Ransomware saw a resurgence in 2023, Mandiant reports

The cybersecurity firm said it saw an increase in activity from ransomware gangs last year after a “slight dip” in activity in 2022.
(Getty Images)

As law enforcement agencies conduct global operations against ransomware gangs, the number of incidents continue to rise unabated, per a new report from the cybersecurity firm Mandiant.

Researchers with the Google-owned firm said on Monday that they saw 50 new ransomware variants in 2023, with about a third branching off of existing malware. The report highlights the pervasiveness of the problem and the difficulties in slowing down cyber extortion. Even with the attention of the White House, a call-out in the national cybersecurity plan and increasingly aggressive law enforcement operations against them, cybercriminals made more than $1 billion from victim ransom payments last year.

Hospitals and the health care sector in particular have seen networks decimated, the report noted. Ascension, one of the nation’s largest health care systems, with 140 hospitals across 19 states, was impacted last month by the Black Basta ransomware variant, and the ongoing outage may be putting lives at risk.

Mandiant’s findings mirror a recent White House report on the nation’s cybersecurity posture, which also noted the apparent rise of ransomware attacks. One issue, however, is that the reporting of ransomware attacks is largely voluntary, so assessments of the prevalence of ransomware typically depend on the narrow view of cybersecurity companies, whose understanding of the phenomenon depends on their customer base and cybercriminal communities to which they have access.


The Cybersecurity and Infrastructure Security Agency is finalizing a reporting mandate that would require a large portion of the nation’s critical infrastructure owners and operators to notify the agency of ransomware payments within 24 hours.

Mandiant’s assessment of the rise in ransomware attacks is based in part on a 75% year-over-year  increase in the number of posts on data leak sites, which extortionists use to publicly pressure companies to pay ransom.

Mandiant, which said 2023 saw the highest number of data-leak site posts since tracking began in 2020, also recorded a 20% increase in investigations that the cyber firm leads. ALPHV and LOCKBIT were the most prolific variants that Mandiant saw last year, with each making up 17% of all activity.

The surge in ransomware attacks in 2023 followed “a slight dip” in extortion activities during the prior year, the report noted. Mandiant researchers theorized that 2022 could be an “anomaly” due to external factors such as the Russian invasion of Ukraine or the leaked Conti chats.

Christian Vasquez

Written by Christian Vasquez

Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out:  christian.vasquez at cyberscoop dot com

Latest Podcasts