Victims of Ransomware Attacks in 2023 Increased 71% Over 2022 Levels


May 23, 2024

World map

New research indicates that the number of ransomware attack victims increased by 71% in 2023, driven by a 30% increase in the number of identified ransomware operators from 2022 levels.

"In 2023, every third incident (33.3%) was related to ransomware, which remained the primary threat to all organizations, whatever sector of economy or industry they belonged to. Another important trend observed in 2023: attacks via contractors and service providers, including IT services, became one of the top three attack vectors for the first time,” the report notes.

“This approach facilitates large-scale attacks with less effort, often going undetected until data leaks or encrypted data are discovered. If speaking about ransomware, trusted relationship attacks were among four of the main initial infection vectors. Another three were: compromise of internet-facing applications, which accounted for 50% of all ransomware attacks; compromised credentials (40%), of which 15% were obtained as a result of brute force attacks; and phishing.”

Takeaway: Ransomware attacks pose a significant threat to organizations of all sizes and industries. By fostering a culture of cybersecurity, investing in the right technologies and personnel, and developing comprehensive incident response and business continuity plans, organizations can minimize the impact of ransomware attacks and maintain a strong security posture.  

As well, in understanding and addressing the unique challenges that ransomware presents, stakeholders can work together to protect their organizations and maintain the trust of their customers and employees.  

Financial losses, operational disruptions, data exfiltration, reputational damage, legal consequences, and the evolving threat landscape are all factors that demand attention.  

To protect your business, invest in robust cybersecurity measures, engage in ongoing employee training, and cultivate a culture of cybersecurity awareness. Collaborate with legal counsel to navigate the legal and regulatory landscape and develop a crisis communication plan to address reputational damage.    

Achieving cyber resilience requires more than just robust cybersecurity measures; it demands a comprehensive understanding of an organization's preparedness to withstand and rebound from cyber incidents. Central to this endeavor is the strategic selection and diligent monitoring of key performance indicators (KPIs) and metrics tailored to assess cyber resilience effectively.  

Here are some of the essential metrics that can assist in bolstering cyber resilience:

Mean Time to Detect (MTTD): This measures how long it takes for an organization to detect a cyber threat or incident. A lower MTTD indicates better detection capabilities. MTTD is a key indicator that can be used to determine whether an organization is properly prepared to respond to threats in a timely manner. Lowering the MTTD can help contain the lateral movement within an organization and is an effective way to reduce the potential impact spread in a breach.  

Mean Time to Respond (MTTR): This measures how long it takes for an organization to respond to a cyber threat or incident once it has been detected. A lower MTTR indicates faster response capabilities. Once an incident has been detected how quickly is an organization able to respond to the event, in order to effectively lower this metric, consider the outcomes of tabletop exercises and implementation of lesson learned during incidents that should provide indications of area for improvement in the response.  

Incident Response Plan Effectiveness: Assess the effectiveness of the incident response plan by measuring how well it is followed during a cyber incident, including factors like containment time, communication effectiveness, and coordination among response teams. In order to have an effective cyber resilience strategy it is key that an organizations response plans are effective and followed, if the plan is not being followed it can lead to an increase in the time required to respond and effectively mitigate the issue. Evaluate whether the plan needs to be changed to address changes in the threat landscape, risk themselves, or the organization response.  

Cybersecurity Training and Awareness: Measure the effectiveness of cybersecurity training programs by tracking metrics such as employee awareness levels, completion rates of training modules, and performance in simulated phishing exercises. At the end of the day cyber incidents often have at least some if not a major human component. Evaluate the effectiveness of the training you are providing and the way it is provided. Often organizations provide a “one size fits all” approach to cyber training and awareness, this unfortunately misses the mark, a successful approach for a developer will not address the same needs for the CFO.  

Cybersecurity Hygiene: Track metrics related to cybersecurity hygiene practices, such as the frequency of system patching, vulnerability scanning results, and compliance with security policies and standards. Hygiene should be table stakes for any organization trying to increase their cyber resilience, however this is often not the case. Create a prioritized approach to address the hygiene issue. Avoid the pitfall of chasing the next new cyber solution until you have a successful approach to address your organization's cyber hygiene.  

Cyber Risk Exposure: Quantify cyber risk exposure by assessing the organization's risk posture based on factors such as asset criticality, vulnerability severity, and threat likelihood. If you don’t have a valid way to measure your exposure, then you have little ability to identify where to prioritize your resources and increase your resilience.  

Third-Party Risk Management: Track metrics related to third-party cyber risk, including the number of third-party assessments conducted, the level of compliance with security requirements, and any incidents or breaches involving third-party vendors. In today's interconnected world it's impossible to have any perspective on the resilience of your organization if you can understand the risk that your third-party relationships and connections are introducing into the ecosystem you operate in.  

Security Controls Effectiveness: Assess the effectiveness of security controls by monitoring metrics such as intrusion detection/prevention system (IDS/IPS) alerts, firewall rule effectiveness, and malware detection rates. Are your controls effective? Should you be investing in other areas with potentially better ROI? Measuring whether you have implemented the right controls and are delivering the right results is important to consider.  

Backup and Recovery Metrics: Measure the effectiveness of backup and recovery processes by assessing metrics such as backup success rates, recovery time objectives (RTO), and recovery point objectives (RPO). In an incident, can you get the data back? How long will recovery take? Does it match the desired recovery window? This should be tested and confirmed that the expectation meets real world results.  

Business Continuity and Disaster Recovery (BCDR) Metrics: Measure the organization's ability to maintain operations during and after a cyber incident by tracking metrics such as recovery time objectives (RTOs), recovery point objectives (RPOs), and the success rate of BCDR exercises.  

Effective cyber resilience requires a holistic approach that incorporates proactive measures, rapid detection, efficient response, and robust recovery mechanisms. By monitoring and optimizing these key metrics, organizations can enhance their ability to withstand and recover from cyber threats, safeguarding their operations and maintaining business continuity.

Lastly, think about how often the plan is tested and confirm disaster recovery planning. Sometime this is outside of cyber, but it's important to confirm that your plans can be implemented in a true DR scenario and services remain available.

Halcyon recently published a reference guide that explores what each C-level executive should know about ransomware to ensure a strong security posture and protect their organization: What Executives Should Know about Ransomware. is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.