New report: An analysis of disclosure and messaging from open sources

  • Ransomware attacks are reported on slightly faster than in 2022; however, victims’ own disclosures remain low.
  • Nearly half of all victims did not disclose any type of incident at all in 2023, representing a significant increase compared to just under a quarter of victims in 2022 not providing a disclosure.
  • Dark web leak sites continue to provide the fastest coverage of incidents following the initial attack, averaging 35 days, though even threat actors appear to be slower in claiming an attack.

These are some of the findings from our analysis of disclosure and messaging trends related to ransomware attacks. Continuing from last year’s research, we set out to compare how ransomware attacks were reported on publicly and how victim organisations chose to disclose attacks in 2023. We additionally analysed the changes in techniques used by ransomware actors, with vulnerability exploitation standing out.

Healthcare and education remain top targets for ransomware

Healthcare remains the most targeted sector, while education has overtaken government as the second-most targeted sector. Vice Society continued to focus its targeting on the education sector; however, many attacks against the sector were also claimed by Lockbit in 2023. The continued targeting of these sectors suggests that ransomware groups continue to count on a lack of proper security measures in these industries, which makes them an easy target. Unfortunately, such attacks can have major consequences, including downtime that could prevent patients from being seen, as well as high costs to often already underfunded organisations.

Ransomware disclosures still infrequent and vague

The speed at which ransomware attacks were publicly reported on in 2023 saw a slight increase when compared to 2022, averaging at a little over 41 days. However, public reporting still remains relatively slow, with fewer attacks reported on within the first week of an incident happening. When it comes to victim disclosures, even fewer organisations disclosed being a victim of a ransomware attack in 2023. The term ‘ransomware’ is also being used less frequently in disclosures, with many organisations continuing to use vague language to describe an attack, including ‘unauthorised access’ and ‘disruption’. While such vague disclosures may technically be correct, especially in cases where ransomware groups opt to focus on data theft rather than encryption, the potential wider impact of the incident is rarely communicated properly.

Vulnerability exploitation increasingly leveraged by ransomware actors

Threat actors continue to find new ways to apply pressure to victims, such as via triple extortion attacks, with the introduction of new vectors like direct threats to employees and customers of victim organisations, or the victim being targeted by follow-up distributed denial-of-service attacks.  

Initial access methods also appear to have changed. While regular phishing campaigns will continue to be used by some ransomware groups, others rely on initial access brokers, and some have instead moved on to vulnerability exploitation as their method of entry. Though the MOVEit Transfer flaw was initially exploited as a zero-day, this is not necessarily always the case, with many threat actors exploiting recently patched flaws, often relying on publicly available exploit code. With the extensive supply chain attacks we have observed throughout 2023, organisations need to keep up with changes to techniques and ensure they have an efficient patch prioritisation process in place to reduce the wider risk of an attack, and ultimately the risk of supply chain compromise.

Legal action against ransomware increases globally

Despite there being a greater share of victims not disclosing incidents overall compared to 2022, more countries are introducing new reporting requirements of cyber incidents and are discussing whether to ban ransom payments entirely. Many countries are now also starting to commit to reporting requirements of cyberattacks. Obligatory reporting helps in holding victim organisations accountable for their security and potential errors, while ensuring that affected parties are informed quickly.  

While we have not seen a complete ban on ransom payments, the ongoing discussions on the topic may be the first steps in identifying how to disrupt the funding mechanisms of ransomware groups – and remove their financial incentive entirely. Continuous law enforcement efforts have also successfully taken down a number of prominent ransomware groups, including Lockbit, whose operation was disrupted on February 20th, 2024. Since then we have already seen a noticeable dent in the number of attacks in 2024.

Final thoughts

Given the continued lag of victim disclosures, with details of attacks still surfacing across various channels, access to both open-source media and deep and dark web data, coupled with appropriate analytics and reporting, is still one of the most effective ways of receiving timely and actionable intelligence on ransomware attacks. The Silobreaker threat intelligence platform can help in boosting visibility into ransomware attacks, with organisations able to pivot between millions of open and deep and dark web sources and finished intelligence data, giving a holistic overview of the threat landscape.

Read the full report here.