Last year was marked by an onslaught of ransomware attacks, impacting organizations across the board with varying degrees of sophistication and detrimental consequences, Rapid7 researchers found.

The report examined ransomware statistics from 2023, drawing from a blend of publicly available data, ransomware group posts and Rapid7’s own incident data.

While many ransomware groups employed leak sites to intensify pressure on victims, the number of unique ransomware families decreased by over half, suggesting existing models remain profitable.

The researchers noted reports of around 5,200 ransomware cases in 2023 might, in fact, underestimate the actual count due to the likelihood of unreported attacks.

Coveware reported an average ransom payment of $850,700 in Q3 2023, representing only a fraction of the total costs, including downtime, reputation damage, lost business, labor hours, increased insurance coverage and legal fees. Alarmingly, 41% of victims chose to pay the ransom.

The top five active ransomware groups, supported by robust initial access brokers, included Alphv (BlackCat), BianLian, Cl0P, LockBit and Play. Analyzing their methods against the MITRE ATT&CK model, Rapid7 Labs mapped out the modus operandi of these attacks.

Several ransomware groups underwent transformations or ceased operations last year, reflecting the dynamic nature of the landscape.

Notable instances include the disruption of Hive ransomware in January, BlackByte’s rebranding to Black Suit, and the exit scam executed by NoEscape (formerly Avaddon).

Looking ahead to 2024, the report predicted the top five groups are expected to persist, while emerging groups such as Cactus, Rhysida, 8base, Hunters International, Akira and the recently surfaced Werewolves group demand vigilance, indicating the evolving nature of ransomware threats.

Patrick Tiquet, vice president of security and architecture at Keeper Security, said ransomware groups employ a variety of tools and techniques to carry out their attacks, including phishing kits, malware, brute force tools and data exfiltration tools.

“Defending against these tools requires a combination of robust cybersecurity measures, including advanced threat detection, endpoint protection, network segmentation and user education,” he explained.

Rather than focusing solely on identifying specific ransomware variants, organizations need to pivot toward understanding and mitigating the underlying tactics, techniques and procedures (TTPs) employed by attackers.

“This strategic shift acknowledges that threat actors are increasingly leveraging existing malware with modified TTPs, making it crucial to recognize broader attack vectors,” he said.

Continuous monitoring of network and endpoint activities is essential for real-time detection and response, allowing organizations to contain and mitigate the impact of ransomware incidents promptly.

“Organizations must take a proactive approach to regularly update software and immediately patch vulnerabilities that can be exploited in cyberattacks,” Tiquet added. “While not every attack can be prevented, steps can be taken to mitigate the access of cybercriminals and minimize impacts on systems, data and operations.”

He pointed out that addressing the resilience of ransomware groups like AlphV requires a concerted and coordinated effort on a global scale.

“The many formidable challenges these groups pose to authorities include the global and decentralized nature of operations, the continuous evolution of sophisticated techniques and jurisdictional limitations,” he says.

To effectively address these challenges, the sharing of relevant and accurate threat intelligence and international collaboration is imperative.

From the perspective of Sarah Jones, cyber threat intelligence research analyst at Critical Start, the escalating prevalence of ransomware attacks necessitates a fundamental shift from passive security measures to a proactive, multi-layered cybersecurity strategy.

“While the diversity of unique ransomware families may be decreasing, attackers are refining their methods, concentrating on targeted strikes, and continuously evolving their malware,” she said. “This demands a watchful and adaptable approach.”

Jones says general cybersecurity hygiene—including regular patching of vulnerabilities and implementing strong password policies—forms the bedrock of defense against any threat.

Implementing comprehensive solutions like endpoint detection and response (EDR), vulnerability management and security awareness training forms the foundation of an organization’s defense, analogous to well-equipped guards, secure infrastructure, and a knowledgeable citizenry.

“Regularly conduct backups to secure locations and test restoration processes to ensure a swift and effective recovery in the event of an attack,” she added. “By implementing these strategies and staying abreast of the evolving landscape, organizations can build a robust cybersecurity posture and navigate the rising tide of ransomware effectively.”