This research article aims to provide a comprehensive overview of ransomware group activity throughout the year 2023. With the help of the new Cybernews tool, Ransomlooker, we’ve meticulously tracked and analyzed incidents involving ransomware, shedding light on trends and the impact on businesses across various sectors.
Using the tool, we monitored details such as the types and quantity of victims targeted by ransomware groups. This included comprehensive details about the victims, encompassing company revenues, countries, industries, and additional relevant information. The data provided in this report has been collected up to December 19th, 2023.
It is crucial to note, however, that although the aggregated additional victim data may contain minor inaccuracies, the overall depiction is accurate.
In 2023, the ransomware groups that we tracked claimed that they successfully targeted a total of 4191 victims, signifying an exceptional year of cyber threats. This figure represents a significant increase of 128.17% compared to the previous year (2022), with 1837 additional incidents. Moreover, when contrasted with 2021, the rise is 57.61% in terms of the total number of victims (2659), and compared to 2020, the increase stands at 220.67% in terms of the total count (1307).
In 2023, a total of 66 active ransomware groups were identified and operating within the digital landscape. The first figure presents the top 10 among them based on the number of victims. These highlighted groups collectively account for 59% of the total victims in 2023.
LockBit maintained its position at the top for the second consecutive year. The group claimed responsibility for the highest number of victims, with 1009 incidents constituting nearly a quarter of all ransomware victims in 2023. This group primarily focused its attacks on the construction, manufacturing/industrial, and retail industries.
The Cl0p ransomware group also had a considerable impact on victims, closely linked to its role as one of the main groups behind the widely recognized MOVEit zero-day attacks. The group primarily targeted sectors including insurance, banking, other financial services, and education.
When we looked at the year 2023 month by month and analyzed when ransomware attacks happened the most, we noticed a trend. More attacks occurred in spring and summer, with 1253 and 1275 victims, compared to winter and autumn, which had 611 and 1052 incidents, respectively. Winter seems to have been the least active time (14.6% of attacks in 2023), while summer stood out as the most active period for ransomware attacks (30.4%).
In the year 2023, 33 newly formed or rebranded ransomware groups surfaced on the cybersecurity scene, constituting half of the total active groups for the year. Cumulatively, these ransomware groups documented 978 victims, comprising nearly a quarter of the total victims in 2023. Among the recent additions, Akira, Medusa Blog, and NoEscape claimed the highest numbers of successful ransomware attacks, with victim counts of 169, 137, and 133, respectively.
According to the data that Ransomlooker provided, there was an average of around 11.5 successful ransomware attacks per day in 2023. This translates to an average of approximately one successful ransomware attack claim against a company every two hours.
Metrics by industry
According to data from Ransomlooker, the top 10 industries targeted by ransomware groups in 2023 were: IT services and IT consulting, construction, manufacturing and industrial, retail, hospitals and health care, insurance, law practice, real estate, software development, and machinery manufacturing.
Our data shows a shift in ransomware targets over the past three years. The rankings were previously dominated by the construction industry; in 2023, the IT sector claims the top spot.
This shift aligns with the dominating technological era, where IT companies, with their advanced capabilities and financial strength, become prime targets. The trend underscores the urgency for heightened cybersecurity measures within the IT industry to counter evolving threats effectively.
In the IT service and consulting sector, Stanford University, Volt, and CoinBase were reportedly identified by the Ransomlooker tool as the top companies targeted by ransomware gangs based on their annual revenue in 2023.
A concerning trend on the rise is the heightened success of ransomware attacks targeting the healthcare industry. Given the sensitivity of health-related data and its direct impact on patient well-being, it’s essential to enhance the cybersecurity measures governing the digital infrastructure of clinics, hospitals, and other healthcare facilities. Safeguarding patient information and ensuring the uninterrupted functioning of medical services should be at the forefront of efforts to counteract the escalating threat of ransomware attacks in this critical industry.
This year, among the leading healthcare companies in terms of annual revenue, Lehigh Valley Health Network, Tampa General Hospital, and Barts Health NHS Trust were targeted in cyberattacks by ransomware criminals.
It’s also noticeable that the manufacturing and industrial sector has consistently ranked among the top three industries targeted by ransomware over the past three years.
This persistence indicates that the financial strength of manufacturing companies makes them appealing targets for ransomware attackers. This sector is also susceptible to supply-chain attacks, where not only the main company but also its connected network, including suppliers, distributors, and partners, can be targeted.
An example is the aforementioned MOVEit supply-chain attack, where the compromise of one file transfer software affected a significant number of companies relying on it. This underscores the urgency for the manufacturing sector to adopt robust cybersecurity measures to safeguard critical infrastructure against evolving threats.
Diving deeper into the industries that have been successfully targeted in 2023, the next figure highlights the top 10 companies based on their annual revenue. While their specialties vary significantly, a majority are associated with electronics, energy, business services, and insurance sectors, with some outliers from healthcare and airlines.
Leading the list in terms of annual revenue in 2023 is the well-known brand Sony, with an impressive annual revenue of nearly $900 billion. United Healthcare is in second place with an annual revenue of $300 billion, further affirming the earlier highlighted trend of heightened risks within the healthcare industry. The third position goes to Energy Transfer, one of North America's largest energy companies.
The combined annual revenue of just these top 10 companies exceeded $1.5 trillion in 2023. Comparing this figure with the top companies and their revenues from previous years reveals an increase of 7-10 times.
In general, ransom demands are often determined as a percentage of a company's yearly income, and the impact of the attack is measured through the estimated downtime that it causes. For instance, if we consider 1% of revenue as a potential ransom demand calculation, the total ransom demand from just these 10 companies in 2023 could have reached $15 billion.
In contrast, the potential amount for the previous year was around $2.8 billion. This means that, as a strategy, ransomware groups find it more effective to target bigger companies with greater financial resources. The observed increase in targeting victims with larger annual revenues suggests a potential trend, indicating that ransomware groups may have heightened confidence in their abilities to target larger corporations.
Metrics by country
In our analysis of Ransomlooker data on the most targeted countries over the past four years, a consistent pattern is seen, with the same top five countries featuring heavily: the United States, United Kingdom, Canada, Germany, and France.
Notably, the US consistently takes the first position, significantly surpassing other countries, with a victim count sometimes nearly ten times greater than the second-ranked country. While this trend can be attributed to the size of the US and a greater number of companies that are potential ransomware victims, the persistent presence of the same top five countries underlines the unsurprising focus of cybercriminals on Tier 1 nations with substantial capital and strong financial standings.
Other economically and technologically advanced countries consistently maintaining a presence in the top ten include Italy, Australia, and Spain. This observation is unsurprising given similar reasons as those influencing the aforementioned top five.
What is more unexpected is the continued inclusion of India and Brazil on the list despite their less progressive economies. However, this correlation aligns with their comparatively limited ability to invest in advanced cybersecurity practices and greater susceptibility to successful ransom attacks. The sheer size of these countries and their underdeveloped digital security infrastructure make them appealing and easily exploitable targets.
Looking closely at the United States, which is consistently the main target for ransomware attacks, we studied how these incidents were spread across different states.
In 2023 alone, there were 1323 ransomware attacks in the US. The top five states with the highest attack numbers were California (12.2% of attacks), Texas (9.5%), Illinois (5.4%), New York (5.2%) and Florida (4.3%).