Ransomware: 2023 Victim Count Appears to Reach Record Levels
Healthcare, School District and University Victim Counts Increase, Research Reports
The number of known ransomware victims continues to increase.
Comparing 2022 to 2023, the total number of confirmed, successful attacks in the U.S. jumped from 220 to 321, found a new report from security firm Emsisoft.
In that time frame, the count of known U.S. organizations that fell victim to ransomware increased by 60% for hospital systems, 82% for K-12 school districts and 48% for post-secondary schools. Only the number of known government victims decreased, by 11%, according to Emsisoft.
The attacks disrupted a wide range of facilities. The 46 hospital groups attacked in 2023 collectively comprised 141 hospitals, while the 48 school district victims collectively included 1,899 schools.
The total count doesn't include the massive campaign against users of MOVEit secure file-transfer software in May, in which the Clop ransomware group used a since-patched vulnerability to steal data, while encrypting no systems. By Emsisoft's count, the attacks directly or indirectly affected over 2,700 organizations and led to personal information for 93 million individuals being exposed.
Not counting the MOVEit campaign, the numbers still suggest the damage being caused by ransomware is worsening, given the attendant disruption victims face. The full extent of the problem continues to be unknown, in part because not all victims publicly disclose attacks, while ransomware groups that run victim-shaming and data-leaking blogs only list a subset of nonpaying victims.
Even when victims do publicly acknowledge getting hit, many will "use obfuscatory language - for example, referring to incidents as 'encryption events' rather than 'ransomware attacks,'" which complicates attempts to track this type of crime, Emsisoft's report says.
Who Pays?
The total number of victims who pay a ransom also isn't clear, although some firms that assist victims do publish aggregated data.
For Q3 of last year, ransomware incident response firm Coveware, based on the thousands of cases it helped investigate, reported that 41% of victims paid, up slightly from 34% in Q2. The firm described this change as a "normal swing" rather than the start of an ominous trend.
So too for the portion of victims who paid a ransom only for a promise from attackers to not leak exfiltrated data - versus paying at least in part for a decryptor - which last year jumped from 29% in Q2 to 40% in Q3, the firm said.
When a victim did pay, the average payment in Q3 was $850,700, Coveware reported, while the median payment was $200,000, both of which were a slight increase from Q2. "We don't ascribe any noteworthy observation to this increase beyond a normal rotation of common variants towards ones that tend to impact larger organizations with larger initial demands," it said.
The firm also cautioned - not for the first time - against paying a ransom in return for a promise from attackers to not leak stolen data. Security experts say there is no evidence that such payments have ever led to a group deleting stolen data, and such a strategy has no proven legal upside (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).
"We have not seen any precedent that paying a ransom mitigates the risk of a class action lawsuit or the ultimate outcome of the lawsuit," Coveware said.
Target: Cybercrime
The apparent increase in the number of ransomware victims last year comes despite Western governments channeling more resources into battling the illicit business model. Many are working more closely together to combat cybercrime and to bolster their domestic organizations' business resilience to better repel all types of online attacks. Law enforcement is also increasingly focused on disrupting groups' operations, even if many of the players remain largely beyond their reach, operating from countries such as Russia.
Last year, international law enforcement operations notched multiple major ransomware disruptions, including shuttering Hive in January and, in December, disrupting BlackCat - aka Alphv - which spun off from the Russian-speaking Conti group in 2022.
The strategy of disrupting ransomware groups likely pays off in the long run, not least from fostering a sense of fatigue, said Yelisey Bohuslavskiy, chief research officer at New York-based threat intelligence firm Red Sense.
"Top-tier ransomware groups have an interesting flaw: They change radically, operationally, logistically, structurally and strategically, but they draw from the same small pool of individuals - 200 or maybe 300 actors are essentially the backbone of all of today's ransomware APTs."
Repeated disruptions of these groups' blog sites, where they list victims, can add friction to their cybercrime operations and decrease the returns from their "pen testing" - aka hacking into victims' networks - endeavors.
"People get tired. They get exhausted psychologically and physically," Bohuslavskiy said. "Pen testing is both tedious and sporadic and usually claims about one win per five to 10 losses. If your group suffers a major hit and needs to rebuild, this causes internal conflicts and chaos. This may be enough to convince people to quit for good."
Even so, a huge amount of funds continues to flow to criminals, leading some cybersecurity experts to call for an international ban on ransom payments. "I've resisted the idea of blanket bans on ransom payments for years, but I think that has to change," Allan Liska, a threat intelligence analyst at Recorded Future, told Emsisoft for its report.
"Ransomware is getting worse, not just in the number of attacks but in the aggressive nature of the attacks and the groups behind them," Liska said. "What we are doing simply isn't working."
Critics of ransom bans say that for some victims, paying a ransom might be the only thing standing between them and bankruptcy. Also, whether such bans would work - or whether victims would simply pay ransoms in secret - remains unclear.
What a Ransom Buys - Or Doesn't
Ciaran Martin, the former head of Britain's National Cyber Security Center and now a professor of practice at Oxford University's Blavatnik School of Government, said more needs to be done to emphasize to victims that paying a ransom isn't their only option.
"We have normalized ransom payments, big and small," Martin told the Economist.
The reality is that when criminals do provide a decryptor, they do not always recover 100% of data, experts say. Rebuilding systems and restoring data - even from backups - also typically remains a lengthy process. Coveware said that "trying to move too fast often results in making matters worse."
What does facilitate faster recovery, Coveware said, is establishing a ransomware incident response plan and regularly practicing it via live tabletop exercises. "It turns out that when you practice your IR response, communications and decision-making, you get better at it."