Are We Seeing Fewer Ransomware Attacks? Not Now

Despite what you may have heard, ransomware threats continue to grow and evolve in mid-2023. Here’s what you need to know.

As I walked the show floor at the RSA conference and held meetings with vendors and clients in San Francisco last month, I heard a surprising theme that I disagreed with.

The conversation often started with something like this: “Great book with cyber stories, but isn’t ransomware dying?” (Note: They were referring to the book I co-authored with Shamane Tan called Cyber Mayday and the Day After.)

Or, “Ransomware is way down, isn’t it?”

Or, “What’s your biggest fear, now that ransomware is going away?”

And no, these colleagues and “industry experts” from an assortment of cyber vendors were not delusional, just misinformed. When I asked one colleague to send me some proof, he sent me several articles backing up his claims:

Security Magazine: Ransomware attacks decreased 61% in 2022: “The 2022 State of Ransomware Report from Delinea and conducted by Censuswide surveyed 300 U.S.-based information technology (IT) decision-makers about the impact of ransomware on their organizations over the past year. The survey found that 25% of organizations were victims of ransomware attacks over the past 12 months, a 61% decline from the previous 12-month period, when 64% of organizations reported being victims.”

Security Week: Ransomware Revenue Plunged in 2022 as More Victims Refuse to Pay Up: “According to data from Coveware, a company that helps organizations respond to ransomware attacks, the percentage of companies that paid up in 2022 dropped to 41%, from 50% in 2021 and 70% in 2020.”

TechTarget: July [2022] another down month in ransomware attack disclosures: “SearchSecurity has tracked ransomware in 2022 via a database of public reports and disclosures, as well as an article series that covers the most notable attacks each month. According to SearchSecurity's data sets, there was approximately a 300% drop between attacks in January and June. July saw similar numbers, with just 13 confirmed disclosures last month; in addition, only three disclosures were for attacks in July.”

Inside P&C: Cyber frequency fell 22% in 2022 as ransomware dropped 54%: Coalition: “Cyber claims frequency declined 22% year over year in 2022, driven mostly by a 54% drop in ransomware attacks, according to InsurTech Coalition.”


While there is debate about how much ransomware incidents dropped in 2022, the trend (if there ever was one, which I doubt) has certainly flipped in 2023. Consider these reports:

Politico: Ransomware comes back with a vengeance: “Researchers at a leading cryptocurrency tracing company have bad news for Washington: Ransomware is back, and it might be worse than ever.

“Through the first four months of this year, cybercriminal gangs are on pace to surpass their earnings from a record-setting 2021, according to new data collected by Chainalysis.

“The bounceback in extortion revenue follows a 40 percent dip in ransom payments in 2022, which many had interpreted as a promising sign the Biden administration was making headway against keyboard crooks.”

WION: Nearly two-thirds of India-based companies victims of ransomware attack: “In an alarming statistic that describes the State of Ransomware in 2023, it has been revealed that 73 percent of India-based organisations surveyed by cybersecurity company Sophos were victims of ransomware attacks.”

The Hacker News: Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code: "The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems.

"While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a report shared with The Hacker News."

Insurance Journal: Viewpoint: Could Increasing Ransomware Frequency Bring Back Repeat of Hard Market?: “Insurance pricing is cyclical. When loss ratios are sustainably higher, over time prices rise in response, creating a hard market. The last hard market in cyber was in 2021 when an onslaught of ransomware and high-profile cyber attacks drove a spike in demand for cyber insurance and a decreased supply of capital, which led to increased premiums.

“Once prices are higher and loss performance begins to improve, the market looks appealing — driving new entrants and adding pressure on existing players trying to stay competitive. This drives prices back down and creates a soft market. Eventually, the loss ratio climbs back up, and the cycle inevitably begins anew.”

So if ransomware isn't going away, what are some important 2023 ransomware trends to watch?

First, be aware that backup repositories are targeted in 93 percent of ransomware attacks, according to Infosecurity magazine and Veeam’s 2023 ransomware trends report: “Veeam also found that in 93% of ransomware incidents, the threat actors target the backup repositories, resulting in 75% of victims losing at least some of their backups during the attack, and more than one-third (39%) of backup repositories being completely lost.”

Second, the report showed that organizations are still ill-prepared to face this threat: “Most (80%) continue to pay the ransom despite multiple advisories against it. They primarily do that to get their data back, yet 21% don’t, even after paying the ransom.”

Third, Infosecurity magazine also claims that the time to deploy ransomware has dropped 94 percent: “Phishing remained the No. 1 initial access vector last year, identified in two-fifths (41%) of incidents, followed by exploitation of public-facing applications (26%).”


I found this U.K. ransomware story with a twist to be interesting: “Rogue IT worker extorted company after hijacking ransomware attack.” Here's an excerpt: “An IT worker in the UK has been convicted of unauthorized computer access and blackmail after attempting to take advantage of a ransomware attack on his employer.

“Ashley Liles was found to have attempted to blackmail his employer, Oxford Biomedica, into paying a ransom in the wake of a 2018 security breach. …

“Liles accessed board members’ private emails more than 300 times and altered the original ransom note to change the payment address to his own cryptocurrency wallet.”

This story just highlights the importance of addressing insider threats and employee ethics and integrity — even during a ransomware emergency.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.