In the early 2020s, ransomware raced upward quarter after quarter, with seemingly no end in sight. But its rush to ascendence was so rapid that it caught the attention of law enforcement, governments and cybersecurity staff, who began working overtime to raise awareness and prevent attacks, and to more quickly catch attackers and bring them to justice when they did occur.

When high-profile cybercriminal arrests occur, it’s often said that one bust is unlikely to move the needle when it comes to cybercrime. But what about dozens? We’re halfway into 2023, and it looks like out of these busts, general network hardening and a growing emphasis on resiliency, something seems to be having an effect.

According to exclusive threat data published in the 2023 SonicWall Cyber Threat Report Mid-Year Update, ransomware fell a staggering 41% in the six months between New Year’s Day and the 30^th of June, with every region seeing a decline. Combined with 2022 data, which shows volume falling in every quarter save Q4, lower ransomware volumes have gone from being an anomaly or part of the background ebb-and-flow to bona fide trend. But why?

We’re All Just Looking for Security. (Even Cybercriminals.)

It’s already becoming harder to believe, but there was a time when cybercriminals aspired to be household names. Ransomware groups attempted to trade on their reputation to more reliably collect huge sums of money, but in the age of greater scrutiny, notoriety has become a liability.

To be clear, ransomware isn’t going away—threat trends are cyclical, and despite being despicable, crime still pays. But based on our data, cybercriminals in 2023 seem to be favoring a much greater degree of subtlety, slinking back into the shadows to conduct their craft in secret. When the question changes from “How can we make the most money possible” to “How can we best make money without getting caught,” the answer changes, too—and so far this year, that answer has been encrypted threats, IoT malware and cryptojacking.

Attacks over HTTPs rose 22% in the first half of 2023, enough to give SonicWall the highest year to date volume of any year since SonicWall began tracking this threat type. And IoT malware jumped to 77.9 million, up 37% over this time in 2022 and higher than any other six-month period on record. But it was cryptojacking that saw the most growth.

Cryptojacking’s Climb Accelerates

Until 2022, cryptojacking hits had never surpassed the 100 million mark during any year. But the full-year total for 2022 reached 139.3 million, a record high.

In 2023, cryptojacking had surpassed even that high water mark by early April … and then continued to grow. In all, cryptojacking volume in the first half of 2023 reached 332.3 million, an increase of 399% year-to-date.

Four months out of six set new monthly volume records, and the amount of cryptojacking seen in May 2023—77.6 million hits—eclipsed the full year totals recorded in 2018 and 2019, and easily surpassed total mid-year volume for 2020, 2021 and 2022.

Who’s Being Targeted?

In short, everyone: Every region saw an increase in cryptojacking compared with the first half of 2022. With the exception of Asia, which saw just 1% more cryptojacking year-to-date, these spikes were substantial. Latin America recorded 32% more cryptojacking than in the first half of 2022, but even this was small compared with the 345% increase observed in North America. Worse, Europe saw a staggering 788% spike.

A country-by-country look also shows massive increases. The U.S. saw 340% more cryptojacking hits than in the first six months of 2022. And in Europe, Germany and the U.K. recorded increases of 139% and 479% respectively. India provided a rare counterexample—cryptojacking hits there actually fell 73% year to date.

Cryptojacking by Industry

Unfortunately, a look at cryptojacking by industry shows no such bright spots. In all the industries we studied in depth, cryptojacking was up—and not just a little bit.

To be clear, cryptojacking numbers were quite small leading up to 2023—and any time you’re dealing with fairly small numbers growing very quickly, percentage increases become a less useful way to look at this change than factor increases.

In the first six months of 2023, the number of cryptojacking hits on retail customers more than doubled, with the average percentage of customers targeted each month rising from .06% to .3%.

Finance customers saw 4.7 times the number of cryptojacking hits, with percentage targeted on a monthly basis increasing from .05% to .36%.

Those working in healthcare recorded 69 times the number of hits than in the first half of 2022, with the percentage of customers targeted spiking from .06% to .32%.

Our government customers were targeted by 89 times the amount of cryptojacking compared with this time last year—with average percentage of customers seeing an attack each month jumping from .17% to .37%.

But education customers recorded the biggest increase: Cryptojacking on education customers skyrocketed to a staggering 320 times the number of attacks recorded in the first half of 2022, with the percentage of customers being targeted monthly averaging .19% last year and .55% this year.

Where Will Cryptojacking Go from Here?

While any prediction is an imprecise science, based on historical data alone, we can expect cryptojacking to continue to rise as 2023 wears on. But even if it doesn’t, cryptojacking volumes for 2023 still stand an excellent chance of surpassing the combined volumes of every year before it, all the way back to 2018 when SonicWall began tracking this threat type.

Regardless of what happens, SonicWall will continue to closely monitor cryptojacking levels—and with the threat of cryptojacking on the rise, expect expanded coverage of this attack type when our next Cyber Threat Report is released at the beginning of 2024.

Until then, you can learn more about cryptojacking, ransomware and other threats—along with which locations and industries are being targeted—in the Mid-Year Update to the 2023 SonicWall Cyber Threat Report.