Numerous recent sources have been indicating a resurgence for ransomware in 2023, and perhaps the best evidence yet comes from a new Chainalysis report: for the first time ever, global ransomware payments topped $1 billion in cryptocurrency.
The Chainalysis “Crypto Crime Report” has been conducted annually since 2018, and even the record-setting years of 2020 and 2021 did not reach quite the heights that 2023 did. This is after a substantial drop in ransomware payments to just $567 million in 2022, something that had some analysts pondering if cyber criminals were putting more emphasis on schemes such as business email compromise.
Ransomware payments over $1 billion, BlackCat/AlphV leads the pack
Ransomware payments totalled $1.1 billion in 2023, up from the previous record of $983 million in 2021. Both 2021 and 2020 were banner years for ransomware gangs as the Covid-19 pandemic prompted sudden moves to work-from-home models and cloud services, with 2020 seeing $905 million in ransomware payments after only $220 million was logged in 2019.
Some assumptions that were made based on a relative reduction in activity in 2022 now have to be called into question with this and other recent pieces of evidence documenting 2023’s full scope of activity. While ransomware was clearly not going away, with the 2022 total of ransomware payments still doubling what was seen in 2019, the general thinking was that the market was “normalizing” after the highs of the pandemic. Insurance companies became much tighter with payments, and potential victims had grown increasingly cautious about attacks. It appears that ransomware outfits found a way to regroup, however, with 538 new variants emerging.
Some data has also pointed to ransomware gangs shifting focus to smaller and less lucrative targets, the kind they did not waste time with during their boom years. But the Chainalysis data indicates that the biggest groups, such as Cl0p and BlackCat, are still “big game hunters” first and foremost. These groups are also demanding larger payments than ever from well-funded entities that they manage to compromise.
In terms of the amount of ransomware payments collected by strain, BlackCat/AlphV and BlackBasta were well ahead of the rest of the competition in both frequency and total amount collected. Dark Angels and Cl0p led the field on average payment size. Some major groups did seem to shift to a model of collecting smaller but more frequent payments from smaller businesses, however, most notably LockBit and Medusalocker.
Cl0p also accounted for about 44% of the entire ransomware payments field by itself in June and July of 2023 with its breach of enterprise file transfer software provider MOVEit, from which it ultimately raked in over $100 million in payments. That breach saw over 1,800 organizations that subscribed to the software report follow-on breaches, with at least 62 million records of personal information compromised in total.
Ransomware market sees changes, but remains a leading threat
Chainalysis finds that a confluence of factors is driving the seeming renewed interest in ransomware. As with the spike that happened several years ago, it is in part driven by recent upward trends in Bitcoin pricing. Ransomware-as-a-service (RaaS) groups have also become more sophisticated and expanded their services, particularly their offerings for new and non-technical criminals looking to get a piece of the trend.
Crypto prices do not seem to be driving other types of crimes, however. The report says that financial losses due to other types of scams and breaches were actually down in 2023. The analysis concludes that the dip in ransomware in 2022 may have actually been attributable to the Russian invasion of Ukraine kicking off, which caused hackers based in the country (the vast majority of the major ransomware operators) to scramble to adjust their payment systems and infrastructure due to sanctions rolling in.
Even though ransomware payments are at record levels, there has also been a spike in refusals to pay. That points to better backups and preparation on the part of the average victim, and to the contraction in the cyber insurance market, but also to a significantly increased number of successful attempts. The report does not provide information on remediation costs, but these tend to greatly exceed whatever the ransom demand or payment amount was.
While some of the ransomware groups are finding success in switching to a model of more frequent attacks on smaller and more poorly-defended targets, Chainalysis thinks that the overall ransomware market will be driven by the larger groups continuing to focus on targets that they believe will pay out at least $1 million per incident. The “big game hunters” remain the most profitable groups, and it will take even greater numbers of victims refusing to pay before the market begins to destabilize enough to make cyber criminals look elsewhere.