The first quarter of 2023 was the best quarter we’ve seen for the ransomware industry in a long time, even exceeding Q1 2022. With 831 victims, Q1 2023’s victim count was much higher than the first quarter of 2022, with just 763 victims.
Unsurprisingly, LockBit3.0 remained the number one group claiming an average of around 23 victims per week and almost 33% of all ransomware cases this quarter.
The groups that came in second and third places were Clop Ransomware and ALPHV/BlackCat ransomware, with 104 and 81 victims, respectively.
In addition, we saw some notable events, such as LockBit’s Royal Mail incident, the shutdown of Hive Ransomware and the ESXiArgs campaign with thousands of infected machines.
As mentioned, LockBit3.0, ALPHV and Royal are currently leading the industry; LockBit has the most victims (Figure 1).
When it comes to the top 10 targeted countries, the US remains the number one ransomware target, followed by the UK and Canada (Figure 2).
Analyzing the victims by sectors, we can see that the manufacturing sector is the top targeted sector this quarter, along with the services and construction sectors (Figure 3).
During this quarter, we encountered several interesting ransomware cases.
At the beginning of February, the U.S. Department of Justice celebrated a major victory in the fight against ransomware by dismantling and confiscating the infrastructure of Hive ransomware (Figure 4), which was one of the most persistent groups in the ransomware industry and was ranked in the top 10 ransomware groups in 2022.
Hive ransomware emerged in mid-2021 and has reportedly targeted and held ransom about 1,500 victims.
At a press conference led by FBI Director Christopher Wray, it was revealed that the FBI had taken control of servers in Los Angeles, which contained important Hive ransomware gang data. The operation was the culmination of several months of investigation, beginning with the FBI’s infiltration of Hive ransomware’s network in July 2022. By gaining access to the network, the FBI obtained the decryption keys for the ransomware and provided them to 1,300 current and former Hive targets.
While many celebrated the takedown, some doubt it will have any real effect on the ransomware industry in general. Currently, there has been no actual change and none of the other veteran groups went off-grid because of this incident.
In early January, the UK’s Royal Mail was compromised by a ransomware attack. At first, it seemed that the attack used a new LockBit module named LockBit Black.
However, when LockBitSupp was contacted, they claimed that this was indeed their module, but that they were not aware of any campaign targeting the UK’s Royal Mail.
This claim raised many speculations regarding copycats or new groups that emerged due to a leak LockBit had in September 2022.
Several days later, LockBit3.0 made another announcement saying that they had found the affiliate that was responsible for the attack and they reclaimed responsibility for the case, saying, “We have too much activity going on these days and it’s hard to keep track of everything”.
During negotiations for this case, LockBit demanded a £65 million ransom, which was rejected by the Royal Mail.
While observing LockBit’s negotiation chats, the group said that these are hard times for the ransomware industry as they are impacted by less profitable campaigns.
Over the weekend, a relatively new ransomware group named Nevada Ransomware initiated its first massive campaign, targeting any ESXi machine that is exposed to the internet. The group seemed to compromise hundreds of servers over the weekend and caused major damage. Although the scale of this campaign is one of the biggest we have seen, it might already have a solution.
As mentioned, the group includes only Russian and Chinese speakers. As a result, the group’s encryption module does not target Russia, Albania, Hungary, Vietnam, Malaysia, Thailand, Turkey and Iran.
Over the weekend, the group targeted any front-facing ESXi machine it could find and exploited multiple related vulnerabilities. A significant proportion of the victim count is concentrated in France.
The group encrypts the configuration files of the ESXi systems instead of encrypting the vmdk disks themselves.
Then, a ransomware note is left for the victim with contact information for negotiations.
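Because the campaign described above hit configuration files rather than the vmdk disk data, a responder’s first question per VM is whether the disk data survived and which small config files need rebuilding. The following triage script is an added example (not Cyberint tooling and not from the page); the `.locked` marker suffix and the datastore listing are constructed placeholders, not the campaign’s real indicators.

```python
"""Per-VM recoverability triage for an ESXi datastore listing."""
from collections import defaultdict
from pathlib import PurePosixPath

ENCRYPTED_SUFFIX = ".locked"  # ASSUMPTION: placeholder marker appended to encrypted files
CONFIG_EXTS = {".vmx", ".vmxf", ".vmsd", ".nvram"}  # small ESXi config artifacts


def triage_datastore(paths, marker=ENCRYPTED_SUFFIX):
    """Group file paths by VM directory and classify each VM's state.

    States: "config-only" (disk data intact, only config hit and rebuildable),
    "disk-hit" (a .vmdk descriptor or flat file carries the marker),
    "untouched" (nothing hit) or "no-disk-found" (no vmdk seen at all).
    """
    per_vm = defaultdict(list)
    for p in paths:
        per_vm[PurePosixPath(p).parent.name].append(PurePosixPath(p).name)
    report = {}
    for vm, names in per_vm.items():
        hit_configs, disk_data, hit_disks = [], [], []
        for name in sorted(names):
            encrypted = name.endswith(marker)
            base = name[: -len(marker)] if encrypted else name  # strip marker
            ext = PurePosixPath(base).suffix
            if ext in CONFIG_EXTS and encrypted:
                hit_configs.append(base)  # config file that must be rebuilt
            elif ext == ".vmdk":
                (hit_disks if encrypted else disk_data).append(base)
        if hit_disks:
            state = "disk-hit"
        elif hit_configs and disk_data:
            state = "config-only"
        elif disk_data:
            state = "untouched"
        else:
            state = "no-disk-found"
        report[vm] = {"state": state, "rebuild": hit_configs, "disks": disk_data}
    return report


SAMPLE_PATHS = [  # constructed datastore listing after an incident
    "/vmfs/volumes/ds1/web01/web01.vmx.locked",
    "/vmfs/volumes/ds1/web01/web01.nvram.locked",
    "/vmfs/volumes/ds1/web01/web01.vmdk",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk",
    "/vmfs/volumes/ds1/db01/db01.vmx",
    "/vmfs/volumes/ds1/db01/db01.vmdk",
    "/vmfs/volumes/ds1/db01/db01-flat.vmdk",
    "/vmfs/volumes/ds1/old01/old01.vmx.locked",
    "/vmfs/volumes/ds1/old01/old01.vmdk.locked",
    "/vmfs/volumes/ds1/old01/old01-flat.vmdk",
]

if __name__ == "__main__":
    for vm, info in triage_datastore(SAMPLE_PATHS).items():
        print(f"{vm}: {info['state']}, rebuild {info['rebuild']}")
```

In a real datastore the listing would come from walking `/vmfs/volumes` on the host, and a "config-only" VM is the case where the disk data can be re-registered after recreating its config files.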
Clop Ransomware is a veteran ransomware group that emerged in February 2019 and targeted most industries worldwide, including retail, manufacturing, energy and finance.
Over the last three weeks of Q1, Clop’s victim count was much higher than the average numbers we are used to seeing from this group. Clop was able to claim a massive number of victims worldwide and even surpassed the current ruler of the ransomware industry, LockBit3.0.
The Cyberint research team has covered this anomaly in this blog post “Is Clop the New Ransomware to Watch?”, which is recommended reading.
During Q1, Cyberint’s research team found 167 new ransomware families. While this number seems very high, not all of them will become major actors in the ransomware industry, and some of them target individuals and not organizations.
Those that the Cyberint research team found more interesting this quarter than the others are Medusa ransomware and Nevada ransomware.
Medusa ransomware has become a solid member in the ransomware industry in 2023, targeting corporate victims worldwide with high ransom demands.
The Medusa operation started in June 2021 but with relatively low activity, and few victims. However, in 2023 this ransomware gang increased its activity and launched its own unique ‘Medusa Blog’ and like the classic double-extortion model, threatened to leak the files if the ransom isn’t paid.
One of the cases that made Medusa ransomware fairly well known in the mainstream was the video they published showing the stolen data from one of their campaigns, targeting the Minneapolis Public Schools (MPS).
Throughout this quarter, Medusa compromised 20 victims, with its activity starting in mid-February.
The Nevada group was first introduced to the cybercrime industry on December 10, 2021, when they published an announcement to recruit new members to their Ransomware-as-a-Service plan.
The group works with only Russian and Chinese-speaking individuals.
Their encryption module is built in Rust and is currently still under development, as the group claims it will target Windows and Linux machines in addition to ESXi.
As the group is still very new, there is a chance that this incident was merely an initial experiment for their products and an opportunity to get some free PR, given that any threat actor in the cybercrime industry knows their name.
This campaign claimed around 3,200 victims in the first week. It taught us a lot about the awareness companies have of version control. One of the vulnerabilities that was exploited was a two-year-old vulnerability, where the patch has been available for around the same amount of time.
The ransomware industry is on the rise once again. Clop delivered explosive numbers towards the end of the quarter, Royal became more firmly established and LockBit3.0 stayed consistent. This led to the ransomware industry claiming a greater number of victims than in any quarter of the past year.
Considering that Hive ransomware operators might make a comeback in the next 2-3 months with a rebrand, we see a shift in favor of the ransomware industry, as the once-new groups are now a persistent threat in our landscape.