The FBI’s annual summary of the previous year’s cybercrime activity shows just about everything trending in the wrong direction: incidents are up, costs and damages are up, and ransomware is returning to the heights it hit during the depths of the Covid-19 pandemic.
The total number of complaints set a record in 2023, fueled largely by a sharp spike in cryptocurrency fraud. And after something of a lull in 2022, the cost of ransomware attacks jumped 74%. The lone piece of good news on the ransomware front is that 2023’s cybercrime leaders, LockBit and ALPHV/BlackCat, were both recently crippled by law enforcement and are believed to be on their way out of business.
Cybercrime losses from scams, business email compromise and ransomware at alarming levels
The total cost of cybercrime jumped to $12.5 billion in 2023, and the FBI logged a record 880,418 complaints (a 10% increase from the previous year). Two familiar culprits from recent years, investment scams and business email compromise, are driving much of this surge. But it is also being fed by ransomware attacks, which came close to doubling in total cost from 2022 to 2023.
While the ransomware attack count was up 18% from 2022, to a total of 2,825 recorded incidents, costs were up 74% (to $59.6 million). This suggests that ransomware gangs are still tending to hunt “big game,” an assumption supported by the fact that just under half of 2023’s incidents hit critical infrastructure companies. Fourteen of the 16 critical infrastructure sectors designated by CISA experienced ransomware attacks last year. Healthcare facilities and services were most commonly targeted, followed by manufacturing and government facilities.
Collectively, LockBit and ALPHV/BlackCat were credited with 275 of these attacks. The FBI has spearheaded international actions against both of these groups in recent months, seizing infrastructure and leaving them in such a diminished state that their members are believed to be scattering. It is unclear who will emerge as the new cybercrime king, but the leading groups behind these two in 2023 were Akira, Royal and BlackBasta.
Darren Williams (CEO and Founder of BlackFog) notes that though ransomware is still a leading threat, it has become almost secondary to data extortion, to the point that some gangs have now dropped the “ransomware” part entirely: “Extortion pays, so it comes as little surprise that it continues to be one of the most used tactics for attackers. Many organizations make it easy for attackers to access and steal sensitive data by focusing on perimeter defense instead of watching the back door. Once a hacker infiltrates a device or network and data is exfiltrated, the extortion that follows can be endless for the victims. Anti-data-exfiltration technology ensures that even when attackers gain access, they are unable to leave with any data, ultimately putting an end to extortion.”
An important caveat that always accompanies these annual reports is that these are only the “official” numbers. Total incident and damage counts are likely much higher, given that a substantial number of attacks, possibly even the large majority, go unreported. The heavy representation of critical infrastructure companies in this year’s ransomware figures may reflect new reporting requirements put in place by the Biden administration specifically for those sectors.
Cybercrime categories focus on specific demographics
While ransomware gangs generally target large and well-funded companies expected to hold lots of valuable and sensitive data, other categories of cybercrime tend to find success with specific demographics.
Elderly people have traditionally been a prime target for scammers, and this remains true for tech support and government impersonation scams, where more than half of victims are over the age of 55. In total, the majority of the complaints to the FBI came from those over 60 years of age. But investment scammers are finding the most fertile ground among younger Gen X and older Millennial targets. The 30-to-49 age group is most heavily targeted by investment fraud schemes, which racked up $4.57 billion in total losses (an increase of 38% from 2022). Most of this jump was driven by crypto fraud scams, which alone accounted for $3.94 billion of that total and jumped by 53% from the prior year.
Data on individual states predictably tracks with population and the presence of financial hubs; California, Texas, Florida and New York lead the pack in reported losses, impacted data subjects and total number of complaints. But some of the smallest state populations have the highest complaints per capita, with the District of Columbia experiencing the highest rate, followed by Alaska, Nevada and Delaware. The District of Columbia also had the highest losses per capita.
The cost of cybercrime has been growing steadily year-over-year since 2019, when it stood at only $3.5 billion. But the IC3’s Recovery Asset Team (RAT) has also been slowly growing its ability to freeze and recover stolen funds, putting the brakes on at least $100 million in theft in 2023 and having at least some success in clawing back funds in 71% of the cases it becomes involved with.
Kevin O’Connor, Head of Threat Research (and former NSA cybersecurity analyst) at Adlumin, points to several other pieces of information in the report that are of interest to the cybersecurity industry: “One of the most striking things from the FBI’s IC3 report is its data about ransomware. The report backs up what we already knew anecdotally – that there was a huge spike in ransomware attacks over the past year. But it’s interesting to note how low the FBI data might actually be compared to reality. The report acknowledges this directly, saying that when the FBI infiltrated the Hive ransomware group, they found that only about 20% of victims had reported attacks to law enforcement. Since the FBI data is based on reported incidents, we know it won’t give a full picture. But when you compare it to the recent Chainalysis data that identified more than $1 billion in ransomware payments made through cryptocurrency exchanges last year, you see how low the FBI’s $60 million figure might actually be.”
“Another interesting observation is that healthcare was the sector most impacted by ransomware attackers, followed by critical manufacturing and then government. One reason for this could be the fact that – despite recent consolidation in the healthcare industry – there are still a lot of small and independent practices. When you think about any general practitioner, specialty physician or dentist office, for example, many of them are small and mid-sized businesses with limited resources. But the information they have to protect is much more valuable – and therefore, much more targeted by attackers – than most other ‘main street’ storefronts. The bottom line is, we need to do a better job helping these organizations protect the data they’re entrusted with,” added O’Connor.