Image: The Record|

Ransomware predictions in 2023: more gov’t action and a pivot to data extortion

There were thousands of ransomware attacks in 2022, from breaches targeting militaries to incidents that brought entire governments to a standstill.

Ransomware giants like Conti closed shop, while groups like LockBit and Hive took their place, attacking thousands of hospitals, governments, businesses and schools across the world. 

So what does 2023 have in store for us? The Record surveyed analysts to get their sense of what's to come.

2023-01-2022_1209-Ransomware-Tracker-Most-Prolific-Ransomware-Groups-1-1024x607.jpeg

Emsisoft threat analyst Brett Callow told The Record that when it comes to ransomware, this year may largely be a repeat of what was seen in 2022.

But he noted that governments could continue to step up efforts to counter ransomware, as policies “shape the ransomware landscape as much as the cybercriminals do.”

“For example, state or country-level bans on the payment of ransoms may shift attacks to other jurisdictions. Offensive actions by a particular country may have a similar effect. And actions against larger ransomware-as-a-service operations may result in the proliferation of smaller, throwaway brands,” Callow said. 

“One thing that is certain is that the gangs will continue to experiment with new tactics. They’ll attempt to find new markets – we may already be seeing that with attacks on national governments – and they’ll test new strategies in an attempt to increase their conversion rates. Whether any of those strategies stick entirely depends on how companies respond to them. Remember that so-called ‘double extortion’ became a standard play only because companies decided to give in to it.”

Recorded Future ransomware expert Allan Liska echoed Callow’s assessment, noting that 2023 will likely see more governments increase their efforts to address the ransomware issue. 

Initiatives like the Ransomware Task Force and laws at the local level to prevent ransomware payments will continue to be pushed alongside mandatory reporting rules. 

“Governments are finally starting to take ransomware seriously (to be clear, there have always been pockets within governments that have taken ransomware seriously) and taking action to reduce payments and figure out ways to go after ransomware groups in ways that will disrupt their infrastructure and operations,” Liska said. 

(ISC)²’s Jon France warned that 2023 may see ransomware groups evolve further and attempt to monetize several aspects of an attack. France said groups will now demand a ransom for unlocking data – or a “return to business” – and expect another ransom for not going public with data theft. 

Because recovery protections continue to improve, ransomware groups will likely shift to pushing the reputational damage that comes from data theft and leakage, France said. 

He added that groups will lean more on attacking weak parts of a supply chain in an effort to harm better-protected entities and extract larger ransoms. 

Some experts expect tougher responses from law enforcement agencies, which have already increased attempts to disrupt ransomware groups. 

Deep Instinct’s Mark Vaitzman said several threat groups suffered from gang members' arrests around the world including Lockbit in Canada, Zeus in Geneva and REvil in Russia.

“These arrests will probably happen even more frequently in 2023 as threat actors pose a serious threat to financial security, national security and even human lives,” he said.

“The FBI and similar authorities are promising millions of dollars for information about these cybercriminals.” 

Vaitzman told The Record that the war in Ukraine is also having an impact on the ransomware ecosystem. 

Companies that fled Russia due to the sanctions have left programmers with fewer opportunities, and threat actors are actively recruiting new members with promises of riches. 

He noted that there are already signs that poorly-made ransomware – called “skidware” by experts – like Venus has originated from Russia.

“Hopefully, in 2023 the war will come to an end, and we may see more ransom attacks on private companies as a result,” he said. 

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.