Median Ransomware Demands Grow to $600K a Pop – Source: www.darkreading.com

Source: les polders via Alamy Stock Photo

When it comes to ransomware attacks, median initial ransom demands for 2023 spiked 20% year-over-year to reach $600,000, with some sectors hit much worse than that: The legal, government, retail, and energy industries are now routinely seeing median demands of $1 million or more.

That’s according to Arctic Wolf, whose annual cybercrime report out this week shows that manufacturing-vertical victims showed up in 708 posts on various leak sites, making it the most represented industry — likely because production downtime is an existential threat to factories, making them a target that’s particularly ripe for extortion.

Business services was the next most commonly listed industry sector on ransomware gangs’ Dark Web sites with 450 instances, followed by education/nonprofit (321), and retail/wholesale (305).

LockBit Dominates Ransomware Activity

Meanwhile, the main groups carrying out the lion’s share of cyberattacks come down to three (LockBit 3.0, BlackCat/ALPHV, and Cl0p), even though there are dozens of smaller operators like Akira, Royal, and BlackBasta operating out there, too.

LockBit, which was disrupted this week by law enforcement, was far and away the most prevalent, accounting for 926 attacks in Arctic Wolf’s telemetry, more than double the 402 carried out by No. 2 BlackCat (which was disrupted in December), and 381 attacks claimed by Cl0p (subjected to Ukrainian police action in 2021).

Other researchers tracking the segment had similar findings.

“LockBit has a 25% share of the ransomware market,” says Don Smith, vice president of threat intelligence at Secureworks Counter Threat Unit. “Their nearest rival was BlackCat at around 8.5%, and after that it really starts to fragment. LockBit dwarfed all other groups and so [the takedown this week] is highly significant.”

He adds, “In a highly competitive and cutthroat marketplace, LockBit rose to become the most prolific and dominant ransomware operator. It approached ransomware as a global business opportunity and aligned its operations, accordingly, scaling through affiliates at a rate that simply dwarfed other operations.”