Initial ransomware demands reached a median of $600,000 in 2023, a 20% rise on the previous year, according to a new report by Arctic Wolf.
Several industries – energy & natural resources, retail and legal & government – received median demands of $1m or more per incident.
The research highlighted a number of factors that cybercriminals base the size of their initial demand:
- The resources of the victim, based on its size and financial position
- The victim organization’s industry, which influences their sensitivity to disruption and negative press
- The impact of the attack on the victim’s operations
- The extent of the victim’s insurance coverage
- The ego and mood of the attacker
The researchers found that the industry most commonly represented in ransomware group leak sites last year was manufacturing (708 posts on leak sites). The heavy targeting of this industry is likely due to manufacturers having little tolerance for production downtime.
This sector was followed by business services (450), education & non-profit (321) and retail & wholesale (305) in representation on leak sites.
The report noted that leak sites tend to be more likely to post data from victims that refuse to pay or are perceived by attackers as stalling.
LockBit the Most Prominent Threat Actor
A “handful” of ransomware variants dominated the threat landscape in 2023. The five groups encountered most often by Artic Wolf were BlackCat, LockBit 3.0, Akira, Royal and BlackBasta.
LockBit 3.0 claimed the highest number of victims, more than double the amount of the next highest, BlackCat.
The report noted that it is becoming more difficult for ransomware groups to survive and thrive, partly due the impressive work of law enforcement in disrupting operators’ infrastructure.
At the end of 2023, the FBI confirmed that the BlackCat group’s leak site was taken down.
In major news that broke on February 19, 2024, an international law enforcement operation took down LockBit’s infrastructure.
The researchers added that ransomware-as-a-service (RaaS) groups are being forced to compete for the allegiance of more affiliates, who are increasingly aligning with operators based on factors like the reliability of their tools and ability to evade law enforcement.
BEC Attacks Going Under the Radar
Business email compromise (BEC) incidents made up 29.7% of the total incidents investigated by Arctic Wolf in 2023. This vector outnumbered ransomware incidents by a factor of 10.
However, ransomware incidents are 15-times more likely than BEC to lead to an incident response investigation. This is because a BEC incident is typically less costly than that of a ransomware incident, and funds generated to a threat actor from a BEC attack are usually not recoverable.
However, BEC scams cost an average of $4.67m per incident.
The researchers said this vector has become attractive for threat actors due to its ease and effectiveness.
Publicly available information, such as company communications and professional networking sites, enable attackers to craft more tailored and convincing phishing emails. Additionally, the availability of generative AI tools makes it easier for cybercriminals to overcome barriers such as language to pursue BEC attacks.
The report cited figures from the FBI’s most recent Internet Crime Report, which estimated BEC losses to be $2.7bn in 2022 – 80 times greater than those caused by ransomware.
The researchers said: “Ransomware garners more headlines, but BEC incidents are effective and much easier to execute. Plus, only the most severe BEC incidents – for instance, those with account compromise or other intrusion actions – typically lead to a full IR engagement.”
Unpatched Vulnerabilities are a Leading Cause of Cyber Incidents
Nearly a third (29%) of non-BEC incidents investigated last year was caused by the attacker exploiting a vulnerability.
In around 60% of these cases, the vulnerability had been identified in 2022 or earlier, meaning organizations had a significant amount of time to patch the affected system or remove its external access.
Just 11.7% of non-BEC incidents featured a zero-day exploit.
The researchers added that over half of incidents caused by a vulnerability exploitation involved at least one of 10 vulnerabilities.
The most prominent of these was CVE-2023-34362, the MOVEit Transfer SQLi vulnerability, which led to a surge in ransomware incidents in May and June 2023.