May 17, 2023 By Mark Stone 4 min read

While examining the state of ransomware in 2023, the statistics show promise — at least on the surface. According to the IBM X-Force Threat Intelligence Index 2023, “Ransomware’s share of incidents declined from 21% in 2021 to 17% in 2022.”

Also promising: ransomware groups had a shaky 2022. The Trickbot group, for example, faced significant challenges — including internal leaks and increased government attention, resulting in the shutdown of their Conti ransomware operation and the retirement of two prominent malware families. LockBit ransomware then emerged as the leading variant in the market, accounting for 17% of all observed cases last year.

While these declines are minimal, they are a step in the right direction.

But how do we know if fewer people are reporting ransomware attacks? It’s understandable to question whether the decline in incidents may be due to a reduction in reporting.

Is there cause for optimism?

Brett Callow, renowned ransomware expert and threat analyst for Emsisoft, agrees that recent threat group disruptions may decrease the number of incidents. “Unfortunately,” he said, “that dip will only be temporary as the individuals involved with the operations start new ones or partner with other operations. However, the disruptions do have significant value in terms of swinging the needle of the risk-reward ratio more towards ‘risk’ and ‘intel gathering.’”

Callow equates countering ransomware to a game of whack-a-mole. But with more intel, he said, law enforcement can whack the moles faster.

Alex Dow, chief innovation officer for Mirai Security, attributes the decrease in ransomware statistics to several factors — including the war in Ukraine and improved EDR solutions. Dow, who has over 20 years of Security Operations Architecture and Incident Response experience, notes that many ransomware gangs are located in Russia and Ukraine.

“With the conflict raging and sanctions implemented, operating ransomware operations may be more difficult,” he said. “Beyond the obvious kinetic destruction and displacement of people, two other angles to consider: moving money around under sanctions has become impossible, but more interesting is the potential that the talent is moving to support the war efforts on either side.”

Dow also notes that endpoint detection and response solutions are getting better at catching and stopping ransomware behaviors. “This greatly reduces the efficacy of ransomware attacks and the catastrophic outcomes,” he said. “The more companies that invest in defensive capabilities, the less effective ransomware attacks will become.”

The role of information sharing in incident response

Another crucial defense mechanism in any threat prevention strategy is information sharing.

According to Callow, information sharing is better than it once was, but there is still room for considerable improvement. “It’s critical that we get those improvements,” he said. “As somebody once said, ‘Information is power and, in cybersecurity, it’s the power to prevent other similar events.’”

Dow, on the other hand, collaborates with several ISACs and works closely with the Mining and Metals ISAC. “Cyber criminals are moving away from spraying and praying and focusing on sectors that cannot afford to be impacted by ransomware,” he said. “Mining, along with most industrial sectors, cannot afford an interruption to operations, and that is exactly what ransomware does. Many of the industrial sectors lack a defensible IT, let alone OT architecture, and are thus vulnerable to material interruptions to operations. In the heavy industry space, operational interruptions are generally measured in millions of dollars per hour in loss. Attackers know this and are adjusting their sights to the most likely to pay.”

Thus, ISACs can and should play a critical role in helping industries fight ransomware.

Making sense of the statistics

In Callow’s experience, while it’s unclear whether the number of incidents has decreased, it appears that the number of ransoms being paid has decreased. “This is likely because organizations are getting better at protecting their backups and because OFAC (Office of Foreign Access Control) sanctions make payment riskier. I think we’ll see this downward trend continue in 2023,” he said.

Callow is optimistic about the downward trend. However, he also worries that groups could adopt more extreme tactics in an attempt to improve their conversion rates. “In particular, I think we’ll see groups try to make more use of exfiltrated data in order to weaponize customers and business partners,” he said.

Dow, who has spearheaded numerous ransomware remediation and incident response campaigns, said that the trends are moving towards targeting businesses and sectors that can’t afford to be impacted, have substantial tech debt and are likely to pay to alleviate the pain.

“This is not to say it’s only Fortune 500 companies,” Dow said. “There is certainly a plethora of small and medium enterprises that have and will be impacted.”

Is reporting actually down?

Neither expert can draw a correlation between lower ransomware numbers and a decrease in reporting. However, Callow reminds us that the FBI recently stated that only about 20% of ransomware incidents are reported. “We need to find ways to up that number,” he said. “If policymakers can’t see the impact of their policies, how do they know whether they’re working? At the moment, we don’t know whether attacks are on the rise or on the decline. That needs to change.”

While it’s possible the decline in ransomware incidents is due to a reduction in reporting, we must consider the possibility of improved cybersecurity measures, increased threat awareness or changes in the TTPs (tactics, techniques and procedures) used by cyber criminals. In many cases, organizations may simply be better at preventing and detecting these incidents.

Ultimately, without enough context, it’s difficult to interpret these statistics and make any definitive observations. Either way, it is a positive sign whenever ransomware incidents decline — regardless of the reason. While some organizations continue to struggle, we can take solace in knowing that many others are taking steps to protect themselves.
