Ransomware Report 2023: Outpost24 reveals the numbers behind targets, motives, and trends
London, U.K. – 7th February 2023 – After closely monitoring the most active ransomware groups in 2022, the KrakenLabs team at Outpost24 are sharing their latest report that delves deep into the significant ransomware trends, threat groups, victim profiles, and motives behind these attacks from the past year. In total, the researchers identified 2,363 victims disclosed by various ransomware groups on Data Leak Sites (DLS) in 2022, with an estimated $450 million paid in ransom by victims.
A detailed research report, which is available here, uncovered the following findings surrounding the evolving ransomware landscape:
- Most active ransomware groups: Existing entities like LockBit, BlackCat, Hive, and Karakurt have demonstrated exponential growth and have surpassed previous records despite the disappearance of prominent threat groups such as CONTI and the old REvil.
- Frequently attacked countries: Across the 101 different countries that registered victims, 42% of victims are from the United States. The UK is second on the list, followed by Canada, Germany and France. In fact, 28% of victims were from Europe.
- Worst offender: Last year, the ransomware group known as LockBit exhibited a significantly higher level of activity compared to other groups. They were responsible for 34% of all recorded attacks in 2022.
- Sector most at risk: While critical infrastructure sectors accounted for just over half of the attacks perpetrated (51%), construction was the most targeted sector overall.
The research aims to help individuals and organisations be aware of the latest trends and attack patterns, as well as the tactics, techniques, and procedures (TTPs) that ransomware gangs are deploying, ultimately helping potential victims to better mitigate the risk.
Further analysis by Outpost24 also revealed time periods in which the tables were turned and ransomware groups were under DDoS (distributed denial of service) attack. In week 35 of 2022, the LockBit group claimed that they were being attacked as a consequence of leaking stolen data from Entrust, a cybersecurity company that they had previously attacked. Outpost24 KrakenLabs detected that not just LockBit, but many other ransomware DLSs were suffering DDoS attacks during this period. It is likely the attackers were aiming to cause disruption for the ransomware groups during the extortion process.
"The recent clampdown of Hive, following REvil, is a positive sign for all; however, organizations must ensure they keep their guards up against this constantly evolving threat by prioritising cyber hygiene through regular vulnerability assessment, security testing and combining detection with threat intelligence to surface risk signals that can help prevent infection," said Alejandro Villanueva, Threat Intel Analyst at Outpost24.
About Outpost24
The Outpost24 group helps organizations limit their digital exposure with a complete range of cyber risk management solutions. Outpost24’s cloud platform unifies asset inventory, automates security assessments, and quantifies risk in business context. Executives and security teams around the world trust Outpost24 to prioritize the most important security issues across their entire IT infrastructure for accelerated risk reduction. Founded in 2001, Outpost24 is headquartered in Sweden, with additional offices in the US, the UK, the Netherlands, Belgium, Denmark, France, and Spain. https://outpost24.com/