Lessons Learned from 2023’s Biggest Ransomware Attacks

December 28, 2023  6 Min Read
By: Calamu

As 2023 winds to a close, the cyber world reels from another year of record breaking attacks. Globally, ransomware attack frequency is up 95% over 2022 and the number of victims exposed on leak sites rose to over 4,000.1 The average ransom in 2023 doubled from 2022 figures to a whopping $1.54 million.2

While these statistics may be alarming, there exists a silver lining. Studying the biggest attacks of the year gives us important insights into how attacks are changing and what defenses we need. Equipped with this understanding, the cybersecurity world is actively reforming its stance on ransomware readiness by bolstering detection mechanisms, introducing innovative tools such as self-healing capabilities, and enhancing secure storage methods to safeguard the ultimate target of every attack: the data.

Let’s examine the largest attacks of the year and the lessons gleaned from them.


Biggest Attacks of 2023

  • City of Dallas: In May 2023, the Royal ransomware group claimed to have encrypted the city’s critical data and threatened to leak sensitive information, impacting the lives of over 26,000 residents. The attackers gained entry by exploiting vulnerabilities in connected devices and through phishing emails. Financial damages: $8.6 million. 

  • MOVEit: In May 2023, Clop ransomware group exploited a zero-day vulnerability in third-party file transfer software, MOVEit Transfer, owned by Progress Software with the goal of stealing PII (personally identifiable information). MOVEit is used by thousands of organizations around the world and the attack is considered one of the largest hacks of the year, if not ever. Financial damages: $11 billion.  

  • MGM: In Sept 2023 ransomware-as-a-service group ALPHV, also known as BlackCat, orchestrated a large-scale attack on MGM Resorts using simple social engineering exploits. The attack impacted guest room access, amenities, parking systems, ATMS and casino games. MGM was forced to take the systems offline to contain the threat. Financial damages: $100 million.

  • Johnson Controls: In Sept 2023, industrial manufacturing giant, Johnson Controls, suffered a ransomware attack in which over 27 TB of corporate data was stolen from the company’s VMWare ESXi servers. Ransom demanded: $51 million.

  • Minneapolis Public Schools: In March 2023, ransomware group, Medusa, successfully exfiltrated and eventually leaked over 300,000 files exposing highly sensitive student information. Unlike other high profile attacks, this one gained notoriety not for the financial costs but for the nature of the leaked information.

  • 2023 saw attacks on some of the nation’s largest healthcare providers including Prospect Medical Holdings, HCA Healthcare, Managed Care of North America Dental, and many others. These attacks caused chaos as many were forced to take their IT services offline. Others could not recover and eventually closed their doors due to the attack. Some estimates show that ransomware attacks have even increased in-hospital patient mortality by 35%


Lessons Learned From 2023 Ransomware Attacks


Data Exfiltration: The Common Denominator

Data remains at the center of every ransomware attack. Successfully exfiltrating data gives attackers the leverage to not just demand high ransom payments but also launch the victim and all of its associates (customers, partners, students, parents, patients) into chaos. The biggest lesson from the year’s most impactful attacks is that the overwhelming goal of most ransomware attacks is stolen data.  

Today’s organizations must find better ways to secure data against exfiltration in order to remove this powerful weapon from the ransomware arsenal.  Stopping data theft requires more than simply securing the perimeter against intrusion. To truly remove the threat of data exfiltration, organizations will need to prepare for how to protect data once existing defenses have failed. Reworking how unstructured data is stored is one of the best emerging solutions to address this problem.

The AI-Generation of Ransomware is Here

As the rate of successful attack climbs, one thing is certain: attacks powered by generative-AI are here. Artificial intelligence provides hackers with creative new attack vectors. From improved phishing success rates to automated code creation, AI has helped increase the scale and frequency of successful attacks while more sophisticated attack vectors like data mining, deep fakes, keystroke monitoring and others provide tools for targeted attacks. Securing against ransomware looks different than it did a few years ago, and the approach to security needs to evolve along with them with better security at the data level. As AI-powered attacks evolve, human verification is becoming increasingly critical.  Learn how CAPTCHA defends against threat intrusion. 


Ransomware Solutions for 2024 and Beyond

Cyber-Vaulting: Stopping ransomware starts with better solutions to securing backups against unauthorized access and theft. Cyber-vaulting is a growing trend for isolating data in a secure, tamper-proof environment.  Building off the concepts of RAID and air-gapping, modern cyber-vault solutions leverage the scale and accessibility provided by the cloud but with more advanced zero-trust architectures.  

Self-Healing: Eliminating downtime during and after a breach is the ultimate goal for ransomware recovery. Emerging security technologies are seeking new ways to automatically self-heal infected data to aid in recovery efforts and stay operational.

Improved Detection and Attack Blocking: 2023’s largest attacks showed that there is still room for improvement when it comes to attack detection. Detection times need to increase as well as the ability to automatically quarantine threats. Thankfully the same generative AI tools that help create new malware strains can also help detect and block against them. Security systems that protect data in the face of ransomware are critical to stopping tomorrow’s threats.


Absorb a Ransomware Attack with a Data Harbor

The Data Harbor is a powerful software-defined solution that solves for data theft and automatically self-heals from an attack in real time. The Data Harbor eliminates the single-point-of-failure common to all data exfiltration attacks with a multi-cloud architecture that ensures data remains inaccessible to hackers even if stolen. Built from the belief that a ransomware attack is a matter of when, not if, the Data Harbor was purpose-built to withstand the attacks of today and the ones we’re facing tomorrow.



Learn more about how a Data Harbor absorbs a ransomware attack with self-healing data.  


Other resources: 1Dark Reading | 2Varonis


See Calamu in Action.