Last year, ransomware payments soared past the $1 billion mark, a significant escalation in this form of cyberattack, according to a report released by Chainalysis, a blockchain analytics vendor. The company described 2023 as a “watershed” year for ransomware.
In contrast, 2022 was viewed as a relatively slow year for ransomware. CrowdStrike data showed a drop in the average ransom payment from $5.7 million in 2021 to $4.1 million in 2022. Additionally, Mandiant reported responding to 15% fewer ransomware incidents in 2022 compared to the previous year. Despite these declines, experts warned that the reality was more complex than the numbers suggested.
One significant trend in 2022 was that some threat actors shifted from ransomware attacks to data extortion-only attacks, in which cybercriminals stole data in the hope of getting paid, without encrypting victim networks. Also, the invasion of Ukraine by Russia diverted attention away from financially motivated cybercrime and towards politically motivated attacks.
However, new research and observations detailed in a blog post published by Chainalysis on Wednesday revealed that 2023 saw a “major comeback” for ransomware. According to the company, ransomware payments amounted to $1.1 billion in 2023, the highest figure ever recorded, compared to $567 million in 2022 and $983 million in 2021.
The blog post cautioned that these figures were conservative estimates and could increase as new ransomware addresses are uncovered over time. Additionally, the vendor considered 2022 to be an “anomaly” due to a variety of factors, including the FBI’s takedown of the Hive ransomware gang.
The expansion of ransomware as a service (RaaS) and several large-scale ransomware attacks characterized the ransomware landscape in 2023. Chainalysis noted that tactics and affiliations among threat actors shifted, RaaS strains continued to spread, and attack execution became more swift and aggressive.
One of the most notorious examples of large-scale extortion activity was the massive campaign initiated by the Clop gang against customers of Progress Software’s managed file transfer product MOVEit Transfer, utilizing a zero-day vulnerability in the product. Since the start of Clop’s campaign, the gang has received more than $100 million in ransom payments, making up a significant portion of all ransomware revenue in June and July.
This report provides a more detailed perspective on previous Chainalysis research. The company introduced the “2024 Crypto Crime Trends” report, showing an overall decline in illicit cryptocurrency activity in 2023 compared to 2022. The report noted a decrease in cryptocurrency scamming and hacking but warned that ransomware activity had risen and reversed the sharp decline observed in 2022.
Jacqueline Burns Koven, head of cyber threat intelligence at Chainalysis, emphasized the importance of disrupting the entire ransomware supply chain, including developers, affiliates, infrastructure service providers, launderers, and cash-out points. She stressed the need to focus on the individuals behind ransomware strains, naming and shaming them, and applying sanctions to disrupt their activities.
The company’s findings underscore the ongoing and evolving threat that ransomware poses, requiring continued vigilance and innovative strategies to combat this form of cybercrime.