blog

Ransomware Trends 2023: The Who, What, and Why

Published

Mar 30, 2023

Updated

Nov 20, 2025

Authors

Black Kite

See Black Kite in action

BOOK A DEMO

Identifying ransomware trends is like a game of Clue: The setting is often the same, but the suspects and murder weapons change. Instead of Colonel Mustard in the library with the wrench, the culprit is often an international ransomware group with malware.

But as ransomware (like a Clue murder weapon) changes, it’s important also to be aware of the changing players and their motivations. Knowing more about the threat landscape will better protect your organization from a late-night mystery incident, breach, or attack.

In this blog, we’ll crack the case for you by looking at the Who (top ransomware groups and actors), What (organizations and industries targeted), and Why (bad actors’ motivations) behind the biggest ransomware trends of 2023.

The “Who”: Top Ransomware Groups of 2023

In 2022, about 25% of cybersecurity attacks involved ransomware – and that number is only growing. Organizations and cybersecurity experts should closely monitor for updates on ransomware bad actors and groups to help guard against this growing attack type in 2023.

To face off with the top ransomware groups, organizations must understand what makes these groups so good at what they do. Cybersecurity specialists evaluating ransomware groups often look at data such as:

The number of successful attacks.
The sophistication of attacks.
Size of ransom collected from targets.

Experts also consider a threat actor’s background details (like the attacker’s country of origin and previous attack history) to piece together context around bad actors’ motivations, especially when filtered through current events.

All this information helps security teams identify the patterns and common signs that an attack is imminent – it helps them figure out the “Who” in the cybersecurity game of Clue.

Top 5 Ransomware Groups in 2023 (So Far)

When starting from square one, it can be challenging to know which ransomware groups to check up on – or even which ones are out there.

To help jumpstart your teams’ cybersecurity sleuthing, here’s a cheat sheet on the top five ransomware groups dominating today’s threat landscape:

The LockBit Group: A ransomware gang widely considered the most prolific in the world. Last year, LockBit was responsible for over 30% of ransomware attacks. This group also provides ransomware as a service (RaaS), a cybercrime model that sells or rents out ransomware software to affiliates.
Since January 2023, LockBit has attacked Royal Mail, the British postal service and courier company, and demanded a ransom of $79.85 million to return the company’s stolen data. Our research also shows that LockBit was allegedly able to breach a third party connected to SpaceX and subsequently seize 3,000 drawings and schematics by the aerospace company’s engineers.
C|0P (Clop) Ransomware: In operation since 2019, this group began with brute-force tactics on Remote Desktop Protocol (RDP) endpoints. Clop’s attacks are evolving and show increasing sophistication, like double-extortion tactics. The group is also targeting larger organizations. Recently, Clop claimed to attack and steal data from over 130 organizations by exploiting a zero-day vulnerability in GoAnywhere MFT’s secure file transfer tool.
ALPHV (BlackCat): Although it’s only been active since 2021, this newer ransomware group is seen as “exceptionally capable” by the U.S. Department of Health & Human Services. ALPHV uses Rust to program its ransomware, which makes it highly customizable and adaptable. This group is responsible for many of the fuel logistics and transportation services attacks in Europe and responsible for 13% of all ransomware attacks that have occurred so far in 2023.
Royal Ransomware: Everybody knows Conti, a notorious (but now defunct) ransomware group. Some security experts believe Royal’s group members were part of the now-disbanded group.
Active since 2022, Royal Ransomware created a custom-made file encryption program that disables antivirus software, steals large amounts of data, and encrypts the systems to prevent retrieval. The group is dedicated to quickly producing variants and is known to rapidly adopt and implement newer techniques.
AvosLocker: Active since 2021, the AvosLocker ransomware group has been making a name for itself by targeting critical infrastructure sectors in the U.S., and other organizations worldwide. This group functions primarily through RaaS and is actively recruiting ransomware affiliates. Recent victims include California Northstate University in 2022: The group stole employee and student admissions data and leaked that year’s W-2 statements for the university’s president.

Ransomware as a Service (RaaS) — Operators and Affiliates

What exactly is RaaS, and what does it have to do with the current threat landscape?

Ransomware attacks are growing more sophisticated. The rise of RaaS is a significant factor. Ransomware as a Service functions like software as a service (SaaS), providing a complete ransomware product (often with support) for the user and making the launch of devastating attacks a lot more accessible to bad actors without tech backgrounds.

Here’s what the rise of RaaS tells us:

When thinking about ransomware actor profiles, coding is no longer a prerequisite.
The threat landscape is a lot wider. Anyone looking to target an organization can do so, regardless of their hacking abilities.
Attacks will grow more targeted as actors tailor RaaS to exploit an organization’s weaknesses.

The “What”: Targeted Industries and Organizations

As top ransomware groups change yearly, so do the targeted industries and organizations. That’s the “What” of our game of ransomware Clue — currently targeted organizations and industries.

Why do ransomware targets shift? The reason depends on various factors, including:

Political Events: Wars, conflicts, and sanctions can significantly impact what companies and industries ransomware gangs are keen to target. For example, the Russian-Ukrainian War dramatically shifted Russian-based hacking groups’ focus to Ukrainian and Polish transportation and logistics organizations.
Health Crises: Global events, like health crises, can also motivate ransomware gangs to shift their sights. Ransomware attacks grew exponentially during the pandemic as threat actors capitalized on weak security controls in a largely remote workforce. They also targeted healthcare systems experiencing significant strain during COVID-19, leaving their cybersecurity programs vulnerable to exploits.
While some ransomware groups denied attacking healthcare organizations during the pandemic, even the Champaign-Urbana Public Health District and World Health Organization experienced malicious threats.

Targeted Industries in 2023

As the world re-adjusts to post-pandemic (or at least pandemic-adaptive) life, so are ransomware gangs re-adjusting their pursuits to suit their current goals and needs. Whether it be for personal or political reasons, here are the industries that bad actors have set their sights on for 2023:

Manufacturing: Black Kite research identifies the manufacturing industry as the focus of most ransomware attacks this year. In fact, 30% of ransomware attacks detected in 2023 have already targeted the manufacturing sector.
Why? Ransomware threat actors know that manufacturing organizations have a low tolerance for downtime, so they’re more likely to pay a ransom than suffer the effects of business disruption (such as loss of revenue, decreased productivity, etc.). They also know hitting manufacturers in their supply chains can cause lasting damage, making manufacturing organizations even juicer targets for bad actor hopefuls.
Much of the manufacturing industry relies heavily on Operational Technology (OT). OT systems are difficult to patch, meaning ransomware threat actors can easily exploit vulnerabilities with older variants.
IT/Tech: Between 2021 and 2022, 61% of organizations in the IT/tech sector dealt with ransomware attacks. The role of tech has grown exponentially over the past decade, so ransomware actors are looking to cast a broader net by targeting the industry.
Why? Because it’s the easiest way to kill two birds with one stone. Most tech products and services are distributed through digital networks, which means that a successful attack’s effects can cascade to other customers within the network.
Healthcare: 66% of healthcare organizations reported a ransomware attack last year. In fact, the healthcare industry ranks as the most common victim in our 2023 Third-Party Breach Report. With treasure troves of sensitive PHI and financial data, healthcare organizations are prime targets for ransomware gangs looking to cash in big.
Similarly to the manufacturing industry, healthcare systems have zero tolerance for downtime. That’s because when business disruption is on the line, so are patients’ lives. Ransomware actors exploit this inherent vulnerability, and they do it creatively.
The proliferation of sophisticated medical devices and mobile health apps has created additional endpoints for ransomware actors to hit the healthcare sector where it hurts: Patient health.

The “Why”: What’s Motivating Ransomware Groups in 2023?

One way to safeguard your organization from ransomware gang attacks is to hone in on ransomware gang motivation. Identifying the “why” behind what ransomware threat actors do makes it easier to connect the dots and determine what data, assets, or vulnerabilities in your systems are most enticing.

Here are some of the top reasons why ransomware gangs do what they do:

It’s Still About the Money

Even as ransomware attacks rise, overall ransomware payments are down. In 2022, ransomware groups took in a total of $457 million. In 2021, however, that figure was almost twice as high at $766 million. Security specialists believe the downturn in collecting cash is due to a growing number of victims refusing to pay up. That means ransomware groups are likelier to go after targets that will give them a lot of bang for their buck.

On the other hand, ransomware attacks are also under-documented. According to the Senate Homeland Security committee, 75% of ransomware attacks go unreported. Why? Usually, it’s due to companies looking to preserve their reputation, preferring to simply pay the ransomware group, reclaim their data, and move on. This willingness to pay the ransom and avoid reporting means that individual ransomware payouts are likely much higher. In fact, in the final quarter of 2022, the average ransomware payment was 58% higher than the previous quarter.

Remember, ransomware gangs aren’t just a random assortment of people in hoodies at computers. They’re sophisticated crime syndicates that operate like an (illegal) business. That means they have typical business concerns, like streamlining workflows, staying within budget, and acquiring profit.

Revenge Ransomware

It pays to be petty. With the rise of RaaS, the technical expertise required to code and implement ransomware is a thing of the past. That means any spurned lovers (or more likely, rivals and users) can harness the power of ransomware to mend their betrayed hearts.

Before, revenge ransomware usually occurred when ransomware groups found themselves attacked by a victim with the skills to do some hacking of their own. Now, organizations are wreaking havoc on their competitors. Today, any individual that feels slighted by a company can access the best ransomware in the world (along with the support to successfully implement it) as long as they’re willing to pay a fee.

Of Course, It’s Political

When it comes to ransomware, it’s almost impossible to avoid some political motivations. That’s especially true during times of war (like with Russia-Ukraine) or geopolitical tension (China-Taiwan, North Korea, etc.).

For a few years, security specialists have been tracking the evolution of ransomware and hacktivism — or digital attacks done for political activism. Hacktivism events have increased in frequency, and they don’t always deal with money. For example, in 2022 a Belarusian ransomware attack on the country’s railway service demanded the release of 50 political prisoners instead of the standard ransom.

With growing attacks in the U.S. public sector, more politically motivated ransomware attacks in the Russian-Ukraine War, and increased hacktivism from developing global conflicts, this trend will likely continue into 2023 and beyond.

With Ransomware, It’s an Ongoing Investigation

Definitively predicting the ins and outs of what ransomware groups will do next is anyone’s guess. Most cybersecurity experts agree on this theme: Organizations must be vigilant. The ubiquity of ransomware puts virtually all organizations — and as a result, their digital supply chains — at risk, regardless of industry.

That’s why leveraging tools like Black Kite’s Ransomware Susceptibility Index (RSI™) is critical. You’ll get information on third-party vendor risk, ransomware susceptibility of your vendors, and remediation insights to help boost your organization’s cyber defense — and catch the culprits before they commit the crime.