May 17, 2023 By Mark Stone 4 min read

While examining the state of ransomware in 2023, the statistics show promise — at least on the surface. According to the IBM X-Force Threat Intelligence Index 2023, “Ransomware’s share of incidents declined from 21% in 2021 to 17% in 2022.”

Also promising: ransomware groups had a shaky 2022. The Trickbot group, for example, faced significant challenges — including internal leaks and increased government attention, resulting in the shutdown of their Conti ransomware operation and the retirement of two prominent malware families. LockBit ransomware then emerged as the leading variant in the market, accounting for 17% of all observed cases last year.

While these declines are minimal, it’s a step in the right direction.

But how do we know if fewer people are reporting ransomware attacks? It’s understandable to question whether the decline in incidents may be due to a reduction in reporting.

Is there cause for optimism?

Brett Callow, renowned ransomware expert and threat analyst for Emsisoft, agrees that recent threat group disruptions may decrease the number of incidents. “Unfortunately,” he said, “that dip will only be temporary as the individuals involved with the operations start new ones or partner with other operations. However, the disruptions do have significant value in terms of swinging the needle of the risk-reward ratio more towards ‘risk’ and ‘intel gathering.’”

Callow equates countering ransomware to a game of whack-a-mole. But with more intel, he said, law enforcement can whack the moles faster.

Alex Dow, chief innovation officer for Mirai Security, attributes the decrease in ransomware statistics to several factors — including the war in Ukraine and improved EDR solutions. Dow, who has over 20 years of Security Operations Architecture and Incident Response experience, notes that many ransomware gangs are located in Russia and Ukraine.

“With the conflict raging and sanctions implemented, operating ransomware operations may be more difficult,” he said. “Beyond the obvious kinetic destruction and displacement of people, two other angles to consider: moving money around under sanctions has become impossible,  but more interesting is the potential that the talent is moving to support the war efforts on either side.”

Dow also notes that endpoint detection and response solutions are getting better at catching and stopping ransomware behaviors. “This greatly reduces the efficacy of ransomware attacks and the catastrophic outcomes,” he said. “The more companies that invest in defensive capabilities, the less effective ransomware attacks will become.”

The role of information sharing in incident response

Another crucial defense mechanism in any threat prevention strategy is information sharing.

According to Callow, information sharing is better than it once was, but there is still room for considerable improvement. “It’s critical that we get those improvements,” he said. As somebody once said, ‘Information is power and, in cybersecurity, it’s the power to prevent other similar events.’”

Dow, on the other hand, collaborates with several ISACS and works closely with the Mining and Metals ISAC. “Cyber criminals are moving away from spraying and praying and focusing on sectors that cannot afford to be impacted by ransomware,” he said. “Mining, along with most industrial sectors, cannot afford an interruption to operations, and that is exactly what ransomware does. Many of the industrial sectors lack a defensible IT, let alone OT architecture, and are thus vulnerable to material interruptions to operations. In the heavy industry space, operational interruptions are generally measured in millions of dollars per hour in loss. Attackers know this and are adjusting their sights to the most likely to pay.”

Thus, ISACs can and should play a critical role in helping industries fight ransomware.

Making sense of the statistics

In Callow’s experience, while it’s unclear whether the number of incidents has decreased, it appears that the number of ransoms being paid has decreased. “This is likely because organizations are getting better at protecting their backups and because OFAC (Office of Foreign Access Control) sanctions make payment riskier. I think we’ll see this downward trend continue in 2023,” he said.

Callow is optimistic about the downward trend. However, he also worries that groups could adopt more extreme tactics in an attempt to improve their conversion rates. “In particular, I think we’ll see groups try to make more use of exfiltrated data in order to weaponize customers and business partners,” he said.

Dow, who has spearheaded numerous ransomware remediation and incident response campaigns, said that the trends are moving towards targeting businesses and sectors that can’t afford to be impacted, have substantial tech debt and are likely to pay to alleviate the pain.

“This is not to say it’s only Fortune 500 companies,” Dow said. “There is certainly a plethora of small and medium enterprises that have and will be impacted.”

Is reporting actually down?

Neither expert can draw a correlation between lower ransomware numbers and a decrease in reporting. However, Callow reminds us that the FBI recently stated that only about 20% of ransomware incidents are reported. “We need to find ways to up that number,” he said. “If policymakers can’t see the impact of their policies, how do they know whether they’re working? At the moment, we don’t know whether attacks are on the rise or on the decline. That needs to change.”

While it’s possible the decline in ransomware incidents is due to a reduction in reporting, we must consider the possibility of improved cybersecurity measures, increased threat awareness or changes in the TTP (tactics, techniques and procedures) used by cyber criminals. In many cases, organizations may simply be better at preventing and detecting these incidents.

Ultimately, without enough context, it’s difficult to interpret these statistics and make any definitive observations. Either way, it is a positive sign whenever ransomware incidents decline — regardless of the reason. While some organizations continue to struggle, we can take solace in knowing that many others are taking steps to protect themselves.

More from Risk Management

CISA’s cyber incident reporting portal: Progress and future plans

3 min read - On August 29, 2024, CISA announced the launch of a new cyber-incident Reporting Portal, part of the new CISA Services Portal.“The Incident Reporting Portal enables entities and individuals reporting cyber incidents to create unique accounts, save reports and return to submit later, and eliminate the repetitive nature of inputting routine information such as contact information,” says Lauren Boas Hayes, Senior Advisor for Technology & Innovation, at CISA.Shortly after the announcement, Security Intelligence reported on how the portal was designed and…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today