Story of H1 2023: Statistical Insights into Ransomware Trends and Impact on Victims (English ver.)

Published in S2W BLOG, Aug 18, 2023

Author: Kyunghee Kim, Jiho Kim and Huiseong Yang | S2W TALON

Last Modified : Aug 11, 2023

Executive Summary

This report analyzes the activities of ransomware groups during the first half of 2023, spanning from January 1st to June 30th.

The analysis targets ransomware groups with Leak sites and the victim organizations uploaded on these Leak sites.

In H1 2023, 1,846 organizations were reported on Leak sites as having been infected with ransomware.

  • Compared to H1 2022 (from January 1st to June 30th), there was an increase of 608 victimized companies.

A total of 46 ransomware groups were active during H1 2023, each attacking an average of approximately 40 organizations.

There were 25 new or link-changed Leak sites during H1 2023, each attacking an average of about 13 organizations.

In H1 2023, ransomware groups targeted large enterprises at a rate of 9.1%, and the proportion of large corporate targets increased compared to H1 2022.

The top 10 countries most affected by ransomware during H1 2023 were identified, with the United States being the most impacted.

  • Countries in the Americas experienced a significant increase in ransomware incidents in H1 2023 compared to H1 2022, with the United States seeing the most significant rise.
  • In contrast, countries in Europe and Asia saw a decrease in ransomware incidents in 2023 compared to 2022, with Italy experiencing the most significant reduction.

The top 10 industries affected by ransomware groups during H1 2023 were identified, with manufacturing taking the hardest hit.

  • Compared to H1 2022, industries such as manufacturing, healthcare, and education were ranked at the top in 2023, indicating an increase in attacks on industries vulnerable to security breaches.
  • There were 43 confirmed ransomware incidents involving government agencies, showing an increase compared to H1 2022.

Through this report, we aim to provide transparent statistical analysis results, enhance understanding of recent ransomware group attacks, and contribute to the development of countermeasures and response strategies against ransomware groups.

For a deeper understanding of ransomware groups and the detailed issues surrounding them, refer to “Story of the H1 2023: In-depth Examination of Notable Ransomware Groups and Key Issues”.

Statistics of victims attacked by ransomware groups

1. Overall ransomware group activity in H1 2023

During H1 2023, we observed 1,846 organizations compromised by attacks from ransomware groups. This is an increase of 608 organizations from the 1,238 organizations impacted by ransomware attacks in H1 last year. Figure 1 shows that ransomware activity was more frequent in H1 2023 than in H1 2022 across all monthly segments from January through June, and the average number of organizations affected per month increased by approximately 101.

Figure 1. Monthly activity in 2023 compared to H1 2022

Based on our analysis of the ransomware groups operating Leak sites, we found a total of 46 active ransomware groups in H1 2023. Each attacked an average of nearly 40 organizations. The top 10 most active ransomware groups accounted for 78.3% of all ransomware attacks in H1 2023, with specific breakdowns in Table 1 and Figure 2.

  • The top 10 ransomware groups in terms of attack activity conducted attacks against an average of 145 organizations.
  • Excluding the top 10 ransomware groups, the 36 ransomware groups conducted attacks against an average of about 11 organizations.
  • The average attack volume of the top 10 ransomware groups was nearly 13 times higher than that of groups that did not make the top 10, indicating a large disparity in attack activity.

Figure 2. Graph of attack volume by active ransomware groups in 2023

Table 1. Top 10 Ransomware Group Attack Volume Table

2. Activity of new ransomware groups

In H1 2023, 25 new and link-changed Leak sites were identified. There were 22 newly discovered leak sites and 3 leak sites with changed onion addresses. Additionally, we identified one leak site that has ceased operations.

The 22 newly emerged ransomware groups in H1 2023 uploaded a total of 280 activities, an average of about 13 per group. This is about 0.3 times the average activity of all ransomware groups, which was 40.

In contrast, the Medusa, AKIRA, and 8Base ransomware groups each recorded more than three times the new-group average of 13 and rank among the top 10 new ransomware groups in 2023 by a wide margin.

  • Medusa ransomware was the most active of the new ransomware families, with 70 attacks in H1 2023. The Leak site of the Medusa ransomware group, which was discovered in February 2023, is different from the Leak site of the MedusaLocker ransomware, which has been active since February 2021, and the ransomware used by the two groups is different.
  • The AKIRA ransomware group, which carried out 54 attacks in H1 2023, was discovered in early April 2023 and provides a list of affected organizations and announcements on its leak site in the form of a command-based CLI.
  • The 8Base ransomware group, which carried out 44 attacks in H1 2023, was first spotted with a leak site in late May 2023, and VX-Underground noted that the 8Base ransomware group will be a big player in the ransomware industry in a few months.
Figure 3. New ransomware group activity in H1 2023.

3. Targeted Victim Enterprises Size

We investigated and analyzed the size of companies attacked by ransomware groups. Companies were categorized by revenue, using the revenue-based company classification criteria defined by Gartner.

Figure 4. Gartner’s categorization of organizations based on revenue.

In H1 2023, 937 small organizations, 469 midsize organizations, and 140 large organizations were victimized by ransomware, while 300 organizations did not publicly disclose their revenue. As a result, among the affected companies whose size is known in H1 2023, 90.9% are small and midsize enterprises and 9.1% are large organizations.

In H1 2022, 468 small organizations, 223 midsize organizations, and 60 large organizations were victimized by ransomware, while 487 companies were identified that did not disclose their revenue. Therefore, among the affected companies whose size is known, 92.0% are small and midsize enterprises and 8.0% are large organizations.

Figure 5. Radar Chart categorizing companies by revenue (Left-2022, Right-2023)

Table 2 shows that the proportion of large organizations targeted is higher in H1 2023 than in 2022. However, it should be noted that large enterprises, which possess the financial capability to pay the ransom and hold substantial amounts of crucial information, might have paid the ransom before their data was uploaded to leak sites. In such cases, the figures presented might differ, with the possibility that the proportion of large enterprises could be even higher than what is shown in Table 2.

Table 2. 2022 and 1H 2023 target company classification frequency table

Comparing the victimized organizations in H1 2022 and H1 2023, we found that the trend toward more small and midsize business targets may reflect the attack behavior of newer ransomware groups in H1 2023.

  • Of the existing ransomware groups active since before H1 2023, LockBit includes 32 large organizations out of 508 total attacks, CLOP includes 43 large organizations out of 193 total attacks, and BlackCat includes 17 large organizations out of 204 total attacks.
  • On the other hand, Medusa, 8Base, and Rhysida, the new ransomware groups that emerged in H1 2023, have a much lower percentage of attacks on large enterprises, with 2 attacks on large enterprises out of a total of 69 attacks. Additionally, 8Base, with 44 attacks, and Rhysida, with 18 attacks, have zero attacks on large enterprises. This confirms the trend of new ransomware groups targeting small and medium-sized businesses.

4. Targeted Victim Country

4.1. Top 10 Targeted Victim Countries

The top 10 ransomware victim countries account for 72.6% of all victim organization countries. The top 10 victim countries include four countries in Europe, three countries in the Americas, one country in Oceania, and one country in Asia, indicating that countries in Europe and the Americas are the most frequently targeted by ransomware. The top 10 countries all rank between 1st and 14th in terms of GDP, meaning that many of the ransomware attacks in H1 2023 targeted countries with higher economic power.

Table 3. Top 10 Ransomware-Affected Countries
Figure 6. Top 10 Ransomware-Affected Countries Graph

4.2. Top 10 Countries with increased target count compared to H1 2022

The United States saw the largest increase in the number of ransomware victims in H1 2023 compared to H1 2022. Table 4 shows the top 10 other countries that saw an increase in ransomware victims.

  • The United States, Canada, and the United Kingdom, the top three countries in terms of damage in H1 2023 in Table 3, are also the top three countries in terms of ransomware damage growth in Table 4.
Table 4. Top 10 Ransomware Reduction Countries
Figure 7. Graph of the top 10 countries with the most ransomware victims

4.3. Top 10 Countries with reduced target count compared to H1 2022

Italy was the country with the largest decrease in ransomware victims in H1 2023 compared to H1 2022. Table 5 shows the top 10 countries with the largest decrease in ransomware victims. Of the top 10 declining countries, six are in Europe and four are in Asia: countries in Europe and Asia experienced significant year-over-year declines in ransomware victimization. Italy, the country with the largest decrease in ransomware victims, introduced the following cybersecurity support measures in 2023.

  • (January 20, 2023) The Italian National Cybersecurity Agency (ACN) and Cisco Italy formalized a Memorandum of Understanding (MoU) which encompasses cooperative measures for the prevention of cyber attacks.
  • (January 25, 2023) An MoU was instituted between ACN and CERTFin, representing the Computer Emergency Response Team dedicated to the Italian financial sector.
  • (February 2, 2023) A joint collaboration platform was unveiled by ACN in association with Amazon Web Services. This initiative aims to promote a program designed for the dissemination of information related to cyber threats.
Table 5. Top 10 Countries with reduced ransomware attacks
Figure 8. Graph of TOP 10 countries with reduced ransomware attacks

5. Targeted Victim Industry

5.1. Top 10 Targeted Industries

The top 10 affected industries account for 73.7% of all affected industries, with the most affected industry being manufacturing, which accounts for 18.8% of all affected organizations. Ransomware groups may consider the following factors when targeting the manufacturing industry:

  • In the manufacturing industry, the damage caused by a ransomware attack can lead to significant downtime in the manufacturing process, resulting in production delays, supply chain disruptions, and significant financial losses. According to IBM Security, ransomware groups may perceive that manufacturing companies are more likely to pay for recovery quickly to minimize production disruption.
  • BTG Legal also found that awareness of protective measures and security updates for systems and equipment utilized by the manufacturing industry is relatively low, which can lead to vulnerabilities that attackers can exploit to gain unauthorized access and distribute ransomware.

Ransomware groups tend to target industries with large revenues, as the top 10 affected industries include five of the top 10 industries with the largest revenues in 2023 according to IBIS.

Table 6. Top 10 Ransomware Affected Industries (Yellow: Top 10 Industries by Revenue)

5.2. Targeted governments in H1 2023

While the number of ransomware attacks on government agencies in H1 2022 was relatively low at 10, the number of victims increased by 33 in H1 2023, for a total of 43 attacks against government agencies. The impact of ransomware attacks on government agencies is significant, as they can cause prolonged downtime for councils and critical infrastructure services. On April 17, 2022, an examination of the Conti ransomware group’s attack on Costa Rica revealed risks beyond the immediate implications. Not only were citizens’ data exposed, but there was also a potential for the leak of confidential national documents, indicating a broader scope for the ramifications of the ransomware attack.

  • According to an article published by Comparitech, the average ransomware damage to government agencies exceeded $1M for the first time in 2022, raising the cost of ransomware recovery for government agencies, which is likely the purpose of most ransomware groups’ activities.

13 ransomware groups conducted ransomware activity against 43 government organizations in H1 2023, with LockBit ransomware leading the way with 18 government targets.

  • The 13 ransomware groups above rank in the top 25 of overall ransomware activity and have in common that each carried out at least nine ransomware attacks in 2023.

Government compromises were observed for five of the top 10 affected countries in 2023: the United States, Australia, Italy, India, and France. The United States, being the most frequently affected country that year, recorded the highest number of government agency breaches with 17 cases. Government compromises were also observed in 18 other countries that are not included in the 2023 top 10 most affected nations.

  • Among the countries that experienced breaches in their government agencies, the five that were included in the top 10 most affected nations in 2023 are ranked from 1st to 13th in the global GDP. In contrast, the other 18 countries fall between the 14th and 81st ranks in GDP, belonging to nations with relatively lower economic standings.
  • As per Section 4.1, while ransomware attacks generally target countries with a higher GDP, attacks targeting government agencies were also observed in nations with a lower GDP ranking.
Table 7. Top 10 Countries Affected by Ransomware Government Agencies

5.3. Additional Trends from the Perspective of Targeted Industries

Of the top 10 industries that saw an increase in victimization over the past year, manufacturing saw the largest increase, followed by healthcare and education. The increase in attacks on these sectors indicates that ransomware groups are increasingly targeting these vulnerable industries. Furthermore, even if they do not receive the ransom money after conducting an attack on these industries, they can still generate additional revenue by selling the stolen data.

Table 8. Top 10 Industries with Increased Ransomware Damage in 2023 vs. 2022

We also saw some unusual targeting cases involving existing and new ransomware groups.

  • Existing ransomware group case 1: LockBit posts guidelines on its official leak site, prohibiting attacks on social supply chains and major medical facilities. The group sets its own ethical standards, selectively choosing its ransom targets based on these posted criteria.
Figure 9. Excerpt from the original LockBit ransomware official site announcement.
  • Existing ransomware group case 2: LockBit successfully launched a ransomware attack on SickKids, a hospital in Canada that provides medical services to children. They managed to encrypt the hospital’s system. However, recognizing the delays they caused in medical diagnoses and treatments, they issued an apology for the attack on the hospital and provided a decryption tool for free.
Figure 10. Original LockBit ransomware attack apology (Source: BleepingComputer)
  • New ransomware group case: Rhysida targeted the website of Hollywood Forever, a funeral service located in the United States. This instance demonstrates a lack of alertness or ethical remorse concerning their choice of attack targets.
Figure 11. New Rhysida ransomware attack example

In contrast to existing ransomware groups that have their own criteria for selecting targets for ransomware attacks, the new ransomware group does not appear to have any ethical criteria for selecting targets, as shown by its attack on a cemetery management site, and appears to be solely driven by money. This is likely a strategy to secure revenue and not compete with the large established ransomware groups.

Conclusion

  • Ransomware attacks continue to be active in 2023, with more than 20 new ransomware groups emerging in H1 2023 compared to H1 last year.
  • The United States not only had the highest number of ransomware victims in 2023 but also witnessed the most significant increase in cases compared to 2022.
  • Italy experienced the most substantial decrease in ransomware attacks, a decline that may be attributed to the cybersecurity measures introduced in the country during 2023.
  • Victimization analysis identified target-specific characteristics between new and existing ransomware groups, including a higher proportion of new ransomware groups targeting small and medium-sized enterprises than old ransomware groups, no identified criteria for target selection, and a tendency to conduct indiscriminate attacks.

— It is surmised that these new ransomware groups focus on companies where there’s a higher likelihood of a successful attack, primarily aiming to extract ransom payments.

  • There has also been a surge in ransomware activities targeting governmental bodies. The groups that attacked government entities have all conducted ransomware activities nine times or more in this H1, suggesting they are groups with a significant amount of experience.
  • Ransomware attacks continue to proliferate and evolve, posing a severe threat to both corporations and individuals.
  • Businesses must recognize the importance of bolstering security and the necessity of backup systems. There’s an imperative need for close collaboration between the cybersecurity industry and companies, along with the proactive adoption of countermeasures.

P.S. Thanks to the Data · Infra and Knowledge Engineering teams for their assistance with data collection and processing for this report.
