Ransomware attacks netted payments exceeding $1 billion globally for the first time in 2023, according to data published Wednesday.
Zero-day exploits, including the MOVEit hack, the spread of ransomware-as-a-service (RaaS) and “big game hunting” attacks seeking ransomware payments of $1 million or more helped drive record-breaking numbers, according to blockchain analysts at Chainalysis.
The $1.1 billion in ransomware payments tracked in 2023 represents a rebound from relatively low ransomware revenue in 2022. Total ransomware payments that year dropped to $567 million from $983 million in 2021.
Chainalysis’ report cite geopolitical factors and law enforcement disruption as causes for this “anomaly.” The Russia-Ukraine war shifted focus from financial gain to politically motivated cyberattacks for some threat actors, analysts said, and increased Western organizations’ reluctance to pay ransom due to fear of sanctions.
Additionally, the FBI estimated its infiltration of the Hive ransomware group during the second half of 2022 prevented about $130 million in ransom payments by Hive victims.
$1 million-plus ransomware payments make up growing share of payment volume
Ransomware groups are increasingly collecting ransom payments of $1 million or more, using a strategy known as “big game hunting.” This strategy was exemplified in the MOVEit supply chain attack conducted by Cl0p, the analysts said.
A zero-day vulnerability in the MOVEit file transfer service in mid-2023 was leveraged by Cl0p to target several large companies and other entities that use the service. Overall, more than $100 million in ransom payments were made by MOVEit breach victims, Chainalysis found.
While Cl0p received fewer ransom payments overall compared with other prominent ransomware groups, it saw a median payment size of more than $1 million in 2023, Chainalysis data shows.
Overall, “big game” ransom payments continue to make up a growing share of overall payment volume, having risen from less than 60% of payments in the second half of 2021 to nearly 80% of payments by the end of 2023.
Rise of RaaS lowers bar for conducting ransomware attacks
Malwarebyte’s 2024 ThreatDown State of Malware report found the overall number of known ransomware attacks increased by 68% in 2023, with LockBit being the most active ransomware group, followed by fellow RaaS providers ALPHV/BlackCat, Cl0p and Play.
RaaS providers, along with initial access brokers, are helping drive the rise in ransomware payments by lowering the bar for less sophisticated attackers to target and extort victims, according to Chainalysis.
RaaS has become increasingly prominent over the last few years, with Kapersky researchers finding mentions of RaaS in dark web communities surpassed infostealers for the first time in 2020 and further rising well above botnets, loaders and backdoors in 2021 and 2022. Between 2015 and 2022, ransomware made up approximately 58% of malware-as-a-service (MaaS) families studied.
Initial access brokers (IABs), which hack into organizations and sell access to victim networks to other threat actors, are also an increasing problem. CrowdStrike noted a 147% in IAB advertisements among cybercrime circles in its 2023 Threat Hunting Report.
Chainalysis noted that, in addition to the impact of big game ransomware gangs, smaller attacks enabled by “off-the-shelf” RaaS have also made a dent. For example, the Phobos ransomware strain, which yielded median ransom payments of less than $1,000, topped the list in frequency of ransom payments in 2023.
“Despite targeting smaller entities and demanding lower ransoms, the RaaS model is a force multiplier, enabling the strain to carry out a large quantity of these smaller attacks,” the analysts said.