Annual GRIT Ransomware Report – 2023

With the conclusion of 2023, the GuidePoint Research and Intelligence Team (GRIT) has compiled our second annual report on ransomware activity over the last year. What follows is a brief summary of the report’s contents; for full details and analysis, you can find the complete 2023 Annual GRIT Ransomware Report here.

In last year’s Annual Ransomware Report, GRIT identified ransomware as “the most prolific and impactful threat to our networks, data, and operational capabilities,” with more than 2,500 publicly posted victims observed in 2022. While we predicted a continuing steady increase in ransomware activity, 2023 outpaced our expectations, with year-over-year victim volume nearly doubling, driven in part by multiple mass exploitation campaigns impacting hundreds of organizations. In total, we observed 63 distinct ransomware groups leverage encryption, data exfiltration, data extortion, and other novel tactics to compromise and publicly post 4,519 victims across all 30 of GRIT’s tracked industries, and in 120 countries.

Relative to the remainder of the year, Ransomware’s operational tempo in 2023 began slowly, with a progressive increase in victim postings building up to a record high of 1,353 victim posts in Q3, followed by a comparatively mild 1,170 victim posts in Q4. As Q4’s drop-off does not appear to correlate with any significant changes in the ransomware ecosystem, results from January 2024 may yet show whether victim volume will decrease, remain constant, or return to form by increasing in the new year. 

Key Highlights

The United States was by far the most impacted country in 2023. Among posted victims, 2,199 were US-based organizations, accounting for 49% of all observed ransomware attacks in 2023. Eight out of the ten most impacted countries were within North America and Europe, with Brazil and Australia as the sole outliers. The same “top ten” most impacted countries were home to 76% of all observed victim organizations, of which 27% impacted non-US countries.

From an industry perspective, GRIT observed most impacts affecting a limited subset of industries. 62% of all observed victims belong to one of the “top ten” most-impacted industries, with Manufacturing and Technology remaining the two most-impacted industries; Manufacturing and Technology represented 12.9% and 7.9% of all victims, respectively. 

In line with GRIT’s taxonomy for classifying ransomware groups, long-term Established groups accounted for the overwhelming majority of observed victims (85%), followed by Developing groups (10%). Ephemeral and Emerging groups, as the newest and shortest-term entrants, lagged behind their maturing counterparts but still posed a significant threat to worldwide organizations, exacerbated by less “reliable” actors and frequently recycled malware. We note that for 2023, we have attributed only one Rebrand group in Black Suit, stemming from the now inactive Established group, Royal. Conversely, we have not definitively attributed any Splinter groups in 2023, though groups that we currently classify as Emerging or Ephemeral may, in time, show indications of having Splintered from other organizations.

Tactically, 2023 presented repeated opportunities for new entrants in the ransomware ecosystem. This was achieved either through reduced technical barriers such as the recycling of leaked ransomware builders and commodity malware, or the recycling of previously leaked data for re-extortion and claims of attacks that never were. For those established groups with resources and technical expertise, exploitation of high-severity and zero-day vulnerabilities provided a reliable means of exploiting victims at scale, a trend we assess as likely to continue into 2024 as a means of overcoming improvements in security.Law enforcement disruptions and rumors thereof circulated the ransomware community in 2023, culminating in a highly publicized takedown of Alphv’s dark web leak site. Regrettably, Alphv chose not to go down without a fight, and its continued presence and operations highlight the resiliency of Ransomware’s most entrenched groups. Targeting of victims previously considered “off limits,” such as schools and hospitals, is expected to continue, as are attempts to attract additional attention to high-impact ransomware attacks. This brinksmanship, which aligns with several of the novel coercive techniques we observed in 2023, will likely attract the attention of both law enforcement and potential affiliates over time.

To read the full report, including a detailed evaluation of 2023’s trends, threat actor activity analysis, and analysis of the major events of 2023 and how they’ll impact the next year, download the full report here.