2023 Ransomware Attack Report

BlackFog has been recording publicly disclosed ransomware attacks since 2020, and in 2023 we also began recording the number of undisclosed attacks, those that are listed on the data leak sites and dark web by the attackers. The 2023 ransomware attack report summarizes the key findings from 2023 compared to previous years.

2023 was a watershed moment for ransomware, one that saw records broken in 11 of the 12 months over the previous years since 2020. In fact, 2023 saw a massive 68% in the number of attacks over 2022 (our previous record), with a total of 630 ransomware attacks.

We note that it only took the first 9 months of the year for 2023 to eclipse the entirety of attacks of 2022. The largest month on record was November with a total of 89 attacks followed by December and September, both with 70.

Most notable during 2023 was the continued increase in the level of data exfiltration, which finished the year at 91%. Virtually all attacks and variants do not focus on encryption at all. Extortion is the key goal of virtually all attacks and is ultimately the key leverage used against victims. Some gangs are even utilizing new regulations from the SEC to report the attack themselves and force the victims to pay.

While we have no comparison for undisclosed attacks from 2022, we witnessed a bit of a roller coaster ride when calculating the ratio of unreported to reported attacks last year. We saw this finally settle at 5 times the number of reported attacks, significantly down from 14 times in the first quarter of the year. We attribute this to a number of regulatory changes that are forcing public companies to disclose attacks. There is also some realization that trying to hide an attack can cause more damage than it’s worth from a reputational and liability perspective.

The USA, UK, Canada, and Australia were the top 4 targets of 2023 with 55%, 8%, 4% and 3% respectively for a total of 70% of all publicly disclosed attacks. This was 7% higher overall than the top 4 in 2022, but most notably there was a 9% increase in attacks on the USA. The other countries showed no significant changes from 2022.

For the first time ever, more than 1 in every 2 victims were in the USA. This year we also saw data exfiltration to China increase to 29% (2% increase) of all attacks, followed by Russia with 9% (8% decrease). The impact of sanctions and several high-profile takedowns by coordinated governments helped decrease the number and extent of Russian gangs through 2023. The void is being increasingly filled by China which saw large gains last year.

In 2023 we saw the healthcare sector dominate the number of attacks with a massive 138% increase over 2022, representing 21% of all attacks. This was followed by education and government with 70% and 57% increases respectively from 2022, rounding out the top 3 sectors. This was followed by the manufacturing and technology sectors with 76% and 46% increases respectively from 2022.

We also saw a large decrease in the size of targeted organizations with an average of 6,918 employees, a 285% decrease from 2022. This highlights a general trend we saw in 2023 with the increased targeting of small to medium size organizations.

The top ransomware variants of 2023 were LockBit (19.2%), BlackCat (18.4%), Medusa (5.5%) and Play (4.6%). Notably, LockBit and BlackCat now represent 38% of all attack variants and were up 3.5% and 5.4% respectively over 2022. This increase in both is particularly significant when we consider the overall volume of attacks, representing increases of 149% for LockBit and 186% for BlackCat over 2022.

We also witnessed several trends throughout 2023 and we discuss these in more detail in a separate blog, “The 6 Key Ransomware Trends of 2023”.