On Thursday, January 25, 2024, GuidePoint Security, an industry leader in cybersecurity solutions, launched the GuidePoint Research and Intelligence Teams (GRIT) 2023 Annual Ransomware Report. The report investigates global ransomware trends, including mass exploitation campaigns, encryption, data extortion and other novel coercive tactics, based on publicly available data.
From its analysis, GRIT reported an 80% increase in victim posting YoY and found that victim volume had almost doubled, with 4,519 victims across 30 industries and 120 countries. There were 63 unique ransomware groups using encryption, data exfiltration and additional coercive techniques. "Comparing 2023 to 2022 ransomware activity, we saw an 80% YoY increase of victim posting," Drew Schmitt, Practice Lead of GRIT, explained. He attributed the rise to multiple mass exploitation campaigns and an influx of new entrants in the ransomware ecosystem due to lowered technical barriers, including the recycling of leaked ransomware builders and commodity malware. He also revealed the role of established groups with resources and technical expertise in this growth, stating that "exploitation of high-severity and zero-day vulnerabilities provided a reliable means of exploiting victims at scale".
The report also discusses major ransomware events from the past year, such as Clop's MOVEit campaign, Scattered Spider's attacks on casinos and published decryptors affecting the ransomware operations of BianLian and Akira. The industries most affected were Manufacturing and Technology, with respective victim percentages of 12.9% and 7.9%. The USA was five times more impacted than the next highest country, Germany (265 vs 48 victims). The US also accounted for 49% of all reported ransomware attacks in 2023, alongside being the most heavily impacted country. Out of the top ten most affected nations, eight were in North America and Europe, with Brazil and Australia being the only exceptions. These ten countries were home to 76% of all victim organisations, of which 27% impacted non-US states.
Analysing the ransomware groups, the report found established groups responsible for the majority (85%) of victims, followed by developing groups (10%). The most notorious established groups – LockBit, Alphv, and Clop – accounted for the majority of victims and were responsible for much of the innovation and strategic change in the ransomware ecosystem. Ephemeral and Emerging groups, whilst not as advanced as their established counterparts, continued to pose significant threats to organisations worldwide, due to the unpredictable nature of their actors and the frequent recycling of malware.
Drew Schmitt commented, "Last year, ransomware continued to increase in terms of impact, sophistication, and the number of participating actors, indicating that the ransomware ecosystem has not yet reached a point of market saturation." He went on to add that GuidePoint predicts an upward continuation of ransomware impacts into 2024 and beyond, until financial conflicts arise between ransomware groups or the space becomes less attractive due to law enforcement and regulatory pressures.