Ransomware: 2023's top attacks and need-to-know stats

James Dyer | 30th May 2022

As we navigate through 2023, ransomware attacks continue to grow in scale and sophistication. This year has already witnessed an alarming number of high-profile incidents (at the time of writing), meaning ransomware attacks remain one of the most significant cybersecurity threats organizations face.

Ransomware encrypts files, databases, or entire systems, and holds them hostage until the victim organization pays the ransom demanded. These attacks can cripple businesses, disrupt critical infrastructure, cause severe financial losses, and in some cases, can lead to loss of human life when a hospital or healthcare system is targeted. In recent years, ransomware has become increasingly targeted and advanced, exploiting vulnerabilities in an organization's security.

As ransomware continues to evolve, so do the tactics and techniques employed by cybercriminals. There has been a rise of double and triple extortion, where attackers not only encrypt the data but also threaten to leak sensitive information or launch further attacks, thereby increasing pressure on victims to pay the ransom. Furthermore, ransomware-as-a-service (RaaS) models have proliferated, making these attacks more accessible to even less technically skilled criminals.

45% of all ransomware attacks start with a phishing email, therefore it is vital to enhance your defenses. Increasingly, organizations are deploying ICES, such as Egress Defend, to stop the advanced phishing attacks that act as a vehicle for ransomware. We explore some of the more significant attacks reported so far in 2023 below, and key data surrounding ransomware, the groups behind these attacks, and their targets. 

Important ransomware statistics for 2023

Who are the most active ransomware gangs, at the time of writing?

LockBit is the most active ransomware gang so far in 2023, with 273 victims named on leak sites in Q1 of 2023, followed by Clop, who leaked 102, then BlackCat (AlphV), responsible for 87 listings on leak sites. Clop named 99 organizations on its data leak site in February 2023, based on their GoAnywhere MFT zero-day vulnerability campaign, that allegedly breached 130 victims.

In January 2023, the FBI seized the Hive ransomware gang's servers after a months-long disruption campaign. Infiltrating the group's infrastructure in July 2022, the FBI accessed decryption keys, prevented a $130m ransom payment, and confiscated dark web and internal site servers. This significant event highlights the risks of ransomware groups remaining active for extended periods. Hive first emerged in June 2021, claiming over 200 victims on its data leak site before being shut down.

Which countries are targeted most by ransomware gangs?

850 organizations were listed on data-leak sites in Q1 alone. The most targeted country was the United States with 45.6% of ransomware victims named on data-leak sites.  The other countries in the top five are the UK, Canada, France, and Germany.

Cost of ransomware attacks

In 2022, the average cost of a ransomware attack was $4.54m, according to the IBM Cost of a Data Breach Report. As well as any ransom payments, this figure also includes indirect costs, such as downtime, recovery, and finding and fixing the vulnerability. Giving an accurate average cost is challenging because not every company reports incidents, ransom demands vary, and not every company pays the demand. For example, the most costly demand ever reported was the attack on Kaseya, with a ransom demand of $70m, while the average ransom payment in 2022 was $812,360.

Top ransomware attacks of 2023

Royal Mail

The UK postal service Royal Mail's overseas deliveries were severely disrupted on 10th January 2023 by a ransomware attack by Russia-based LockBit. The cyberattack affected the systems used to dispatch international deliveries. The incident is particularly significant as Royal Mail is considered critical national infrastructure for the U.K. economy. 

Before the issue was resolved, Royal Mail advised customers not to send international letters and parcels, they have since continued regular operations. Domestic deliveries remained unaffected. The National Crime Agency and the National Cyber Security Centre are currently investigating the incident (at the time of writing this article).

Yum! Brands

On 18 January 2023, Yum! Brands, the operator of KFC, Pizza Hut, Taco Bell, and The Habit Burger Grill, was targeted by a ransomware attack that forced 300 locations in the U.K. to close for one day. The company initiated response protocols and engaged cybersecurity professionals and law enforcement. Yum! Brands confirmed data was stolen but found no evidence that customer databases were compromised. The company filed an 8-K form with the SEC, stating it doesn't expect the attack to impact its business, operations, or financial results adversely.

Tucson Unified School District

Southern Arizona's biggest school district, Tucson Unified School District, fell victim to a ransomware attack in late January. The attack disrupted internet and network services, forcing schools to operate offline. Staff found printed letters revealing that Royal was behind the attack, which encrypted and copied the district's data. While the ransom sum remains undisclosed, reports suggest that Royal proposed a "special arrangement" to decrypt, restore, and maintain the confidentiality of the district's data.

ION

At the start of February, ION, a financial trading service provider, experienced a ransomware attack that affected their clients, including major banks, brokerages, and hedge funds. LockBit took responsibility for the attack and received an undisclosed ransom payment. Neither ION nor LockBit disclosed the name of the wealthy benefactor who paid the ransom.

Tallahassee Memorial HealthCare

Following a ransomware attack in early February, Tallahassee Memorial HealthCare in Florida was offline for nearly a week. The result was limitations on surgeries and procedures performed, and some emergency patients were redirected to other hospitals. The hospital resorted to paper records and handwritten patient notes during the attack. Details about the incident remain scarce due to security, privacy, and law enforcement concerns.

Florida Supreme Court

In February, the Florida Supreme Court was among over 3,800 victims of a rapidly spreading global ransomware attack targeting several U.S. and Central European universities. The digital extortion campaign had affected thousands of servers in Europe and was considered a significant online threat. 

The Florida Supreme Court's main network remained unaffected, as the impacted infrastructure was segregated and used to administer other state court system elements. The cybercriminals reportedly extorted only $88,000 in this campaign; a relatively modest amount compared to the multimillion-dollar ransoms typically demanded by some hacking groups.

B&G Foods

Food retailer B&G Foods, known for over 50 brands such as Crisco, Cream of Wheat, Green Giant, and Ortega, fell victim to a cyberattack by Daixin Team on February 4. The ransomware collective allegedly encrypted approximately 1,000 hosts and released extracted files on their site. The files contained internal corporate documents but excluded sensitive data concerning the organization, employees, or subcontractors. B&G Foods refrained from engaging with Daixin Team, and no details have been disclosed regarding the ransom demanded.

Dole Food Company

Dole Food Company, a major global producer and distributor of fresh fruit and vegetables, experienced a ransomware attack that affected its operations. While the company is still investigating the scope of the incident and has described the impact as limited, it has engaged third-party experts to help remediate and secure the affected systems. Law enforcement has also been notified. Due to the attack, Dole shut down its production plants in North America and halted shipments to grocery stores, resulting in shortages of prepackaged salads on store shelves. The company implemented its crisis management protocol, which includes returning to manual operations to resume production and shipments, at a slower pace.

U.S. Marshals Service

The U.S. Marshals Service (USMS) investigated a ransomware attack that impacted one of their stand-alone systems containing sensitive law enforcement data, including personal information of subjects under investigation and select employees. Detected on February 17, the compromised system has been disconnected from the USMS network for investigation. The USMS Witness Security Files Information System database remained intact. This incident follows a 2020 breach that exposed data on over 387,000 past and present inmates.

Maximum Industries

The ransomware gang LockBit claims to have breached Maximum Industries, a supplier for SpaceX, and stolen 3,000 proprietary schematics. The cybercriminals threatened to leak or sell the blueprints starting from March 20, 2023, if their ransom demands were unmet. The usefulness of the stolen schematics may be limited, as manufacturing and using the parts without raising suspicion would be challenging.

Top ransomware attacks of 2022

Regal Medical Group

Regal Medical Group, an affiliate of Heritage Provider Network, reported an attack on January 2, 2023. A month prior, attackers accessed and exfiltrated patient data before encrypting files. The breach affected 3,300,638 patients, making it the largest healthcare data breach reported that year. Regal Medical Group implemented additional security measures and offered affected individuals a 12-month Norton LifeLock credit monitoring program subscription.

New York City Bar Association

The New York City Bar Association was hit by a ransomware attack in December 2022, as reported by DataBreaches.net in January. The ransomware attackers, CLOP, gained access to the bar's files, claiming to have downloaded over 1.8TB of data. The attackers accused the bar of not taking its data security obligations seriously and suggested lawsuits from victims and fines from regulators. CLOP posted screenshots of a portion of the bar's file directory and passports of certain individuals as proof of their claims.

Red Cross

In January 2022, a ransomware attack targeted a Red Cross third-party contractor, compromising the records of over 500,000 highly vulnerable individuals. Those affected were people separated from families due to conflict, migration, disaster, and detainees. The Red Cross halted its servers for investigation, but the attacker remains unidentified.

Nvidia

In February 2022, chipmaking giant Nvidia suffered a ransomware attack by the hacking group Lapsus$. The breach resulted in the theft of 1TB of data, including 71,000 employees' credentials, graphics card designs, and Nvidia A.I. rendering system source code. The system was offline for two days following the attack.

Toyota

Hackers attacked three Toyota suppliers between February and March 2022: Kojima Industries, Denso, and Bridgestone. The Kojima attack caused a temporary closure of 14 Toyota plants in Japan, reducing monthly production capacity by 5%. The Bridgestone attack led to U.S. network and production facility shutdowns.

Costa Rica

In April 2022, ransomware attacks disrupted Costa Rica's essential services, causing thousands of medical appointments to be rescheduled and tax payments affected. Some organizations reverted to pen and paper. In May, Costa Rica declared a state of emergency - a global first due to a ransomware attack. Conti ransomware, linked to Russia-based 'Wizard Spider,' was identified as the cause. The U.S. government offered a $10m reward for information on the group.

Shoprite

In June, Africa's largest supermarket chain, Shoprite Holdings, suffered a ransomware attack. With over 3,000 stores and 150,000 employees, the $5.8bn company was targeted by RansomHouse. The threat actor criticized Shoprite on Telegram for keeping copious amounts of personal data in plain text, claiming to have obtained 600GB of unprotected data.

Top ransomware attacks of 2021

Colonial Pipeline

In May 2021, the DarkSide group attacked Colonial Pipeline with ransomware through a compromised, unused VPN account password. The attack affected the U.S. East Coast oil infrastructure, causing panic buying and fuel shortages. Colonial Pipeline paid the $4.4m ransom, with the FBI recovering $2.3m a month later. Implementing multi-factor authentication could have easily prevented this breach.

Acer

In March 2021, Taiwanese computer manufacturer Acer was attacked via a Microsoft Exchange vulnerability. Exposed data potentially included client lists, payment information, and financial documents. Acer reportedly paid a record $50m ransom, making it the highest known ransomware payment to date.

Kia Motors America

In February 2021, Kia Motors America faced a DoppelPaymer ransomware attack, resulting in widespread system outages affecting mobile apps, payment and phone services, owner portals, and dealership systems. The attackers demanded a $20m ransom for decryption and to prevent data leaks. Parent company Hyundai possibly experienced a similar attack due to concurrent outages. 

D.C. Police Department

In April 2021, the Metropolitan Police Department in D.C. fell victim to a ransomware attack by the Russian Babuk group. The department's refusal to pay the $4m ransom led to massive exposure of internal information. The incident is the most damaging ransomware attack on a U.S. police department to date.

JBS USA

On May 30, 2021, the REvil ransomware group targeted global beef manufacturer JBS USA, causing a shutdown of operations until June 3. JBS paid $11m ransom after halting operations at 13 meat processing plants. The incident raised concerns with the White House and the U.S. Attorney General over ransomware attacks as national security threats.  

Kaseya

On July 2, 2021, software provider Kaseya was attacked, with threat actors exploiting its platform to deploy ransomware to end customers' networks. This incident highlights the rising risks in software supply chains, as cybercriminals increasingly target providers to infiltrate multiple organizations simultaneously through malicious code in software updates.