BlackFog has been recording publicly disclosed ransomware attacks since 2020, and in 2023 we also began recording the number of undisclosed attacks, those that are listed on the data leak sites and dark web by the attackers. The 2023 ransomware attack report summarizes the key findings from 2023 compared to previous years.
2023 was a watershed moment for ransomware, one that saw records broken in 11 of the 12 months compared with the previous years since 2020. In fact, 2023 saw a massive 68% increase in the number of attacks over 2022 (our previous record), with a total of 630 ransomware attacks.
We note that it only took the first 9 months of the year for 2023 to eclipse the entirety of attacks of 2022. The largest month on record was November with a total of 89 attacks followed by December and September, both with 70.
Most notable during 2023 was the continued increase in the level of data exfiltration, which finished the year at 91%. Virtually all attacks and variants do not focus on encryption at all. Extortion is the key goal of virtually all attacks and is ultimately the key leverage used against victims. Some gangs are even utilizing new regulations from the SEC to report the attack themselves and force the victims to pay.
While we have no comparison for undisclosed attacks from 2022, we witnessed a bit of a roller coaster ride when calculating the ratio of unreported to reported attacks last year. We saw this finally settle at 5 times the number of reported attacks, significantly down from 14 times in the first quarter of the year. We attribute this to a number of regulatory changes that are forcing public companies to disclose attacks. There is also some realization that trying to hide an attack can cause more damage than it’s worth from a reputational and liability perspective.
Geography
The USA, UK, Canada, and Australia were the top 4 targets of 2023 with 55%, 8%, 4% and 3% respectively for a total of 70% of all publicly disclosed attacks. This was 7% higher overall than the top 4 in 2022, but most notably there was a 9% increase in attacks on the USA. The other countries showed no significant changes from 2022.
For the first time ever, more than 1 in every 2 victims were in the USA. This year we also saw data exfiltration to China increase to 29% (2% increase) of all attacks, followed by Russia with 9% (8% decrease). The impact of sanctions and several high-profile takedowns by coordinated governments helped decrease the number and extent of Russian gangs through 2023. The void is being increasingly filled by China which saw large gains last year.
Organizational
In 2023 we saw the healthcare sector dominate the number of attacks with a massive 138% increase over 2022, representing 21% of all attacks. Education and government followed with 70% and 57% increases respectively from 2022, rounding out the top 3 sectors. Next came the manufacturing and technology sectors with 76% and 46% increases respectively from 2022.
We also saw a large decrease in the size of targeted organizations with an average of 6,918 employees, a 285% decrease from 2022. This highlights a general trend we saw in 2023: the increased targeting of small to medium-sized organizations.
Variants
The top ransomware variants of 2023 were LockBit (19.2%), BlackCat (18.4%), Medusa (5.5%) and Play (4.6%). Notably, LockBit and BlackCat now represent 38% of all attack variants and were up 3.5% and 5.4% respectively over 2022. This increase in both is particularly significant when we consider the overall volume of attacks, representing increases of 149% for LockBit and 186% for BlackCat over 2022.
We also witnessed several trends throughout 2023 and we discuss these in more detail in a separate blog, “The 6 Key Ransomware Trends of 2023”.