A year ago, there seemed to be a glimmer of hope in the cybersecurity industry’s long-running war of attrition against ransomware gangs. Fewer corporate victims of those hackers, it seemed, had paid ransoms in 2022, and cybercriminals were earning less from their ruthless attacks. Perhaps the cocktail of improved security measures, increased focus from law enforcement, international sanctions on the ransomware operators, and scrutiny of the cryptocurrency industry could actually beat the ransomware scourge.
Well, no. That respite appears to have been a mere hiccup on ransomware’s trajectory to become one of the world’s most profitable, and perhaps the most disruptive, form of cybercrime. In fact, 2023 was its worst year ever.
On Wednesday, cryptocurrency-tracing firm Chainalysis published new numbers from its annual crime report showing that ransomware payments exceeded $1.1 billion in 2023, based on its tracking of those payments across blockchains. That’s the highest number Chainalysis has measured for a single year, and nearly twice as much as the year before. Indeed, the company now describes 2022’s relatively low $567 million in ransom payments as an “anomaly,” as total extortion transactions have steadily grown since 2020 towards their current 10-figure record.
“It’s like we’ve picked up right where we left off, the real onslaught during Covid in 2020 and 2021,” says Jackie Burns Koven, head of threat intelligence at Chainalysis. “It feels very gloves-off.”
That record-breaking $1 billion-plus in extortion payments was a result, in part, of the sheer number of ransomware attacks in 2023. Cybersecurity firm Recorded Future counted 4,399 ransomware attacks last year, based on news reports and ransomware gangs’ public listings of victims on their dark-web sites, a tactic the groups often use to pressure victims while threatening to release their stolen data. That’s compared to just 2,581 total attacks in 2022 and 2,866 in 2021.
The spike in the number of attacks appears to have offset a more positive trend: By some counts, fewer victims of ransomware are paying the ransoms that hackers demand. According to data from the incident response firm Coveware, which frequently negotiates with ransomware gangs on behalf of victims, only 29 percent of ransomware victims paid a ransom in the fourth quarter of 2023, a dramatic drop from payment rates between 70 percent and 80 percent for most of 2019 and 2020.
Even as fewer victims are paying, however, the total sum collected by ransomware gangs is nonetheless growing as more cybercriminals are drawn to a lucrative industry and carry out more attacks. Allan Liska, a threat intelligence analyst at Recorded Future, argues that the highly public nature of ransomware serves as a kind of advertising, constantly pulling in more opportunistic hackers, like sharks who smell blood in the water. “Everybody sees all these ransomware attacks,” Liska says. “Criminals tend to flock to where they see the money being made.”
[Chart: Total annual ransomware payments over time.]
Chainalysis notes that the record $1.1 billion in ransoms paid in 2023 was also driven by ransomware hackers demanding larger sums from victims, many of whom were carefully chosen for both their inability to tolerate a crippling attack and their ability to pay—what Chainalysis’ Burns Koven calls “big game hunting.” That resulted in close to 75 percent of ransomware payments’ total value coming from transactions topping the $1 million mark in 2023, compared to just 60 percent in 2021.
Given ransomware’s cutthroat evolution, 2022’s dip in total payments now seems to represent a rare aberration. Chainalysis and other security firms explain that off year by pointing to the war in Ukraine—which disrupted Ukrainian ransomware operators, distracted Russian ones pulled into political hacking, and caused strife within ransomware groups with mixed loyalties—as well as international sanctions that dissuaded victims from paying ransoms and major law enforcement crackdowns.
In one case, for instance, the prolific ransomware group known as Conti disbanded after one of its leaders posted a statement in support of Russia’s war in Ukraine and another dissented by leaking a vast trove of the group’s internal communications. Many of Conti’s members then re-formed under the brand of the Hive ransomware operation—which turned out to have been infiltrated for months by the FBI and other agencies that were quietly stealing the group’s decryption keys to foil hundreds of its extortion attempts. Chainalysis estimates that that sting alone likely prevented more than $200 million in ransomware payments. “The dissolution of Conti was almost a perfect storm,” says Burns Koven.
Last year, by contrast, was characterized by a different type of chaos: The Cl0p ransomware group exploited a vulnerability in the MOVEit file transfer application to compromise thousands of victims, then meticulously sorted through them to identify the most high-value targets. Among them were several medical establishments and government entities holding millions of sensitive documents. In total, at least 62 million individuals were affected, and Cl0p earned over $100 million from this widespread exploitation. According to Chainalysis’ figures, Cl0p’s earnings accounted for 45 percent of all ransom payments in June of 2023 and 39 percent in July.
The ongoing expansion of the ransomware business—costing victims much more than the $1.1 billion paid in 2023—might seem like proof that efforts to clamp down on cryptocurrency crime have failed. Since the start of the decade, authorities and regulators have targeted not only ransomware groups, but also rogue exchanges and “mixers” that often function as money laundering tools allowing cybercriminals to cash out their crypto earnings.
However, Burns Koven contends that the record-setting ransom total of 2023 does not mean the crypto crackdown is ineffective. In her view, it has compelled ransomware groups to constantly seek new laundering techniques and, in some instances, forced them to hold ransom payments for several years before attempting to convert that illicit crypto, for fear of it being seized or frozen. She suggests that quicker reporting to law enforcement from victims who pay ransoms—quicker than Chainalysis or other crypto-tracing companies can detect those payments on blockchains—could further help in tracking down these funds and preventing them from being converted.
“The optimal way to reduce these numbers is by affecting that laundering and cash-out process,” observes Burns Koven. She argues that beyond eye-catching law enforcement measures like the Hive intervention, “there’s also operational friction and paralysis contributing to slowing down some of their operations and profit-making capacity.”
For now, though, ransomware is looking anything but stagnant. And if tightening the screws on money launderers—or the victims paying ransoms, or the hackers themselves—has any chance of solving the problem, those screws aren’t tight enough yet.