The 2023 Ransomware Year In Review

Ransomware attacks unfortunately grew significantly in 2023. Some estimates claim infections rose by more than 95 percent. Based on how the year began, that should prove no surprise. 

With just two months remaining in the year, Corvus Insurance noted the number of ransomware victims in 2023 had surpassed those from previous years and was on track to exceed 4,000, up from 2,670 the year before. A December 2023 report by cyber protection provider Malwarebytes confirmed ransomware activity continued at a worrying pace late in the year: it reported that ransomware actors were highly active in November, with May the only month that exceeded November’s activity.

Who or what is responsible for the rise in ransomware activity?

Corvus Insurance claims two factors fueled the year’s ransomware infections. The first is the CL0P ransomware group, which began the year exploiting a weakness in the GoAnywhere file transfer application and later launched widespread attacks targeting the MOVEit vulnerability. The second is that malicious hackers continued attacking throughout the summer, whereas previous years typically experienced declines during that season.

BlackCat (also known by the names ALPHV and Noberus) and Black Basta were also among the active ransomware groups producing eponymous variants. The BlackCat ransomware family is written in Rust, a programming language malicious hackers often favor due to its memory management features and efficiency. Black Basta, like BlackCat, is a criminal group that runs a Ransomware-as-a-Service (RaaS) operation and often engages in double extortion attacks, in which victims’ files are both exfiltrated and encrypted. Unless a ransom is paid, the cybercriminals withhold the decryption key necessary to recover the encrypted files and also post the victim’s private information to public Internet sites.

Another malicious group active in 2023 was LockBit. The ransomware threat actor, which also functions as a RaaS and reportedly possesses Russian-speaking members who claim the organization is located in the Netherlands, attacks organizations of all sizes. Similar to many others, the criminal group also works with affiliates to which it sells and supports the use of its ransomware variants. According to Malwarebytes’ December 2023 report, other organizations responsible for ransomware attacks in 2023 include 8BASE, NoEscape and Akira. 

Who did criminal actors victimize?

Midway through the year, Statista reported that the media, leisure and entertainment industry saw the most vulnerabilities exploited in ransomware infections. Organizations operating in critical industries, such as educational institutions, government agencies and healthcare providers, were also particularly affected by ransomware (including the MOVEit transfer attacks) throughout 2023.

Later in the year, LockBit disrupted financial operations in multiple countries. In addition to corrupting files from the giant Industrial and Commercial Bank of China LTD (ICBC), China’s largest bank, the criminal group’s actions also reportedly delayed US Treasury financial transactions. 

There were so many ransomware victims throughout the year they can’t all reasonably be listed. A sample of prominent organizations known to have fallen victim to ransomware attacks in 2023, however, includes the UK’s Royal Mail, Ministry of Defence and British Library, as well as multinational concerns Boeing and Shimano. Other ransomware victims in 2023 included the City of Dallas, Caesars Entertainment, MGM Resorts, Toyota, Minneapolis Public Schools and even the US Marshals Service, to name just a few more. 

How did cybercriminals infect victims?

According to Statista, the exploitation of existing vulnerabilities was the primary method hackers used to penetrate organizations. The next most common methods were the use of compromised credentials and malicious email messages. 

Phishing messages (fraudulent email messages sent to an intended victim with the goal of tricking the target into sharing sensitive information or inadvertently installing malicious software on behalf of the bad actor) and malware (essentially infected files, often included within email messages and posted to web sites) are also prominent ransomware attack methods. Brute force attacks against servers and stolen credentials are two more leading strategies.

How much did ransomware infections cost?

Statista noted that, in the year’s second quarter, 34 percent of ransomware attacks resulted in a ransom payment. The data collection and visualization company also revealed the average ransom amount it tracked more than doubled from the previous quarter to surpass $740K. 

While ransomware statistics vary widely depending upon the source, study methodology and numerous other factors, the figures are typically discouraging. Sophos’ State of Ransomware 2023 report, published earlier in the year, for example, notes that 66 percent of organizations were struck by ransomware within the last year, that 76 percent of those attacks resulted in data becoming encrypted and that the average (mean) ransom actually totaled $1.54 million, far higher than Statista’s estimate. Worse, Sophos said the mean recovery cost, minus any ransom payment (an expense sometimes covered by cybersecurity insurance depending upon the plan, coverage and incident), reached $1.82 million.

How can your organization best protect itself?

While the details of a proper ransomware protection strategy are beyond the scope of this year-in-review article, there are several elements all organizations should ensure they implement. Experts continually recommend organizations take the following steps to protect their systems, data and operations:

  1. Install and configure capable antimalware programs to automatically conduct regular scans and generate automated alerts. 
  2. Implement strong anti-spam filters to help prevent phishing messages from reaching users. 
  3. Filter network traffic using business-grade firewalls to help prevent malicious traffic from entering networks. 
  4. Continually update operating systems, software applications and hardware firmware to block known vulnerabilities. 
  5. Require multifactor authentication on all systems offering MFA or two-factor authentication. 

Educating users as to proper computing behaviors is also important. Consequently, security awareness training is another component organizations of all sizes can implement to better protect against ransomware infections and the disruptions that follow.

One thing’s for sure. Widespread breaches reinforce the importance of observing cybersecurity fundamentals.