The Problem with Relying on Criminals for Data
Ransomware attacks were up 70% in 2023...we think
How many ransomware attacks were there in 2023?
According to data scraped from data leak sites, there were ~4399 (sites go up and down, scrapers break, etc., so this number is always an estimate). In all of 2022 there were 2581 victims posted to data leak sites. That is a 70% increase from 2022 to 2023.
The problem is, almost all reporting on ransomware attacks relies on data from ransomware actors. Some companies, like Coveware, will publish regular reports based on numbers from cases they’ve worked and most incident response companies can provide trending data based on what they’ve seen, but they can’t share too much information because of client NDAs and other agreements.
Even governments which require reporting from specific sectors generally don’t share that information publicly (with some exceptions), even though it would be incredibly useful for researchers and the general public.
For the largest victims, this situation could be changing with the new SEC breach disclosure rules. But most ransomware attacks are not against publicly traded companies in the United States (we think). And, of course, we have to be careful that breach disclosure rules cannot easily be weaponized by the cybercriminals.
Why is it a bad idea to trust cybercriminals for breach reporting? The obvious answer is that ransomware groups are liars. But, specifically, researcher Valéry Rieß-Marchive has documented numerous cases of ransomware groups double-posting victims or just making up victims in an effort to “pad their numbers.”
We consistently see underreporting of victims by ransomware groups. Some of that comes from the estimated 25-30% of victims who pay the ransom, but there are a host of reasons that a victim may not appear on a data leak site. One of the most common, possibly more common than the victim paying the ransom, is that the affiliate grabbed useless data, or no data at all, from the victim during the exfiltration stage. Ransomware groups are often loath to post data that they deem to have little value or impact, and data exfiltrations fail for a variety of reasons.
That’s why, when ransomware groups are taken down, we often find that as many as 80% of victims never made it to the extortion site (for example, the Hive takedown).
So, what can we do? The easiest solution is for governments that require reporting to start making that data more available. Of course, doing so will require more streamlined reporting, something the government (in the US) is actively working on but is definitely not there yet. We also have to find ways for organizations to more easily share data so that we all understand what the situation looks like, again without running afoul of NDAs or other confidentiality agreements.
Unfortunately, until then, we are stuck with the same problem: relying on criminals to provide us with numbers that we know are incomplete and inaccurate.