State of Ransomware: 2023 Midyear Review

August 2, 2023

Each year, ransomware continues to pose a critical threat to organizations worldwide in all industry verticals. The first half of 2023 has been no different, as ransomware remains a top threat for organizations. Thus far in 2023, ransomware groups have partnered with multiple cybercriminal groups and disrupted thousands of business operations, costed organizations millions of dollars between ransom demands and recovery costs, and continued to name and shame victims on the Telegram application and data leak sites.


This blog post covers ransomware activity, trends, and mitigations during the first half of 2023, as well as what we expect looking forward. The numbers discussed throughout this blog only include victims listed on data leak sites. It is Almost Certain that the number of overall victims is significantly higher, as data leak sites do not typically list victims who pay a ransom within a certain timeframe.



Headlines, Headlines, Headlines

Like previous years, ransomware news continued to make headlines each week in 2023. One of the top stories included the takedown of the Hive ransomware operation, where law enforcement seized the group’s data leak site and servers in January 2023. As Lawrence Abrams reports, “The U.S. Department of Justice and Europol announced that an international law enforcement operation secretly infiltrated the Hive ransomware group’s infrastructure in July 2022, when they secretly began monitoring the operation for six months. The operation allowed them to learn about attacks before they occurred and warn targets, and to obtain and distribute decryption keys to victims, preventing nearly $130 million in ransom payments.” In the seizure of the group’s servers, law enforcement collected affiliate, victim, and malware information. Abrams writes, “The ransomware gang’s Tor web sites now displays a seizure notice listing a wide range of other countries involved in the law enforcement agencies, including Germany, Canda, France, Lithuania, Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom. Unlike other seizure notices, this one is an animated GIF that rotates the seizure notice in English and Russian.” The gTIC supports Abrams’ assertion that this GIF is Likely an attempt to warn other ransomware operations.


Along with Hive, the Clop ransomware operation (often associated with the TA505 or FIN11 cybercriminal groups) continued to make headlines. In February 2023, Clop claimed responsibility for the attacks targeting CVE-2023-0669 (CVSS score 7.2), affecting the GoAnywhere MFT software. The group claimed to have stolen data from more than 130 organizations. In April 2023, Clop ransomware operators reportedly targeted two vulnerabilities, CVE-2023-27350 (CVSS score 9.8) and CVE-2023-27351 (CVSS score 8.2), affecting PaperCut servers to target additional organizations. In May 2023, Clop ransomware operators claimed responsibility for targeting the MOVEit vulnerability, CVE-2023-34362 (CVSS score 9.8) and purportedly targeted more than 380 organizations; the group has listed 188 victims on their data leak site at the time of writing. This type of targeting has become an integral part of Clop’s operations. In 2021, the group targeted four vulnerabilities in the Accellion MFT software and stole data from those victims. This suggests that file transfer services and software are becoming targets of focus for ransomware operators and will Likely continue to be targeted over the next 12 months.


Clop operators have been observed skipping the encryption process during attacks, which allows them to spend more time collecting sensitive data and holding it for ransom. In May 2023, BianLian operators also skipped the encryption step and moved directly to exfiltration and extortion only attacks. This move was Likely in reaction to Avast security researchers releasing a ransomware decryptor and the proven success of groups like Clop.


The LockBit ransomware operation has been the most active variant month after month. However, in March 2023, the group fell to number two for the first time since September 2021. Clop surpassed the LockBit group with 100 victims posted to their data leak site and 99 posted by LockBit operators. Again, in June, LockBit fell to number two with 62 victims listed on their data leak site and 91 victims listed by Clop. These two instances are Likely due to the Clop group targeting the GoAnywhere MFT and MOVEit vulnerabilities.


In July 2023, the Clop ransomware operation took a chapter out of the Alphv ransomware playbook. Clop operators purportedly created internet-accessible websites dedicated to specific victims, which makes it easier to leak stolen data and apply additional pressure to the victims. This tactic, started by Alphv ransomware operators in 2022, makes it easier to leak the data and facilitate greater public visibility. Threat actors often use TOR browsers to host data leak sites. Many non-technical users do not know how to access these sites, search engines do not index the leaked data, and data downloads take longer. A clear web site allows anyone to visit the data, which could allow the data from victim organizations to be searched by employees, accessed by journalists, and indexed by search engines. The success of this tactic is unknown, as it is easier to take down these sites and, at the time of writing, all of the Clop-created sites have been taken down. Historically, ransomware groups have played follow the leader, and it is Likely that Clop attempted to follow a tactic that had proven successful for the Alphv group.


In February 2023, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released an advisory documenting tactics, techniques and procedures (TTPs) associated with North Korean ransomware operations targeting health care and critical infrastructure verticals. According to Bill Toulas, the document notes that “the funds extorted this way went to support North Korean government's national-level priorities and objectives.” These threat actors targeted Log4Shell (CVE-2021-44228), as well as the SonicWall (CVE-2021-20038) and TerraMaster NAS (CVE-2022-24990) vulnerabilities. Several of the variants observed were publicly available ransomware variants, and others were ransomware-as-a-service (RaaS) programs.



Ransomware Activity by Variant

In addition to the major headlines, 16 new ransomware operations operating a data leak site emerged in the first half of 2023, bringing the total active variants to 51 operations.


In the first half of 2023, 2,300 organizations were listed as victims on ransomware data leak sites, which represents an increase of over 70% compared to the first half of 2022. When comparing the first half of 2022 to the first half of 2023, the variants with the highest increase included Clop (a 774% increase from 23 victims to 201 victims), RansomHouse (a 400% increase from 6 victims to 30 victims), and Black Basta (a 136% increase from 50 victims to 118 victims). The highest decrease included Hive (a 94% decrease from 62 victims to 4 victims), Everest (a 88% decrease from 25 victims to 3 victims), and Cuba (a 88% decrease from 24 victims to 3 victims). Hive’s decrease in victims is Likely due to the group’s shutdown.


The most active groups in the first half of 2023 include LockBit with 528 listed victims, Alphv with 224 listed victims, and Clop with 201 listed victims. The graph below includes only the variants that posted more than 15 victims for the first half of 2023. The groups that were active but not included are: 0mega, Abyss, Bl00dy, Black Suit, CrossLock, Cryptnet, Cuba, Cyclops, Daixin, Dark Power, DarkBit, DarkRace, Donut, Dunghill Leaks, Everest, Hive, La Piovra, Lorenz, Money Message, Monti, NoEscape, NoName, Ra Group, Ragnar Locker, Rancoz, RansomEXX, Unsafe, and Vendetta.


State of Ransomware - 2023 Half Year_Picture1.png

Figure 1: Ransomware activity January 01-June 30, 2023



Geographic Numbers

In the first half of 2023, all geographies saw an increase in targeted attacks when compared to the first half of 2022. The top increases include Africa with 21 victims in the first half of 2022 and 48 victims in the first half of 2023 (a 129% increase), Oceania with 22 victims in the first half of 2022 and 48 victims in the first half of 2023 (a 118% increase), and North America with 627 victims in the first half of 2022 and 1,197 victims in the first half of 2023 (a 91% increase). The most targeted geography was North America, which has been the trend observed over the previous 24 months. 88.3% (1,057) of those victims were in the United States. Other increases included Asia (90%), South America (72%), and Europe (34%).


State of Ransomware - 2023 Half Year_Picture2.png

Figure 2: Victims by geography January 01-June 30, 2022, compared to January 01-June 30, 2023



Vertical Numbers

Like the geographies, all verticals observed an increase in ransomware targeting in the first half of 2023. Verticals with the largest increases included Institutions and Organizations with 14 victims in the first half of 2022 and 41 victims in the first half of 2023 (a 193% increase) Insurance with 21 victims in the first half of 2022 and 59 victims in the first half of 2023 (a 181% increase), and Telecommunications with 17 victims in the first half of 2022 and 39 victims in the first half of 2023 (a 129% increase). Financial Services also observed a 129% increase, from 93 to 213 victims. However, this increase is Likely due to the increase in insurance victims, as Insurance is a sub-vertical of Financial Services.


In the first half of 2023, Industrials remained the most targeted vertical, with 873 listed victims. This is Likely due to the fact that this vertical includes organizations in the Manufacturing, Construction & Engineering, Transportation, and Industrial Services verticals. These organizations are often targeted due to the inability to suffer significant downtimes, the amount of sensitive information stored on clients and partners, and the greater likelihood of a ransom payout. Technology and Consumer Cyclicals were the top two and three verticals targeted—with 284 and 264 victims named, respectively.


State of Ransomware - 2023 Half Year_Picture3.png

Figure 3: Victims by vertical January 01-June 30, 2022 compared to January 01-June 30, 2023



Looking Forward

When ransomware groups adopted the double extortion method from 2019-2020—arguably pioneered by the Maze Team ransomware cartel—they began operating in a business-like model. Trust was a core value of the groups, who operated by the model of “pay the ransom and get the decryption key.” However, by 2022, ransomware groups began showing less interest in building trust or a reputation. Groups come and go, rebrand, affiliates have little regard for the type of organization they target, and many do not follow the rules put in place by the earlier ransomware groups. Affiliate members and developers have reportedly been involved with multiple ransomware strains and campaigns, thus undermining the attribution to any particular group or operator(s).


Clop’s exploitation of multiple zero-day vulnerabilities to target hundreds of organizations at a time Likely had a significant effect on the number of ransomware incidents in the first half of 2023. While the shutdown of the Hive ransomware operation had a temporary effect on the landscape, the introduction of new operations and shifting affiliates Likely aided in softening that impact. The consistent shifting of affiliates and the emergence of new groups renders post-incident attribution less valuable and emphasizes the need to focus on a proactive and risk-based intelligence and defensive measures. It is Likely that Clop operators will continue to target high-profile zero-day vulnerabilities to conduct large scale extortion attacks over the next 12 months.


Ransomware groups have historically used phishing to gain initial access to victims’ networks and took advantage of global events to lure victims into interacting with the email. This technique will Likely remain a top intrusion vector throughout 2023. As uncertain times continue – remote working, the Russia/Ukraine war, economic instability, etc. – ransomware groups will use these events to exploit the fear and curiosity of employees to lure victims.


The gTIC assesses with High Confidence that ransomware will Likely remain a prevalent threat over the next 12 months. Despite high-profile ransomware incidents and government and law enforcement attention on ransomware operations, there is currently little motive for ransomware operations to cease. Ransomware operators have continued to operate and adapt throughout 2022-2023. Over the next 12 months, they are assessed to continue building infrastructure and capabilities around themselves as one-stop shops, with less reliance on marketplaces and forums. Critical verticals like Healthcare, Energy, Industrial Services (like Transportation), and Government are Likely to remain attractive opportunities for ransomware operators due to their high-value information, inability to have significant downtime, and likelihood of a ransom payment.


If attackers continue to make and profit from extortion payments, then targeted ransomware attacks will Very Likely continue over the next 12 months. More ransomware groups will Likely emerge as groups rebrand, fly-by-night operations increase, and relationships between affiliates and developers change. The double-extortion method will Very Likely remain the primary procedure across the ransomware threat landscape. Multiple groups have been observed conducting extortion-only attacks, where data is stolen but not encrypted. Given the history of ransomware groups following tactics that have proven successful, it is Likely that additional groups will begin extortion-only attacks over the next 12 months.


It is Likely that ransomware operators will increasingly partner with initial access brokers (IABs) to gain initial access and use remote access markets, which are automated stores that allow threat actors to sell and exchange access credentials. These roles and markets play an essential role in the ransomware landscape, as they allow quick access to victim environments.




Optiv’s gTIC makes the following mitigation recommendations for the threats highlighted in this report:


  • An organization’s planning should occur before a ransomware attack occurs, which includes the assumption that your organization will be targeted.
  • Ensure that data is backed up and that multiple backup iterations are saved and segregated. There are many methods to complete this, such as the 3-2-1 or 3-2-2 method.
  • Enable role-based access controls (RBAC), least-privilege policies, and allowlists or blocklists for tools, software, and applications. These prevent employees and adversaries from downloading and installing unauthorized software. They also deter adversaries from running administrator-level processes and commands on infected devices.
  • Prioritize patching based on a few considerations, which include the vulnerability’s impact on the organization’s data, the types and number of systems affected, the access level required to exploit the vulnerability, and how widely known the vulnerability is. The previously mentioned cybercriminal forum discussions relating to vulnerabilities can help organizations determine this information.
  • Ensure sensitive protocols like SMB, RDP, and UPnP are protected or disabled if they are not critical to operations. RDP servers and ports should be kept behind an RDP gateway and maintain strong and unique passwords.
  • Enable MFA for access to OWA and other login portals, virtual private network (VPN) clients and servers, and critical systems with sensitive data.
  • Implement an incident response plan (IRP) that includes the processes for data backup and restoration, notifying the appropriate team members and law enforcement, and ensuring business continuity.
  • Perform penetration testing and red team exercises that will allow you to identify weaknesses and fortify your defenses. Penetration testing coupled with a training exercise, such as a tabletop exercise, can help ensure that incident responders are prepared in the event of an incident.
  • Create a robust security awareness program that includes training on identifying phishing emails and how and when to report them to an incident response authority.
Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit