Cybercriminals shift tactics to pressure more victims into paying ransoms

Ransomware didn’t just grow in the US in 2023, it evolved, with the frequency of ransomware claims jumping 64% year-over-year, according to At-Bay.

This was primarily driven by an explosion in “indirect” ransomware incidents which increased by more than 415% in 2023 than in 2022. Standing out among the biggest loss drivers were remote access tools, which accounted for 58% of ransomware attacks. Double leverage attacks – those using both data encryption and exfiltration – also grew by 51% in 2023, demonstrating that threat actors shifted their tactics to pressure more victims into paying ransoms.

“Vulnerabilities in remote access products continue to drive too many successful ransomware attacks,” said Rotem Iram, CEO of At-Bay. “Technology providers and cybersecurity professionals must prioritize securing the perimeter by default and improving response to emerging threats, understanding that small businesses are unlikely to be able to solve those on their own.”

Ransomware claims frequency grow

Ransomware claims frequency as a whole jumped 64% year over year, primarily due to the explosion of “indirect” ransomware claims whose frequency increased by 415%. Direct ransomware claims frequency increased by 17% in 2023. Attackers continued to exploit remote access technology, with 58% of direct ransomware incidents attributable to a remote access vulnerability. In addition, attackers shifted their focus from RDP to targeting self-managed VPNs, which accounted for 63% of the remote access ransomware events in 2023.

Two of the most popular self-managed VPNs stood out in ransomware claims data. Organizations using Cisco and Citrix self-managed VPNs were 11X more likely to fall victim to a direct ransomware attack than those using a cloud-managed VPN or no VPN at all. In contrast to the frequency, the severity of ransomware attacks dropped in At-Bay’s portfolio year-over-year.

Likely driven by more businesses successfully restoring from backups in the wake of an attack, the average cost of a direct ransomware attack decreased by 24% in 2023, to $370,000. The research has shown that companies who failed to restore their data from backups were 3X more likely to pay a ransom than those who couldn’t. Business interruption costs were also lower.

LockBit and BlackCat/ALPHV overshadowed other threat actors

The average ransom demand by attackers exceeded $1.26 million in 2023, though the average amount paid came in at $282,000, 77% lower than the initial demand on average. A ransom payment was avoided in more than half (54%) of the incidents At-Bay saw.

A combination of data encryption and exfiltration was the most common direct ransomware tactic. This double leverage tactic was used in 51% of incidents and was also the most costly for businesses. Encryption and exfiltration events saw the highest median ransom paid ($195,000) over encryption-only incidents ($66,000) or exfiltration-only incidents ($110,000).

LockBit and BlackCat/ALPHV far overshadowed other threat actors. Of the 41 unique ransomware strains observed over 2023, LockBit and BlackCat/ALPHV were used in 35% of all direct ransomware attacks.

“Too often, real-world data on cyber risk and its correlation with financial losses is inaccessible to businesses,” said Tara Bodden, General Counsel and Head of Claims at At-Bay. “As an InsurSec provider, our visibility into both empirical claims and cyber research data uniquely enables us to surface meaningful correlations with great accuracy. We’re committed to increasing transparency in the security ecosystem by sharing our data insights, and better enabling organizations to deploy their scarce cybersecurity resources for maximum impact.”