Despite Law Enforcement Stopping Significant Q4 Activity, 2023 Ransomware Incidents Still Surpass 2022 by Nearly 70 Percent and Active Ransomware Gangs Grow by 34 Percent
BOSTON — Corvus Insurance, the leading cyber underwriter powered by a proprietary AI-driven cyber risk platform, today released its Q4 2023 Ransomware Report. Featuring data collected from ransomware leak sites, the report shows that while Q4 attacks were down slightly from Q3 2023, ransomware activity for the year surpassed 2022 totals by 68 percent.
Corvus Insurance closely monitored ransomware activity during 2023 and recognized early that attacks were occurring at a record-setting pace. Last year, ransomware attacks increased each of the first three quarters and then declined slightly in Q4. Significant international law enforcement activity in Q4 successfully disrupted the ransomware ecosystem, including taking down ALPHV/BlackCat, one of the most prolific ransomware gangs, and eliminating Qakbot, a pervasive family of malware used to gain access to victims’ networks.
As a result of law enforcement’s actions, Q4 attacks dropped by 7 percent from Q3, with 1,278 victims observed on ransomware leak sites. Despite this sequential quarterly drop, Q4 2023 activity was still up year over year. In addition, 2023 established a new record for ransomware attacks with 4,496 total leak site victims, compared to 2,670 in 2022 and 3,048 in 2021.
“While ransomware activity spiked to an all-time high in 2023, the real story here is the incredible impact law enforcement had on these groups as we closed out the year,” said Jason Rebholz, CISO, Corvus Insurance. “Unfortunately, there’s no time to celebrate. Threat actors are resilient and have quickly pivoted to new malware, which means everyone must remain vigilant in their commitment to mitigating these threats.”
Factors driving ransomware numbers over the quarter:
Threat Actor Resilience
Fortra PhishLabs reports that Qakbot, also called QBot, was the most commonly observed malware family spread via email in Q3 2023. While international law enforcement took down the Qakbot malware network in Q3, it still accounted for 31 percent of the total ransomware volume for the quarter. Its absence in Q4, along with the threat actors’ search for new capabilities to fill the void, likely contributed to the lower-than-expected number of ransomware victims and the slight decrease in victims in Q4. But this disruption didn’t keep threat actors down for long—Corvus identified a noticeable shift to other malware strains such as “Pikabot” and “DarkGate,” which were used to gain initial access to victim networks.
More Active Ransomware Groups
The number of active ransomware groups increased by 34 percent between Q1 and Q4 2023. This increase can be attributed to the fracturing of well-known ransomware groups that leaked their proprietary encryptors on the dark web, making them available to new actors who started ransomware operations. For example, at least 10 new ransomware groups have used Babuk’s encryptor, which leaked in 2021. In addition, members of larger defunct groups began forming splinter groups, which increased the number of ransomware gangs conducting attacks.
“While many will remember 2023 for its record-setting number of ransomware attacks, what is equally noteworthy is the resiliency of threat actors who, despite growing action from law enforcement, were quick to use new forms of malware to secure initial access,” Rebholz said. “Throughout 2024, we will undoubtedly witness much of the same activity, as criminals continue to attack, shift, re-brand, and strike again. Businesses should remain prepared with enhanced security controls and cyber insurance policies to help minimize risk.”
Key Industry Trends
Law Practices
In Q3, the ALPHV/BlackCat ransomware group accounted for nearly a quarter of all victims in the legal industry (23.5 percent). This number declined by 8.8 percent in Q4, likely the result of law enforcement disruption that occurred in December.
Transportation, Logistics, and Storage
The transportation, logistics, and storage industry experienced consistent increases throughout 2023. Lockbit 3.0 accounted for 22 percent of victims, while ALPHV/BlackCat made up 15.87 percent. Given the nature of the work, businesses in this industry are sensitive to business interruption and may present attractive targets to threat actors looking to put pressure on victims to pay for decryption.
Read the full Corvus Q4 Ransomware Report here. To learn more, join the deep-dive webinar, “Cyber Threats in 2024: What Claims Data Tells Us About the Dark Web,” featuring Corvus experts.