Ransomware payments reached an all-time high in 2023, passing the $1 billion mark, according to a new report from blockchain analysis firm Chainalysis.
Released last Wednesday, the report details how ransomware actors ramped their operations last year by targeting high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.
Ransomware broke records in payments and grew in both the scope and the complexity of attacks in 2023. Gangs carried out major supply chain attacks exploiting the ubiquitous file transfer software MOVEit, impacting companies ranging from the BBC to British Airways.
Several factors likely contributed to the decrease in ransomware activities in 2022, including geopolitical events like the Russian-Ukrainian conflict. This conflict not only disrupted the operations of some cyber actors but also shifted their focus from financial gain to politically motivated cyber attacks aimed at espionage and destruction.
The report notes other factors that played a role in this downturn, which include a reluctance among some Western entities to pay ransoms to certain strains due to potential sanctions risks.
Ransomware group Conti faced issues related to this, suffering from reported links to sanctioned Russian intelligence agencies, exposure of the organization’s chat logs, and overall internal disarray. This led to a decrease in their activities and contributed to the overall reduction in ransomware incidents in 2022.
Researchers noted that many ransomware actors linked to Conti have continued to migrate or launch new strains, making victims more willing to pay.
FBI actions in 2022 reduce ransomware payments
Another significant factor in the reduction of ransomware in 2022 was the successful infiltration of the Hive ransomware strain by the Federal Bureau of Investigation (FBI). The report highlights the substantial impact of this single enforcement action. During the infiltration, the FBI provided decryption keys to over 1,300 victims, effectively preventing the need for ransom payments.
The FBI estimates that this intervention prevented approximately USD$130 million in ransom payments to Hive. But the impact of this intervention extends further than that. Total tracked ransomware payments for 2022 currently stand at USD$567 million, indicating that the ransom payments prevented by the Hive infiltration significantly altered the ransomware landscape as a whole last year.
Furthermore, the FBI’s USD$130 million reduced payment estimate may not tell the whole story of just how successful the Hive infiltration was.
That figure only looks directly at ransoms averted through the provision of decryptor keys, but does not account for knock-on effects. The Hive infiltration also most likely affected the broader activities of Hive affiliates, potentially lessening the number of additional attacks they could carry out.
During the six months the FBI infiltrated Hive, total ransomware payments across all strains reached USD$290.35 million. But the report’s statistical models estimate an expected total of USD$500.7 million during that time period, based on attacker behaviour in the months before and after the infiltration.
Based on that figure, it is believed that the Hive infiltration may have averted at least USD$210.4 million in ransomware payments.
Ransomware attacks are increasing
Despite the wins in 2022, there were still a number of losses.
In 2023, ransomware attacks escalated significantly in terms of frequency, scope, and volume. Various actors, from large syndicates to smaller groups and individuals, carried out ransomware attacks—and experts say their numbers are increasing. Cybersecurity analyst firm Recorded Future reported 538 new ransomware variants in 2023, pointing to the rise of new, independent groups.
“The Hive investigation is an example of a gold standard for deploying the key services model,” David Walker, the FBI’s Tampa Division Special Agent in Charge, said.
“The FBI continues to see, through its investigations and victim engagements, the significant positive impact actions such as the Hive takedown have against cyber threat actors. We will continue to take proactive disruptive measures against adversaries.”
Some strains, like Cl0p, exemplify the “big game hunting” strategy, carrying out fewer attacks than many other strains, but collecting large payments with each attack.
Big game hunting refers to a strategy where attackers target large, high-value organizations or entities with the capacity to pay significant ransom amounts. Instead of conducting numerous attacks on smaller targets, attackers focus on a smaller number of lucrative victims, typically corporations, government agencies, or other organizations with substantial financial resources.
By infiltrating these high-profile targets, attackers can demand larger ransom payments, often reaching millions of dollars per incident.
Cl0p uses weaknesses and exploits in new software to target rich victims and steal data.
Organizations are simplifying methods
Other organizations, like Phobos, have adopted the Ransomware as a Service (RaaS) model, where outsiders known as affiliates can access the malware to carry out attacks and pay the strain’s core operators a cut of the ransom proceeds in exchange.
Phobos simplifies the process for less technically sophisticated hackers to execute ransomware attacks by leveraging the typical encryption process. Despite targeting smaller entities and demanding lower ransoms, the RaaS model acts as a force multiplier, enabling the strain to carry out a large quantity of these smaller attacks.
ALPHV-BlackCat, like Phobos, operates as a RaaS strain but is more selective in choosing affiliates to use its malware.
The group actively recruits and interviews potential candidates for their hacking capabilities, enabling them to target bigger victims for larger sums. Additionally, ransomware attackers frequently engage in rebranding and overlapping strain usage.
Administrators often rebrand or launch new strains while affiliates frequently switch between strains or work for multiple simultaneously. Rebrands allow ransomware attackers to distance themselves from strains publicly linked to sanctions or under scrutiny.
Further, rebrands and affiliate switching enable attackers to target the same victims multiple times under different strain names. Blockchain analysis facilitates the identification of ransomware rebrands by revealing on-chain links between wallets of seemingly different strains. An example of this can be seen in the Chainalysis Reactor graph below, illustrating links between the Trickbot administrator known as Stern, Royal ransomware, and its newer iteration known as 3am.
The frequency of rebranding, especially among actors behind the biggest and most notorious strains, reminds us that the ransomware ecosystem is smaller than the large number of strains would suggest.