No single entity will ever know just how many ransomware incidents occur within a given year. Given the fact that many ransomware cases go unpublished and/or undocumented in the public eye, the true number of incidents that occur within a given timeframe can never be known. However, the ransomware actors themselves will often publish the names, industries, and other information about their victims on their data leak sites (DLSs). Though they do not publish all events, review of the aggregated numbers from ransomware actor-led DLSs provides a glimpse into just how big of a problem ransomware truly is these days.
In this article, we at SANS have gathered and reviewed information from a prominent threat intelligence group, “eCrime.ch: Threat and Risk Intelligence Services” (https://ecrime.ch/). All stats in this article come from the eCrime site, which is our preferred source for these numbers and provides solid telemetry for ransomware cases.
Ransomware Case Stats
From 2022 to 2023, we saw an increase in ransomware attacks of nearly 73%. In 2023, a total of 4,611 cases were reported. In 2022, this number was much lower at 2,662. This increase of well over 70% shows that whatever the royal "we" are doing in order to battle this scourge... simply isn't enough. Again, please note that the stats we are providing show the cases that were reported by the ransomware actor groups themselves.
The top 5 ransomware groups had a major impact on the increase of incidents from 2022 to 2023. The following stats show the increase in these top groups, indicating a major uptick in their efforts.
- LockBit 3.0 went from 393 cases (2022) to 1,038 (2023), an increase of 164%
- AlphVM went from 245 cases (2022) to 422 (2023), an increase of 72%
- CL0P went from 30 cases (2022) to 386 (2023), an increase of 1,186%
- PLAY went from 26 cases (2022) to 308 (2023), an increase of 1,084%
- BlackBasta went from 172 cases (2022) to 210 (2023), an increase of 22%
In addition to these well-known names, the top 5 groups that were new to the scene as of 2023 made an impact on the 2023 increase. Since these groups were new in 2023, they do not have 2022 reporting numbers.
- 8BASE reported 273 cases in 2023
- Akira reported 172 cases in 2023
- Medusa reported 145 cases in 2023
- NoEscape reported 123 cases in 2023
- Cactus reported 83 cases in 2023
These top 5 new groups claimed a total of 796 ransomware incidents in 2023. Of the total 4,611 incidents reported, this means that 17% of all cases were perpetrated by a group that did not exist in 2022. This is just one example that shows how newly-formed groups are causing an impact.
Sectors Impacted
The top 10 industries impacted in 2023 all experienced increases from their numbers in the previous 2022 year. The following stats paint a morbid picture of just how much these industries have had to deal with ransomware attacks.
Sector | 2022 | Change | 2023 |
Construction | 153 | +77 (50%) | 230 |
Hospitals and Health Care | 89 | +86 (96%) | 175 |
IT Services and IT Consulting | 74 | +89 (120%) | 163 |
Financial Services | 58 | +89 (153%) | 147 |
Law Practice | 67 | +76 (113%) | 143 |
Higher Education | 56 | +62 (110%) | 118 |
Government Administration | 80 | +37 (46%) | 117 |
Real Estate | 52 | +51 (98%) | 103 |
Software Development | 22 | +73 (331%) | 95 |
Retail | 44 | +45 (102%) | 89 |
As you can see, Construction; Hospitals and Health Care; and IT Services and IT Consulting were the top 3 most impacted sectors. Though the exact reasons why these sectors were targeted the most are unknown, this article’s author has opinions. First, many construction companies push hard to set up new projects. Newly-invigorated projects sometimes require the immediate setup of IT resources. Oftentimes, “security 101” principles are forgotten, as the rush to beat the competition for a bid, such as on engineering, procurement, and/or physical construction, can blur the line between a swift project instantiation and a security-bolstered operating environment.
Second, hospitals and health care are believed to be targeted because of the immediacy brought about in terms of potential ransom payments. When human lives are potentially at risk, the thought of paying a ransom can seem more enticing. Let’s not forget that the very first version of ransomware ever to afflict the masses, the AIDS Trojan (a.k.a. The PC Cyborg Trojan), impacted the health care industry.
Finally, IT Services and Consulting organizations often deploy a plethora of tech within their networks. The greater the number of high-tech applications and services deployed, the greater the threat landscape. It is totally possible, and again this is theoretical, that the larger threat landscape leads to a higher probability that a software exploit will be available due to unpatched applications and/or appliances. As software vulnerabilities continue to rise as a top infection vector for ransomware, the multitude of services utilized in this sector may lead to the increase in cases they see.
Final Thoughts
As we move further into 2024, we must be cautious (maybe even fearful!) of ransomware cases increasing even more than in previous years. Though governments around the world are taking more interest in the worldwide threat, we can see from the increase of cases that our actions have not been enough to thwart the ransomware threat. As new groups continue to form, former groups continue to evolve into new brands, and the big players continue to ramp up their efforts, we must remain vigilant and focus on our preparation and early detection capabilities.
If you or your organization would like to bolster your environment(s), we invite you to check out the upcoming SANS Ransomware and Cyber Extortion poster. This poster releases at the SANS CTI Summit event in late January/early February 2024. You can learn more about this free resource at https://sans.org/posters. Upon release, you will be able to download the poster for free at this link.