Median Ransomware Demands Grow to $600K a Pop

The now-disrupted LockBit gang outpaced its competitors in volume in 2023, as ransom amounts spiked 20% year-over-year.

A pile of cash in different world currencies
Source: les polders via Alamy Stock Photo

When it comes to ransomware attacks, median initial ransom demands for 2023 spiked 20% year-over-year to reach $600,000, with some sectors hit much worse than that: The legal, government, retail, and energy industries are now routinely seeing median demands of $1 million or more.

That's according to Arctic Wolf, whose annual cybercrime report out this week shows that manufacturing-vertical victims showed up in 708 posts on various leak sites, making it the most represented industry — likely because production downtime is an existential threat to factories, making them a target that's particularly ripe for extortion.

Business services was the next most commonly listed industry sector on ransomware gangs' Dark Web sites with 450 instances, followed by education/nonprofit (321), and retail/wholesale (305).

LockBit Dominates Ransomware Activity

Meanwhile, the main groups carrying out the lion's share of cyberattacks come down to three (LockBit 3.0, BlackCat/ALPHV, and Cl0p), even though there are dozens of smaller operators like Akira, Royal, and BlackBasta operating out there, too.

LockBit, which was disrupted this week by law enforcement, was far and away the most prevalent, accounting for 926 attacks in Arctic Wolf's telemetry, more than double the 402 carried out by No. 2 BlackCat (which was disrupted in December), and 381 attacks claimed by Cl0p (subjected to Ukrainian police action in 2021).

Other researchers tracking the segment had similar findings.

"LockBit has a 25% share of the ransomware market," says Don Smith, vice president of threat intelligence at Secureworks Counter Threat Unit. "Their nearest rival was BlackCat at around 8.5%, and after that it really starts to fragment. LockBit dwarfed all other groups and so [the takedown this week] is highly significant."

He adds, "In a highly competitive and cutthroat marketplace, LockBit rose to become the most prolific and dominant ransomware operator. It approached ransomware as a global business opportunity and aligned its operations, accordingly, scaling through affiliates at a rate that simply dwarfed other operations."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights