2023 was a big year for ransomware groups, even as law enforcement around the world continued to crack down on attackers.

Palo Alto Networks’ Unit 42, the threat intelligence firm, found a 49 percent bump in victims reported by ransomware leak sites, totaling nearly 4,000 posts to those sites from different ransomware groups. Unit 42 said the uptick was due to the massive impact of attacks that exploited zero-day vulnerabilities, which are security flaws that developers have yet to identify. They pointed to the MOVEit Transfer software hack that the US government has connected to the CL0P Ransomware Gang, as one example. The Cybersecurity and Infrastructure Security Agency estimated that hack compromised more than 3,000 US-based organizations and 8,000 globally.

Nearly half of ransomware victims identified by Unit 42 were in the US, with the most impacted industries being manufacturing, professional and legal services, and high tech.

Unit 42 identified 25 new leak sites last year that offered ransomware as a service. But it said at least five seem to have shut down, since they had no new posts in the second half of the year. The roughly two dozen new sites accounted for 25 percent of total ransomware posts in 2023, Unit 42 said.

Still, the prominence of some ransomware groups also attracted law enforcement attention that was successful in several cases, Unit 42 said. The group praised law enforcement’s role in disrupting groups like Hive and Ragnar Locker in 2023. Hive extorted $100 million in ransom payments, according to the US Justice Department, and caused major disruptions including to a hospital that had to go analog in the wake of its attack and couldn’t accept new patients. Ragnar Locker attacked critical infrastructure including a Portuguese national carrier and an Israeli hospital, according to European law enforcement.

The report tracks with findings from Chainalysis, a blockchain data company that recently put out its own report on crypto crime trends. While the firm found a drop in the total value of illegal crypto activity overall in 2023 based on preliminary findings, ransomware revenue increased. Chainalysis suggested “ransomware attackers have adjusted to organizations’ cybersecurity improvements.”