
2023 Ransomware Review

Last year was challenging for many organizations, as they faced ransomware attacks that caused significant damage. As we begin 2024, the first victims of the year have already been reported, making it clear that this threat is not going away anytime soon. To understand what happened in 2023 and prepare for the year ahead, let's examine the stats on attacks from the previous year. In this blog post, we'll explore the different dimensions of the attacks observed in 2023, providing insights and looking ahead to what 2024 might bring. Our analysis draws on publicly available data, such as leak-site posts from ransomware groups, and on incident data from our MDR team, enriched with context gathered by Rapid7 Labs.

Most groups run leak sites where they announce their victims. These sites are a way to pressure victims into paying: the group threatens to publish the stolen data if the ransom is not paid. The frequency of posts on these sites indicates which groups are active, but the picture is more complex than that; a victim who pays quickly is usually never posted, so leak-site counts undercount the true number of attacks and skew toward victims who refused to pay. In 2023, the number of unique ransomware families used by these groups fell by more than half, from 95 in 2022 to 43 in 2023. This suggests that the existing families and business models are working and profitable, so there is little incentive to develop new ones.

Our sources revealed nearly 5200 reported cases in 2023. Even so, this number is likely an underestimate, as many attacks go unreported. Security consulting firm Coveware found that the average ransom payment in Q3 2023 was USD 850,700. That figure covers only the ransom payment itself. The cost of recovering from an incident can be far higher once you add downtime, reputational damage, lost business, labor hours, higher insurance premiums, legal counsel, and settlement fees. Shockingly, 41% of victims opted to pay the ransom.

The scatter plot below shows the number of ransomware incidents attributed to the top 20 ransomware groups in 2023, based on leak-site communications, public disclosures, and Rapid7 incident response data. Zooming in on the most active groups, we identified the top 5: ALPHV (aka BlackCat), BianLian, Cl0P, LockBit 3.0, and Play. These groups are supported by a large ecosystem of initial access brokers who sell footholds into victim networks. The polar-bar chart below visualizes each group's frequency of leak-site postings per month.

Rapid7 Labs analyzed the 2023 ransomware attacks using data from both external and internal reports. We compared the attacks' modus operandi and mapped them against the MITRE ATT&CK framework. The diagram below depicts the results, capturing the common patterns and methodologies observed in most ransomware attacks, from initial breach to final ransom demand. Exploiting a public-facing application (ATT&CK T1190) and using a valid account (ATT&CK T1078) were the top initial access vectors in ransomware-focused attacks in 2023. The second vector deserves emphasis: when the attacker logs in with working credentials, typically bought from an initial access broker or harvested by infostealers, there is no exploit to detect, only abnormal use of a legitimate account.
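To make the two top initial access vectors concrete, here is an added example of the kind of hunting logic a SOC might run over its own logs. It is not Rapid7's code or part of the original post, and the access-log and VPN-auth log lines, the detection patterns, and the "known source" baseline are all constructed for illustration. The T1190 check looks for exploitation attempts against a web application (path traversal, a server-side script upload, a command parameter); the T1078 check looks for the behavioural signal that is usually all you get with a valid account: a success following a burst of failures, or a login from a source the user has never used before.

```python
"""Hunting heuristics for ATT&CK T1190 and T1078 over constructed log samples.

Added example, not code from the original post. The log lines, regexes and
baseline below are assumptions chosen to illustrate the two techniques.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-server access log (Combined Log Format style). The paths are
# hypothetical; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are doc ranges.
ACCESS_LOG = """\
203.0.113.7 - - [12/Dec/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [12/Dec/2023:10:01:05 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 0
198.51.100.9 - - [12/Dec/2023:10:02:11 +0000] "POST /api/upload?name=shell.aspx HTTP/1.1" 200 18
198.51.100.9 - - [12/Dec/2023:10:02:14 +0000] "GET /uploads/shell.aspx?cmd=whoami HTTP/1.1" 200 77
192.0.2.4 - - [12/Dec/2023:10:03:00 +0000] "GET /about HTTP/1.1" 200 900
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators of exploitation of a public-facing app (T1190).
# Order matters: the first matching label is reported for a request.
T1190_PATTERNS = [
    ("path traversal", re.compile(r"(\.\./|\.\.%2f)", re.I)),
    ("command parameter", re.compile(r"[?&](cmd|exec|command)=", re.I)),
    ("server-side script upload", re.compile(r"upload.*\.(aspx?|jsp|php)", re.I)),
]


def hunt_t1190(log_text):
    """Return (ip, label, path, status) for each request matching a T1190 pattern."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for label, pat in T1190_PATTERNS:
            if pat.search(m["path"]):
                hits.append((m["ip"], label, m["path"], int(m["status"])))
                break
    return hits


# Constructed VPN authentication log: "<timestamp> <user> <SUCCESS|FAIL> <src_ip>".
AUTH_LOG = """\
2023-12-12T09:50:00Z asmith SUCCESS 192.0.2.10
2023-12-12T09:55:01Z jdoe FAIL 203.0.113.50
2023-12-12T09:55:03Z jdoe FAIL 203.0.113.50
2023-12-12T09:55:06Z jdoe FAIL 203.0.113.50
2023-12-12T09:55:09Z jdoe FAIL 203.0.113.50
2023-12-12T09:56:40Z jdoe SUCCESS 203.0.113.50
2023-12-12T10:10:00Z asmith SUCCESS 192.0.2.10
"""

# Constructed baseline of source IPs each user normally logs in from.
KNOWN_SOURCES = {"jdoe": {"192.0.2.11"}, "asmith": {"192.0.2.10"}}


def hunt_t1078(log_text, known_sources, min_failures=3, window=timedelta(minutes=10)):
    """Flag successful logins that follow a burst of failures or come from an unseen source.

    Returns a list of (user, ip, timestamp, reasons) with at least one reason each.
    """
    findings = []
    recent_failures = defaultdict(list)  # (user, ip) -> failure timestamps
    for line in log_text.splitlines():
        ts_s, user, result, ip = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        key = (user, ip)
        if result == "FAIL":
            recent_failures[key].append(ts)
            continue
        reasons = []
        fails = [t for t in recent_failures[key] if ts - t <= window]
        if len(fails) >= min_failures:
            reasons.append("success after %d failures" % len(fails))
        if ip not in known_sources.get(user, set()):
            reasons.append("login from unseen source")
        if reasons:
            findings.append((user, ip, ts_s, reasons))
        recent_failures[key] = []  # reset the burst counter after a success
    return findings


if __name__ == "__main__":
    for hit in hunt_t1190(ACCESS_LOG):
        print("T1190", hit)
    for finding in hunt_t1078(AUTH_LOG, KNOWN_SOURCES):
        print("T1078", finding)
```

On the constructed input the T1190 check flags the traversal attempt (even though it returned 404), the upload of `shell.aspx`, and the subsequent `cmd=` request; the T1078 check flags only `jdoe`, whose success came after four failures from a source not in the baseline, and stays silent on `asmith`. A real deployment would pull the baseline from historical authentication data and tune the failure threshold and window to the environment, but the shape of the two checks is what matters: the first looks for attack traffic, the second has to look for misuse of something that is otherwise legitimate.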

In 2023, several ransomware groups ceased operations or underwent significant transformations. Hive started the year with its disruption by law enforcement in January. BlackByte, which briefly reappeared with a new white logo, went offline for the last two months of 2023. Royal rebranded itself as Black Suit, as evidenced by the matching binaries; the group removed its victim portal and shifted its postings to the Black Suit leak site. Vice Society became inactive for over three months, taking down both its primary and backup leak sites. NoEscape, previously known as Avaddon, executed an exit scam, further illustrating how volatile and shifting the ransomware landscape was in 2023. An "exit scam" is a fraudulent scheme in which a business collects funds from customers or partners and then suddenly ceases operations, disappearing with the money; in the ransomware-as-a-service context, the operators vanish with the ransom shares owed to their affiliates.

In 2024, we expect the top 5 groups mentioned earlier to remain active. Still, several groups that surfaced in 2023 are worth watching: Cactus, Rhysida, 8Base, Hunters International, Akira, and the recently emerged Werewolves group.


Deitasoft © 2024. All Rights Reserved.