Incident Response & Threat Intelligence
Threat Advisory
Incident Response & Threat Intelligence

GRIT Ransomware Annual Report 2023 (Q1-Q4)

Download Now

2023 Ransomware Analysis Report

2023 saw an 80% YoY increase in ransomware activity, driven in part by multiple mass exploitation campaigns impacting hundreds of organizations. In total, GRIT observed 63 distinct ransomware groups leverage encryption, data exfiltration, data extortion, and other novel tactics to compromise and publicly post 4,519 victims across all 30 of GRIT’s tracked industries, and in 120 countries.

“While mass exploitation campaigns contributed substantially to this large increase, we saw a significant increase in ransomware activity overall,” said Drew Schmitt, Practice Lead, GRIT. “New entrants in the ransomware ecosystem had repeated opportunities either through reduced technical barriers such as the recycling of leaked ransomware builders and commodity malware, or the recycling of previously leaked data for attempted re-extortion and claims of attacks that never were.”

  • Manufacturing and Technology remain the two most-impacted industries representing 12.9% and 7.9% of all victims, respectively. Manufacturing was the most impacted industry for almost every month in 2023, excluding May, when it placed behind Technology by a single observed victim. From an industry perspective, GRIT observed most impacts affecting a limited subset of industries with roughly 2/3 of all observed victims belonging to one of the “top ten” most-impacted industries. 
  • The United States was by far the most impacted country in 2023. Among posted victims, 2,199 were US-based organizations, accounting for 49% of all observed ransomware attacks in 2023. Eight out of the ten most impacted countries were within North America and Europe, with Brazil and Australia as the sole outliers. The same “top ten” most impacted countries were home to 76% of all observed victim organizations, of which 27% impacted non-US countries.
  • The top three most prolific Established groups—LockBit, Alphv, and Clop—continue to account for not just the lion’s share of victims but also much of the innovation and tactical changes across the ransomware ecosystem. 

In 2023, ransomware continued to increase in terms of impact, sophistication, and the number of participating actors, indicating that the ransomware ecosystem has not yet reached a point of market saturation. GRIT expects ransomware impacts to continue on an upward trajectory in 2024 based on Established groups continuing to leverage high-severity and zero-day vulnerabilities as a reliable means of exploiting victims at scale.

This report is based on data obtained from publicly available resources, including threat groups themselves, and insight into the ransomware threat landscape.