Initial ransomware demands jump 20% to $600,000 in 2023


Initial ransomware demands reached a median of $600,000 in 2023, a 20% increase from the previous year, according to a new report from Arctic Wolf.

Several sectors – energy and natural resources, retail, law and government – received median requests of $1 million or more per incident.

The study highlighted a number of factors on which cybercriminals base the size of their initial request:

  • The resources of the victim, depending on their size and financial situation
  • The victim organization’s industry, which influences its sensitivity to disruption and negative press
  • The impact of the attack on the victim’s operations
  • The extent of the victim’s insurance coverage
  • The attacker’s ego and mood

Researchers found that the most represented industry on ransomware group leak sites last year was manufacturing (708 posts on leak sites). The heavy targeting of this industry is likely because manufacturers have little tolerance for production downtime.

This sector was followed by business services (450), education and nonprofits (321), and retail and wholesale (305) in terms of representation at leak sites.

The report notes that leak sites tend to be more likely to post data from victims who refuse to pay or who are perceived by attackers as latecomers.

LockBit, the largest threat actor

A “handful” of ransomware variants dominated the threat landscape in 2023. The five groups most commonly encountered by Arctic Wolf were BlackCat, LockBit 3.0, Akira, Royal, and BlackBasta.

LockBit 3.0 had the highest number of victims, more than double that of the next group, BlackCat.

The report noted that it is increasingly difficult for ransomware groups to survive and thrive, in part because of the impressive work of law enforcement to disrupt operators’ infrastructure.

At the end of 2023, the FBI confirmed that the BlackCat group’s leak site had been dismantled.

In a major development on February 19, 2024, an international law enforcement operation took down LockBit’s infrastructure.

The researchers added that ransomware-as-a-service (RaaS) groups are forced to compete for the allegiance of more affiliates, who increasingly choose which established operators to align with based on factors such as the reliability of their tools and their ability to evade law enforcement.

BEC attacks go under the radar

Business email compromise (BEC) incidents accounted for 29.7% of total incidents investigated by Arctic Wolf in 2023. This vector outnumbered ransomware incidents by a factor of 10.

However, ransomware incidents are 15 times more likely than BEC incidents to result in an incident response investigation. This is because a BEC incident is generally less costly than a ransomware incident, and funds generated by a malicious actor following a BEC attack are generally not recoverable.

However, BEC scams cost an average of $4.67 million per incident.

Researchers said this vector has become attractive to threat actors because of its ease and effectiveness.

Publicly available information, such as company communications and professional networking sites, allows attackers to create more personalized and convincing phishing emails. Additionally, the availability of generative AI tools makes it easier for cybercriminals to overcome barriers such as language to pursue BEC attacks.

The report cited the FBI’s latest internet crime report, which estimates BEC losses at $2.7 billion in 2022, 80 times higher than those caused by ransomware.

The researchers said: “Ransomware grabs the headlines, but BEC incidents are effective and much easier to execute. Additionally, only the most serious BEC incidents – for example, those involving account compromise or other intrusion actions – typically lead to full IR engagement.”

Unpatched vulnerabilities are a leading cause of cyber incidents

Nearly a third (29%) of non-BEC incidents investigated last year were caused by the attacker exploiting a vulnerability.

In about 60% of these cases, the vulnerability was identified in 2022 or earlier, meaning organizations had plenty of time to update the affected system or remove external access to it.

Only 11.7% of non-BEC incidents included a zero-day exploit.

The researchers added that more than half of incidents caused by vulnerability exploitation involved at least one of ten vulnerabilities.

The most significant of these was CVE-2023-34362, the MOVEit Transfer SQLi vulnerability, which led to an increase in ransomware incidents in May and June 2023.
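The finding above (most exploited vulnerabilities were disclosed a year or more before the incident, and the fix is to patch or to remove external access) is easy to turn into a routine check over a vulnerability inventory. The following is an added example, not code from Arctic Wolf or the report: it computes the share of findings whose CVE predates the incident year, the same measure the report quotes as roughly 60%, and ranks open findings so that internet-exposed, long-open ones come first. The asset names, the `CVE-EXAMPLE-*` identifiers and all dates other than the MOVEit CVE's 2023 disclosure are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One vulnerability observed on one asset (constructed inventory record)."""
    asset: str
    cve: str
    published: date                 # public disclosure date of the CVE
    internet_exposed: bool          # reachable from the internet?
    patched: Optional[date] = None  # date the fix was applied; None if still open


def days_open(f: Finding, as_of: date) -> int:
    """Days between public disclosure and the patch (or `as_of` if still unpatched)."""
    end = f.patched or as_of
    return (end - f.published).days


def stale_share(findings: List[Finding], incident_year: int) -> float:
    """Fraction of findings whose CVE was disclosed before the incident year.

    This mirrors the report's observation that ~60% of exploited
    vulnerabilities in 2023 incidents were identified in 2022 or earlier.
    """
    if not findings:
        return 0.0
    stale = sum(1 for f in findings if f.published.year < incident_year)
    return stale / len(findings)


def triage(findings: List[Finding], as_of: date,
           max_open_days: int = 30) -> Tuple[List[Finding], List[Finding]]:
    """Rank open findings by risk and flag the overdue ones.

    Ranking: internet-exposed first, then longest time since disclosure.
    Overdue: exposed *and* open longer than `max_open_days`; these are the
    candidates for emergency patching or for removing external access.
    """
    still_open = [f for f in findings if f.patched is None]
    ranked = sorted(still_open,
                    key=lambda f: (not f.internet_exposed, -days_open(f, as_of)))
    overdue = [f for f in ranked
               if f.internet_exposed and days_open(f, as_of) > max_open_days]
    return ranked, overdue


# Constructed sample inventory. CVE-2023-34362 (MOVEit Transfer) was disclosed
# in June 2023; the CVE-EXAMPLE-* entries and every asset name are placeholders.
AS_OF = date(2023, 7, 1)
SAMPLE = [
    Finding("mft-01", "CVE-2023-34362", date(2023, 6, 2), True),
    Finding("vpn-gw-01", "CVE-EXAMPLE-0001", date(2022, 3, 10), True),
    Finding("hr-app-02", "CVE-EXAMPLE-0002", date(2021, 11, 5), False),
    Finding("web-03", "CVE-EXAMPLE-0003", date(2023, 1, 20), True, patched=date(2023, 2, 1)),
    Finding("db-04", "CVE-EXAMPLE-0004", date(2022, 8, 1), False, patched=date(2022, 9, 15)),
]


if __name__ == "__main__":
    print(f"share of findings with pre-2023 CVEs: {stale_share(SAMPLE, 2023):.0%}")
    ranked, overdue = triage(SAMPLE, AS_OF)
    for f in ranked:
        flag = "OVERDUE" if f in overdue else "open"
        print(f"{f.asset:10} {f.cve:18} exposed={f.internet_exposed!s:5} "
              f"open {days_open(f, AS_OF):4d}d  {flag}")
```

With the sample data the MOVEit finding is 29 days old on the chosen date and so sits just under the 30-day threshold, while the year-old VPN finding is flagged as overdue; a shorter `max_open_days` for internet-facing assets, which is what the report's "plenty of time to update" remark argues for, would flag both.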
