Getty Images/iStockphoto

Ransomware Task Force finds 73% attack increase in 2023

The Institute for Security and Technology's Ransomware Task Force says a shift to big game hunting tactics led to a significant rise in attacks last year.

The number of ransomware attacks increased by 73% between 2022 and 2023, according to new research by the Institute for Security and Technology's Ransomware Task Force.

RTF published its "2023 Global Ransomware Incident Map" on Thursday, detailing alarming trends in the threat landscape. The report includes data from eCrime.ch, which tracks ransomware as a service (RaaS) gangs' public data leak sites that attackers use to pressure victims into paying a ransom.

Authors Taylor Grossman, deputy director for digital security at the Institute for Security and Technology, and Trevaughn Smith, a future of digital security associate at IST, warned that big game hunting -- where ransomware groups target one high-value organization to cause significant downstream effects -- was on the rise last year.

The RTF report also found that construction and healthcare organizations remained the most targeted sectors last year, with the LockBit and Clop ransomware gangs maintaining the topmost active threat group spots. In addition, the report noted data from Chainalysis, a blockchain analysis firm, that showed record-breaking ransomware payment amounts for 2023.

"In 2023, the data shows 6,670 ransomware incidents, a 73% year-over-year increase from 2022," Grossman and Smith wrote in the report.

Like other cybersecurity organizations, RTF attributed a temporary decrease in ransomware activity in 2022 to successful law enforcement actions and Russia's invasion of Ukraine, where threat actors in the regions were presumably less focused on ransomware and financially motivated attacks.

While 2023 marked a significant year for ransomware activity, the authors warned that the "fundamental criminal effectiveness of the RaaS model" will only become more profitable over time. RaaS enables less skilled cybercriminals to deploy ransomware attacks because affiliates can purchase the malware from developers. It also makes attribution more difficult because affiliates can work with more than one gang.

"This year's edition of the map continues to illustrate the persistent nature of many ransomware groups. However, the scale, frequency, and complexity of incidents continue to increase as cybercriminals refine the RaaS model," Grossman and Smith wrote.

RTF referred to LockBit as "the most 'stable' ransomware group last year," even though Clop's attacks against customers of Progress Software's MoveIt Transfer product led to a surge in ransomware activity. The report attributed LockBit's success last year to adaptability, among other factors.

"By continuously adapting their existing RaaS model to attract affiliates, leverage new vulnerabilities, and improve their malicious software, LockBit has been able to maintain this consistency where other ransomware groups have faltered," the report said.

LockBit was disrupted by a joint law enforcement operation in February that included two arrests of suspected gang members, as well as the seizure of servers, domains, cryptocurrency accounts and more than 1,000 decryption keys. While LockBit has attempted to resume operations, cybersecurity vendors have reported steep decreases in its activity this year.

However, RTF highlighted the 8Base ransomware gang as an example of a successful group that still relies on "traditional, relatively unsophisticated means," including phishing to gain access to a targeted organization. 8Base describes itself as a penetration testing company to victim organizations. It first created a public data leak site last year, even though the gang has been active longer, according to the report.

For victim organizations, the construction and healthcare industries continued to hold the top two spots worldwide. RTF tracked 231 incidents for construction, representing a 49% increase from 2022, and 177 incidents for hospitals and healthcare, which equates to a nearly 99% increase over the same period.

However, the number of incidents against financial services companies surged by 149%, and software development jumped by an alarming 332%.

"This finding suggests that while ransomware gangs are increasing the frequency of their attacks, their targets remain largely unchanged," the report said.

The report expanded on the threat against the healthcare sector. Grossman and Smith stated that hospitals "traditionally emphasized data confidentiality over data availability and continuity of care." But they warned that hospitals can't afford the downtime that encrypted systems cause, which makes them a "prime candidate for paying a ransom" to resume operations.

The report also broke down ransomware activity by country, but noted that many attacks go unreported, which could skew the data.

"The data shows ransomware incidents in 117 countries carried out by 66 ransomware groups. This is a slight increase from 2022, during which eCrime data reflected that 105 countries experienced attacks from 58 ransomware groups," the report said.

RTF's "2023 Global Ransomware Incident Map" follows similar reports from other companies, including one from Corvus Insurance, that highlighted massive increases in ransomware activity during 2023, which has continued into this year.

Chart showing global ransomware incidents for January through December 2023.
The Ransomware Task Force published data on ransomware trends observed between 2022 and 2023.

LockBit's effect on the 2024 landscape

While the RTF report focused on threat activity in 2023, the authors warned that some trends have likely carried over to this year. "As we enter the final three months of 2024, we anticipate an increase in 'big game hunting' tactics by ransomware groups -- most notably CL0P -- as cyber criminals adapt and create new ways to further extort ransomware victims," the report said.

Grossman told TechTarget Editorial that during big game hunting attacks, ransomware operators commonly target remote access applications. She also addressed the shift from encrypting networks to threat actors relying solely on data theft and extortion attacks like Clop's MoveIt Transfer campaign. Grossman said the shift might illustrate how organizations are becoming better about backing up data, which enables them to recover more quickly from traditional ransomware attacks.

While data theft attacks and increasingly brazen extortion tactics have proven to be successful, Grossman said RTF still observes a lot of profitability when ransomware gangs use standard techniques like phishing and business email compromise.

She also stressed that the numbers in the report are likely much lower due to unreported attacks. "One of the big focuses of our work in general is highlighting the suboptimal information ecosystem that we have here," Grossman said. "I think we're seeing [this lack of transparency addressed] here in the U.S. with the passing of CIRCIA [Cyber Incident Reporting for Critical Infrastructure Act] and trying to institute more robust reporting mechanisms."

Grossman said the International Counter Ransomware Initiative, which is a U.S.-led initiative launched in 2021, is important to combat the increasing success of the RaaS model. She stressed that it's important to focus on ransomware as a specific threat, and to start investing more heavily in response efforts and increased reporting to get a more accurate picture of how prevalent the threat is.

While it's difficult to say whether ransomware activity is on track this year to match the 73% increase in 2023, Grossman said the threat clearly continues to cause problems for victim organizations. She noted law enforcement actions taken against LockBit earlier this year as one aspect that could have a big effect on 2024's numbers.

"LockBit's been a really stable group in terms of churning out attacks and consistently being one of the most prolific ransomware actors. There's a lot of different discussions and debate happening within ransomware researchers about that kind of takedown, and the overall efficacy of law enforcement takedowns, and how that leads to groups just regrouping or rebranding," she said. "Are these takedowns actually able to really disrupt trust within the ransomware-as-a-service community? We are definitely going to pay attention to that."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.

Next Steps

'Defunct' DOJ ransomware task force raises questions, concerns

Dig Deeper on Threat detection and response