Ransomware attacks have seen a steep increase this year, 13% more than in 2021, and they’re not expected to slow down anytime soon. With that in mind, let’s take a look at the top ransomware trends you should be keeping an eye on as we move into 2023. Here’s what you need to know about the current state of ransomware and how it’s working today, where it might be heading in the future, and mindset strategies you can adopt to improve your odds.

Download the Q1 2023 Ransomware Report >

The Current State of Ransomware

Is ransomware on the rise? According to IDC, 33% of organizations globally have been victims of ransomware. This trend is not slowing down going into 2023: ransomware groups are getting more sophisticated, and attacks are becoming more targeted.

Certain industries are particularly at risk, and critical infrastructure increasingly so. According to the Cybersecurity and Infrastructure Security Agency (CISA), government agencies “observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors,” including finance, education, energy, and more.

Ransomware groups typically extort money from their victims by encrypting their files and demanding a random, but there is a rising trend of them relying on additional methods to extract revenue. A new breed of vendor is popping up in cybercriminal forums: the initial access broker. These brokers sell initial access, i.e., access to a compromised machine on a particular network or within a particular organization, to ransomware groups. This spares the ransomware gangs from expending resources on initial access so they can then focus on lateral movement, the ransom itself, and negotiation. The number of listings for initial access offerings increased by 58% between 2021 and 2022.

Ransomware Groups and the Evolution of the Ransomware Market

Attack strategies have shifted from simply encrypting business data to placing additional focus on data exfiltration. There are a couple of common ways attackers can profit from this stolen data: Extortion, where an attacker says “I’ve stolen your customer list and exfiltrated it to my infrastructure. Pay me $200,000 or I will leak it.” The other way would be to sell your exfiltrated data directly, e.g., by placing a username and password dump for sale on a darknet forum.

Double-extortion attacks, in which threat actors both hold your data for ransom and threaten to publish it online, have become a big trend since their inception in 2019. Threat intelligence company Digital Shadows (now ReliaQuest) uncovered 11 new extortion groups focusing solely on data leaks in 2022. Blackbyte is also famous for their use of double extortion.

To avoid the spotlight, infamous ransomware groups (think rEvil, Conti, etc.) are simply changing their names. According to KrebsonSecurity, “Reinvention is a basic survival skill in the cybercrime business. Among the oldest tricks in the book is to fake one’s demise or retirement and invent a new identity. A key goal of such subterfuge is to throw investigators off the scent or to temporarily direct their attention elsewhere.”

Just as the defensive cyber landscape is constantly evolving, so too is the offensive landscape. As we’re implementing more controls and additional detections, these ransomware groups are creating new toolkits to thwart defensive efforts.

Of course, new, less-experienced ransomware groups are popping up every day as well. Instead of being on the forefront, working at the cutting edge to keep up with or outsmart the defenders, these newer groups tend to rely on pre-made exploit kits and ransomware builders. There are a few ways they can acquire these tools—sometimes even from defenders who break into the larger ransomware gangs’ environments and leak their code in an attempt to undermine them. These lower-skilled groups can then use these tools to imitate their more-sophisticated counterparts.

Protect your organization’s web presence with ReliaQuest Digital Risk Protection >

Ransomware Defense Strategies for 2023

Recruitment for ransomware groups isn’t slowing down. In order to keep up with the evolving defense landscape, these groups are constantly hiring new developers and pen testers.

On the ransomware defense side, there are a few strategies that can help mitigate the risk associated with ransomware attacks.

Adopting a Mitigation Mindset

Always assume that a breach is possible, no matter your level of protection. One should always put effort into prevention, but attack detection and containment can be a more effective use of resources.

For this strategy, there are a number of tactics you should employ:

  • Think about every phase of the infection from the attack perspective. Thinking through the steps an attacker needs to take—recon, lateral movement, etc.—can help you cover all your bases.
  • Conduct regular tabletops with different parts of the organization. Simulating an attack can help expose vulnerabilities you might not have seen otherwise. Looping in teams or people who are familiar with a specific segment of the infrastructure but who otherwise don’t think from an adversarial standpoint can help uncover additional attack paths for mitigation. Consider the hidden “domain knowledge” their perspectives may bring.
  • Have a playbook for incidents and conduct regular exercises of them. Preparation is key. Regular exercises using live infrastructure will help ensure that your team is ready to react at a moment’s notice.
  • Understand your environmental baselines to quickly identify abnormalities. It’s critical to know what’s normal in your ecosystem so that anomalies are easier to spot. Measure beyond a list of hosts, have an understanding about what processes and destinations your hosts are running and reaching out to. The more specific inputs you can measure and have an acceptable baseline for, the better you can action on your telemetry.

Defense in Depth

To achieve defense in depth, you should have a layered defense strategy, including layered detection pipelines and security mechanisms or controls through the network.

Layered detection pipelines are the logical processes you have in place to collect, process, analyze, and react to events happening within your environment. It’s not just collecting logs—it’s about taking the “assume breach” mindset into account and considering the potential attack vectors in your own environment. That can help you prioritize which detection pipelines you need to focus on, for example:

  • Process logging
  • Network communication logging
  • Authentication logging

Next, let’s talk security controls. These are usually the tools or software you deploy in your environment. Active controls, like firewalls and email gateways, can help you mitigate risk within the environment. Other controls, like EDR, can serve your detection pipelines.

Finally, defense in depth also includes layered security design. When you’re introducing a new tool, consider how it affects the security posture of the organization as a whole. Introducing a new tool can introduce new attack paths into the network. There’s a possibility that the application itself contains vulnerabilities, or that the remote management capabilities provided by the vendor introduces a new attack path. Considerations should be made to account for these paths. Many security teams address this issue with a “zero trust” approach.

Investing in a Security Operations Platform

When defending against ransomware, visibility and flexibility are key. The ReliaQuest security operations platform, GreyMatter, empowers your security team during every stage of the ransomware lifecycle.

  • Stop initial entry. GreyMatter can automate the analysis of phishing incidents that make it past your email security gateway.
  • Stop the spread. GreyMatter ensures that your EDR tooling and threat intelligence capabilities are in sync and up to date. In addition, GreyMatter will assess the health of your EDR and determine which steps you should take to tune your content most effectively.
  • Automate response. Automation plays use root cause analysis of previous incidents to ensure that future attempts are automatically mitigated. It can automatically block malicious email domains, ban hashes, delete files, or quarantine hosts.
  • Continuous surveillance. ReliaQuest makes actively preventing, detecting, and analyzing ransomware simple by integrating and normalizing data from disparate technologies including SIEM, EDR, multi-cloud and point tools, on demand. It provides a unified view to immediately and comprehensively detect and respond to threats from across your environment.

Learn more about ReliaQuest GreyMatter for ransomware >


Ransomware has been around for a long time and continues to be one of the most popular forms of cyber attack—for good reason. It’s lucrative for the entire cybercrime supply chain, from the initial access brokers and exploit kit developers all the way to the ransomware actors themselves. In short, ransomware is much more than the final extortion. It’s an entire industry.

By keeping up with the latest trends, adopting a preventative mindset, and choosing the right security operations platform, you improve your ability to detect and respond to ransomware incidents before attackers gain a serious foothold.