NEWS: Ransomware Victims Pay Out a Record-Breaking $1.1 Billion in 2023

February 21, 2024

The Escalation of Ransomware Attacks in 2023


Throughout 2023, malicious actors specializing in ransomware significantly amplified their assault on prominent entities and essential infrastructure. These included healthcare facilities, educational institutions, and government bodies. Noteworthy supply chain attacks, exploiting widely used file transfer software such as MOVEit, affected a broad spectrum of organizations – from broadcasting giant BBC to the renowned British Airways. The culminating effect of these and other similar intrusions led ransomware syndicates to an unprecedented feat – amassing over $1 billion in extorted digital currency payments from their victims. The developments of the past year underscore the progressive nature of this cyber menace and its mounting impact on international institutions and overall security.


A Turning Point for Ransomware


The year 2023 marked a significant resurgence for ransomware, characterized by a record-breaking surge in payments and a substantial escalation in the scale and sophistication of attacks. This was a marked contrast to the downturn observed in 2022, a trend we had cautioned about in our Mid-Year Crime Update. Ransomware payments in 2023 exceeded the $1 billion threshold, the highest figure ever recorded. Despite a reduction in the volume of ransomware payments in 2022, the overall trajectory from 2019 to 2023 suggests an escalating issue with ransomware. It’s important to remember that this figure doesn’t account for the economic repercussions of lost productivity and recovery expenses linked to these attacks. Cases like the audacious targeting of MGM resorts by ALPHV-BlackCat and Scattered Spider exemplify this, with MGM estimating damages costing the company upwards of $100 million, despite not paying the demanded ransom.


The Continually Expanding Ransomware Landscape


The ransomware landscape is not just prolific but continuously expanding, posing a challenge to keep track of every incident or trace all ransom payments made in digital currencies. Our figures represent conservative estimates, with the potential to rise as new ransomware addresses are uncovered over time. For example, our initial reporting for 2022 in last year’s crime report indicated $457 million in ransoms, a figure that has since been adjusted upward by 24.1%.


2022 – A Deviation, Not a Pattern


A combination of factors likely led to the reduction in ransomware activities in 2022, including geopolitical events such as the Russian-Ukrainian conflict. This conflict not only disrupted the operations of some cyber actors but also shifted their focus from financial gain to politically motivated cyberattacks intended for espionage and destruction. As we highlighted in our 2023 Crypto Crime Report, other contributing factors to this downturn included hesitance among some Western entities to pay ransoms to specific strains due to potential sanctions risks. The ransomware strain Conti, in particular, faced complications due to its reported ties to sanctioned Russian intelligence agencies, the exposure of the organization’s internal communications, and overall internal turmoil. This led to a decrease in their activities and contributed to the overall reduction in ransomware incidents in 2022. However, researchers have observed that many ransomware actors associated with Conti have continued to migrate or launch new strains, making victims more inclined to pay.


Law Enforcement’s Response to Ransomware: The Hive Intervention


A significant factor in the reduction of ransomware in 2022 was the successful penetration of the Hive ransomware strain by the Federal Bureau of Investigation (FBI), as announced by the Department of Justice early in 2023. Our analysis emphasizes the considerable impact of this single enforcement action. During the Hive infiltration, the FBI managed to supply decryption keys to over 1,300 victims, effectively eliminating the need for ransom payments. The FBI estimates that this intervention prevented approximately $130 million in ransom payments to Hive. But the influence of this intervention extends beyond that. The total tracked ransomware payments for 2022 currently stand at just $567 million, indicating that the ransom payments averted by the Hive infiltration significantly reshaped the ransomware landscape last year.


The Full Impact of the FBI’s Hive Operation: A Comprehensive Analysis


The $130 million that the FBI saved by infiltrating Hive doesn’t provide a complete picture of the operation’s success. This figure only considers the ransoms that were avoided by supplying the decryptor keys and doesn’t take into account the ripple effects. The Hive operation likely had a wider impact on Hive affiliates’ operations, potentially reducing the number of additional attacks they could launch.


During the six months the FBI was within Hive, the total ransomware payments across all strains amounted to $290.35 million. However, our statistical models predict a total of $500.7 million for that period, based on the behavior of attackers in the months before and after the operation. This is a cautious estimate. Given this figure, we estimate that the Hive operation may have prevented at least $210.4 million in ransomware payments.


David Walker, the Special Agent in Charge of the FBI’s Tampa Division, provided further insights into the significance of the operation. He stated, “The Hive investigation exemplifies the gold standard for implementing the key services model. The FBI continues to witness the significant positive impact of actions like the Hive takedown on cyber threat actors through its investigations and victim engagements. We will persist in implementing proactive disruptive measures against adversaries.”


The Resurgence of Ransomware: A Look at the 2023 Threat Landscape


In 2023, there was a significant increase in the frequency, scale, and volume of ransomware attacks. These attacks were conducted by a diverse range of actors, from large syndicates to smaller groups and individuals, and their numbers are on the rise, according to experts. Allan Liska, a Threat Intelligence Analyst at cybersecurity firm Recorded Future, stated, “We are witnessing a significant increase in the number of threat actors carrying out ransomware attacks.” In 2023, Recorded Future reported 538 new ransomware variants, indicating the emergence of new, independent groups.


The graph below shows the most active ransomware strains by quarter from the start of 2022 through 2023. There are also significant variations in the victimization strategies of the top ransomware strains, as shown in the chart below, which plots each strain’s median ransom size against its attack frequency. The chart also shows a number of new entrants and offshoots in 2023, who are known to reuse existing strains’ code. This suggests a rising number of new actors, drawn by the potential for high profits and lower entry barriers.


The Changing Tactics of Ransomware Strains


Some strains, such as Cl0p, embody the “big game hunting” strategy, conducting fewer attacks than many other strains, but collecting large payments with each attack. Cl0p exploited zero-day vulnerabilities that allowed it to extort many large, deep-pocketed victims simultaneously, prompting the strain’s operators to adopt a strategy of data exfiltration instead of encryption.


Over the past few years, big game hunting has emerged as the dominant strategy, with an increasing share of all ransomware payment volume consisting of payments of $1 million or more.


Other strains, like Phobos, have adopted the Ransomware as a Service (RaaS) model, where outsiders, known as affiliates, can access the malware to conduct attacks, and in return, pay the strain’s core operators a portion of the ransom proceeds. Phobos simplifies the process for less technically advanced hackers to launch ransomware attacks, using the typical encryption process that is the hallmark of ransomware. Despite targeting smaller entities and demanding lower ransoms, the RaaS model increases the strain’s capacity to conduct a large number of these smaller attacks.


ALPHV-BlackCat is another RaaS strain like Phobos, but it is more selective about the affiliates it allows to use its malware, actively seeking and interviewing potential candidates for their hacking abilities.


The Evolution of Ransomware Attacks: A Closer Look at the Tactics and Tools


The landscape of ransomware attacks is ever-evolving, with groups constantly adapting their strategies to target larger entities for more substantial ransoms. One common tactic is the rebranding of ransomware strains or the simultaneous use of several strains by affiliates. This strategy allows attackers to disassociate themselves from strains that have been publicly sanctioned or have attracted too much attention. Furthermore, it enables them to strike the same victims under different strain names, thus increasing their chances of success.


The Rise of Ransomware-as-a-Service (RaaS) and Initial Access Brokers (IABs)


The proliferation of Ransomware-as-a-Service (RaaS) and hacking tools has simplified the process of launching a successful ransomware attack. This development has been further facilitated by the emergence of Initial Access Brokers (IABs), who infiltrate potential victims’ networks and sell the access to ransomware attackers for a nominal fee.


Our research has identified a correlation between the flow of funds into IAB wallets and a surge in ransomware payments. This suggests that monitoring IAB activities could offer early warning signs and open up opportunities for intervention and mitigation of attacks. The combination of IABs and RaaS has significantly reduced the technical skills required to execute a successful ransomware attack. Andrew Davis, General Counsel at Kivu Consulting, a cybersecurity incident response firm, sheds more light on this phenomenon.


“The surge in attack volume can be attributed to the ease of access provided by the affiliate model and the adoption of ransomware-as-a-service, an alarmingly effective business model for cybercriminals,” Davis explains.


Tracking Ransomware Funds: The Journey and Destination


Understanding how ransomware funds move is crucial in identifying the methods and services used by threat actors. This knowledge enables law enforcement agencies to target and disrupt the financial networks and infrastructure of these actors.


It’s worth noting that threat actors may take a considerable amount of time to launder their ransomware proceeds. The laundering observed in 2023, for instance, includes proceeds from attacks that took place in the past.


Historically, centralized exchanges and mixers have been the go-to methods for laundering ransomware payments. However, 2023 witnessed the adoption of new laundering services such as bridges, instant exchangers, and gambling services. This shift is likely due to the disruption of preferred laundering methods, the implementation of stricter Anti-Money Laundering (AML) and Know Your Customer (KYC) policies by some services, and the unique laundering preferences of new ransomware actors.


Concentration of Laundering Services and Lessons from 2023


There is a significant concentration of specific services within each category that ransomware actors use for laundering. Exchanges exhibit the lowest level of concentration, while gambling services, cross-chain bridges, and sanctioned entities show the highest levels. Mixers, no-KYC exchanges, and underground exchanges fall in between, with about half of all funds from ransomware wallets going to one service.


The concentration of mixers may have increased due to the takedown of Chipmixer, a popular choice for ransomware attackers. This concentration might expose ransomware actors to bottlenecks, making them vulnerable as law enforcement could disrupt operations by targeting a relatively small number of services.


The ransomware landscape underwent significant changes in 2023, characterized by shifts in tactics and affiliations among threat actors, as well as the continued spread of RaaS strains.


Enhanced Speed and Efficacy in Cyber Attacks


The year 2023 witnessed a significant shift in the strategies employed by cybercriminals. The speed of attack execution was notably improved, indicating a more aggressive and efficient modus operandi. The constant shuffling of affiliates underlines the fluid dynamics of the ransomware underworld, as well as the relentless pursuit of more profitable extortion strategies.


Adapting to Changing Landscapes


Despite the ever-evolving tactics of threat actors, they consistently demonstrate their ability to adapt to changes in regulations and law enforcement actions. However, 2023 was not without its triumphs in the battle against ransomware. These victories were largely due to the collaborative efforts of international law enforcement, impacted organizations, cybersecurity companies, and blockchain intelligence.


Law Enforcement’s Proactive Stance


Lizzie Cookson from Coveware highlighted the importance of these collaborative efforts, citing the successful takedown of Hive and the disruption of BlackCat as prime examples. She noted, “These operations underscore the FBI’s commitment to assisting victims, providing aid, and imposing penalties on malicious actors.” Andrew Davis of Kivu Consulting echoed these sentiments, observing an increase in proactive involvement from law enforcement. This indicates a more resolute and determined approach to providing support to victims and tracking down cybercriminals.