overall efficacy of law enforcement takedowns, and how that leads to groups just regrouping or rebranding," she said. "Are these takedowns actually able to really disrupt trust within the ransomware-as-a-service community? We are definitely going to pay attention to that."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
