Ransomware trends, statistics and facts in 2023
Supply chain attacks, double extortion and RaaS were just a few of the ransomware trends that plagued 2022 and will continue to disrupt businesses in 2023.
2022 was a breakout year for ransomware as the cybersecurity attack vector wreaked havoc on individuals and organizations around the world. It's a trend that is likely to continue in 2023 and beyond.
While ransomware is not a new cybersecurity risk, it is a threat that received attention at the highest levels of government. Ransomware has affected people's ability to get healthcare, put gas in their vehicles and buy groceries.
The financial effects of ransomware also became particularly pronounced in recent years. Attacks hit supply chains, causing more widespread damage than an attack against a single individual. There has also been an increased response from government and technology vendors to help stem the tide of ransomware attacks.
Ransomware trends in 2021 and 2022
A few key ransomware trends emerged over the course of 2021 and 2022 and will likely continue into 2023. Attackers realized that certain techniques yield better results and focused on those approaches. Here are some of the primary trends for ransomware in recent years:
- Supply chain attacks. Instead of attacking a single victim, supply chain attacks extend the blast radius. A prime example of such an attack is the 2021 Kaseya attack, which affected at least 1,500 of its managed service provider customers.
- Double extortion. In the past, ransomware was about attackers encrypting information found on a system and then demanding a ransom in exchange for a decryption key. With double extortion, attackers also exfiltrate the data to a separate location. There, it can be used for other purposes, including leaking the information to a public website if a payment is not received.
- Ransomware as a service (RaaS). Gone are the days when every attacker had to write their own ransomware code and run a unique set of activities. RaaS is pay-for-use malware. It enables attackers to use a platform that provides the necessary ransomware code and operational infrastructure to launch and maintain a ransomware campaign.
- Attacking unpatched systems. This was not a new trend for 2022, but it is one that continues to be an issue. While there are ransomware attacks that make use of novel zero-day vulnerabilities, most continue to abuse known vulnerabilities on unpatched systems.
- Phishing. While ransomware attacks can infect organizations in different ways, in 2022 some form of phishing email was more often than not a root cause.
Ransomware statistics for 2021 and 2022
The statistics listed below provide insight into the breadth and growing scale of ransomware threats:
- According to the 2022 "Verizon Data Breach Investigations Report," ransomware attacks surged dramatically in 2022; ransomware was involved in 25% of all breaches.
- Ransomware affected 66% of organizations in 2021, an increase of 78% over 2020, according to Sophos's "The State of Ransomware 2022" report.
- The FBI's Internet Crime Complaint Center received 3,729 complaints about ransomware attacks in 2021. Those attacks accounted for financial losses of $49.2 million.
- The Cybersecurity and Infrastructure Security Agency reported in February 2022 that it is aware of ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors.
- Since 2020, there have been more than 130 different ransomware strains detected, according to VirusTotal's "Ransomware in a Global Context" report:
  - The GandCrab ransomware family was the most prevalent, comprising 78.5% of all samples received.
  - Ninety-five percent of all the ransomware samples were Windows-based executable files or dynamic link libraries.
Ransomware statistics by industry
Ransomware can hit any individual or industry, and all verticals are at risk. That said, ransomware attacks have affected some verticals more than others in 2022 and will continue to be an issue for years to come. Here are the top ransomware targets by industry, according to the Digital Shadows Q3 2022 update:
- industrial goods and services
- construction and materials
- travel and leisure
- legal services
- food and beverage
Costs of ransomware attacks and payment trends
The costs attributed to ransomware incidents vary significantly, depending on the reporting source. Different points of view from both the private and public sector provide some visibility into the cost and payment trends for ransomware attacks:
- According to the 2022 Verizon report, 60% of ransomware incidents did not result in any loss. While not every ransomware victim pays a ransom or incurs a cost, some do.
- In its "Cost of a Data Breach 2022" report, IBM revealed an average ransom payment of $812,360. The actual ransom payment, however, is only part of the total cost of a ransomware attack, which IBM pegs at $4.5 million on average. IBM also noted that it takes an average of 49 days longer than other types of attacks for organizations to identify and remediate ransomware breaches.
- Of all cyber insurance claims, 34% were ransomware-related in the first half of 2022, according to the "Corvus Risk Insights Index." The average ransom paid out by the insurer during the same time period was $255,000.
- 2021 saw $1.2 billion in Bank Secrecy Act filings for ransomware-related incidents, according to the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) analysis. For all of 2020, FinCEN only reported $416 million in ransomware-related costs.
- FinCEN also reported that Russia-related ransomware variants were implicated in approximately 75% of ransomware-related incidents in the second half of 2021.
Recent ransomware attacks
There have been many ransomware attacks in recent years affecting organizations and their customers. Here are some notable ransomware attacks in 2021 and early 2022:
- Acer. In March 2021, global IT hardware vendor Acer was the victim of a ransomware attack executed by the REvil ransomware group.
- CNA Financial. Also in March 2021, cyber insurance carrier CNA Financial disclosed that it was the victim of a cyber attack. The attack was allegedly executed by a group known as Phoenix CryptoLocker.
- Colonial Pipeline. In May 2021, Colonial Pipeline was the victim of a ransomware attack that affected the flow of oil across the eastern U.S.
- JBS USA. In June 2021, a ransomware attack hit meat-processing vendor JBS USA and reduced the company's ability to package meat products. The company reportedly paid $11 million in ransom to criminals that were using the REvil ransomware.
- Kaseya. In July 2021, remote management software vendor Kaseya was the victim of a supply chain ransomware attack. The criminals allegedly used the REvil ransomware platform.
- Sinclair Broadcast Group. In October 2021, Sinclair Broadcast Group was the victim of a ransomware attack that crippled the network's broadcast operations.
- Public services. In early 2022, schools, health services and local U.S. municipal governments were hit by ransomware attacks in the following locations:
  - Pembroke Pines, Fla., on Jan. 13, 2022;
  - Linn County, Ore., on Jan. 24, 2022; and
  - New Bedford, Mass., on Jan. 27, 2022.
- The education sector. There was a spate of ransomware attacks against the education sector in November 2022, with at least 24 confirmed and disclosed incidents.
For a complete list of publicly disclosed ransomware incidents that occurred in 2022, TechTarget Editorial has compiled a comprehensive U.S. ransomware attacks database.
Ransomware didn't start recently, and it won't end anytime soon either. Ransomware will likely continue to evolve in a few different ways. Here are some predictions on the direction that ransomware will take in the years ahead:
- Governments will be more involved. In its list of top cybersecurity predictions for 2022-23, Gartner predicts that nation-states are likely to enact legislation about ransomware payments. In 2021, Gartner estimated that less than 1% of global governments have rules around ransomware, but forecasts that figure will grow to 30% by 2025.
- Beware of cloud-aware ransomware. Security vendor Trend Micro predicts there will be more data extortion in 2023, with new attacks involving cloud-aware ransomware as organizations increasingly move their most critical data assets to the cloud.
- Rise of intermittent encryption. In August 2021, security vendor Sophos first detected a new approach inside ransomware known as intermittent encryption. Intermittent encryption only encrypts parts of files, making them appear as corrupted data. The approach can bypass many forms of current ransomware protection and detection.
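The effect of intermittent encryption on a statistical detector can be shown with an added example that is not part of the original article. It assumes a detector that flags files by byte entropy; the block size, threshold, sample content and all function names are constructed for illustration, and hash output stands in for ciphertext.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096       # analysis window in bytes (assumed)
THRESHOLD = 7.5    # bits per byte treated as "looks encrypted" (assumed)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def ciphertext_stand_in(n: int, seed: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) that
    stand in for encrypted content; no real encryption is performed."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:n])

def make_sample(blocks: int = 64, encrypted_every: int = 0) -> bytes:
    """Constructed file: text blocks, with every Nth block replaced by
    ciphertext-like bytes (0 leaves the file untouched)."""
    plain = (b"Quarterly report line: revenue, costs, margin.\n" * 100)[:BLOCK]
    return b"".join(
        ciphertext_stand_in(BLOCK, i)
        if encrypted_every and i % encrypted_every == 0 else plain
        for i in range(blocks)
    )

def whole_file_flag(data: bytes) -> bool:
    """Single entropy measurement over the entire file."""
    return entropy(data) >= THRESHOLD

def high_entropy_fraction(data: bytes) -> float:
    """Share of fixed-size blocks whose own entropy crosses the threshold."""
    scores = [entropy(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)]
    return sum(s >= THRESHOLD for s in scores) / len(scores) if scores else 0.0

if __name__ == "__main__":
    for name, every in (("clean", 0), ("partial", 8), ("full", 1)):
        sample = make_sample(encrypted_every=every)
        print(name, round(entropy(sample), 2), whole_file_flag(sample),
              high_entropy_fraction(sample))
```

The partially encrypted sample stays below the whole-file threshold while the per-block score still isolates the altered blocks. Compressed formats are high entropy throughout, so a per-block score is only meaningful against a baseline for the same file or file type.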
How to protect against ransomware attacks
Organizations and individuals can take steps to mitigate ransomware attacks. But there is no silver bullet that will solve or defend against ransomware. What's needed is a multilayered approach to improve IT security overall. There are six key steps to safeguard assets against ransomware risks:
- Maintain a defense-in-depth security program. Ransomware is just one of many risks that IT users face. Having multiple layers of defense is a key best practice.
- Consider advanced protection technologies. The use of extended detection and response can help organizations identify potential risks that could lead to ransomware exploitation.
- Educate employees about the risks of social engineering. More often than not, it's users clicking on something that they shouldn't that leads to infection. Education and vigilance are important.
- Patch regularly. Ransomware code often targets known vulnerabilities. By keeping software and firmware updated, a possible attack vector can be eliminated.
- Frequently back up critical data. Ransomware's target is data. By having reliable backups, the risk of losing data can be minimized.
- Consider tabletop exercises. Preparing for ransomware with a tabletop exercise can identify potential gaps and ensure the right process is in place to mitigate and recover from a potential attack.