Despite law enforcement actions, fourth-quarter 2023 ransomware incidents still surpassed 2022 by nearly 70 percent, and the number of active ransomware groups grew by 34 percent.

Corvus Insurance recently released its Q4 2023 Ransomware Report, featuring data collected from ransomware leak sites. The report shows ransomware activity for the year surpassed 2022 totals by 68 percent, with a record-setting 4,496 total leak site victims, compared to 2,670 in 2022 and 3,048 in 2021.

Ransomware attacks increased each of the first three quarters of 2023 and then declined slightly in Q4. International law enforcement activity in Q4 disrupted the ransomware ecosystem, including taking down ALPHV/BlackCat, one of the most prolific ransomware gangs, and eliminating Qakbot, a pervasive family of malware used to gain access to victims’ networks.

As a result, Q4 attacks dropped by 7 percent from Q3. Despite this sequential quarterly drop, Q4 2023 activity was still up year over year, and Qakbot still accounted for 31 percent of the total ransomware volume for the quarter. In Qakbot’s absence, there was a noticeable shift to other malware strains such as “Pikabot” and “DarkGate.”

In Q3, the ALPHV/BlackCat ransomware group accounted for nearly a quarter of all victims in the legal industry (23.5 percent). This number declined by 8.8 percent in Q4, likely due to law enforcement disruption in December.

The transportation, logistics and storage industry experienced consistent increases throughout 2023. Lockbit 3.0 accounted for 22 percent of victims, while ALPHV/BlackCat comprised 16 percent. The industry is sensitive to business interruption and presents attractive targets to threat actors looking for high-pressure victims.

Active ransomware groups increased by 34 percent between Q1 and Q4 2023 as well-known ransomware groups fractured and leaked proprietary encryptors on the dark web. Members of larger defunct groups began forming splinter groups, and leaks spawned new ransomware operations.

“Throughout 2024, we will undoubtedly witness much of the same activity, as criminals continue to attack, shift, re-brand, and strike again,” said Jason Rebholz, CISO, Corvus Insurance. “Businesses should remain prepared with enhanced security controls and cyber insurance policies to help minimize risk.”

Corvus Insurance, now a wholly owned subsidiary of The Travelers Companies Inc., is headquartered in Boston, Mass. Corvus provides specialty insurance products enabled by data science, including Smart Cyber Insurance and Smart Tech E+O, among other products and digital tools.