A year ago, there seemed to be a glimmer of hope in the cybersecurity industry’s long-running war of attrition against ransomware gangs. Fewer corporate victims of those hackers, it seemed, had paid ransoms in 2022, and cybercriminals were earning less from their ruthless attacks. Perhaps the cocktail of improved security measures, increased focus from law enforcement, international sanctions on the ransomware operators, and scrutiny of the cryptocurrency industry could actually beat the ransomware scourge.
Well, no. That respite appears to have been a mere hiccup on ransomware’s trajectory to become one of the world’s most profitable, and perhaps the most disruptive, form of cybercrime. In fact, 2023 was its worst year ever.
On Wednesday, cryptocurrency-tracing firm Chainalysis published new numbers from its annual crime report showing that ransomware payments exceeded $1.1 billion in 2023, based on its tracking of those payments across blockchains. That’s the highest number Chainalysis has measured for a single year, and nearly twice as much as the year before. Indeed, the company now describes 2022’s relatively low $567 million in ransom payments as an “anomaly,” as total extortion transactions have steadily grown since 2020 towards their current 10-figure record.
“It’s like we’ve picked up right where we left off, the real onslaught during Covid in 2020 and 2021,” says Jackie Burns Koven, head of threat intelligence at Chainalysis. “It feels very gloves-off.”
That record-breaking $1 billion-plus in extortion payments was a result, in part, of the sheer number of ransomware attacks in 2023. Cybersecurity firm Record Future counted 4,399 ransomware attacks last year, based on news reports and ransomware gangs’ public listings of victims on their dark-web sites, a tactic the groups often use to pressure victims while threatening to release their stolen data. That’s compared to just 2,581 total attacks in 2022 and 2,866 in 2021.
The spike in the number of attacks appears to have offset a more positive trend: By some counts, fewer victims of ransomware are paying the ransoms that hackers demand. According to data from the incident response firm Coveware, which frequently negotiates with ransomware gangs on behalf of victims, only 29 percent of ransomware victims paid a ransom in the fourth quarter of 2023, a dramatic drop from payment rates between 70 percent and 80 percent for most of 2019 and 2020.
Even as fewer victims are paying, however, the total sum collected by ransomware gangs is nonetheless growing as more cybercriminals are drawn to a lucrative industry and carry out more attacks. Allan Liska, a threat intelligence analyst at Recorded Future, argues that the highly public nature of ransomware serves as a kind of advertising, constantly pulling in more opportunistic hackers, like sharks who smell blood in the water. “Everybody sees all these ransomware attacks,” Liska says. “Criminals tend to flock to where they see the money being made.”
Chainalysis notes that the record $1.1 billion in ransoms paid in 2023 was also driven by ransomware hackers demanding larger sums from victims, many of whom were carefully chosen for both their inability to tolerate a crippling attack and their ability to pay—what Chainalysis’ Burns Koven calls “big game hunting.” That resulted in close to 75 percent of ransomware payments’ total value coming from transactions topping the $1 million mark in 2023, compared to just 60 percent in 2021.
Given ransomware’s cutthroat evolution, 2022’s dip in total payments now seems to represent a rare aberration. Chainalysis and other security firms explain that off year by pointing to the war in Ukraine—which disrupted Ukrainian ransomware operators, distracted Russian ones pulled into political hacking, and caused strife within ransomware groups with mixed loyalties—as well as international sanctions that dissuaded victims from paying ransoms and major law enforcement crackdowns.
In one case, for instance, the prolific ransomware group known as Conti disbanded after one of its leaders posted a statement in support of Russia’s war in Ukraine and another dissented by leaking a vast trove of the group’s internal communications. Many of Conti’s members then reformed under the brand of the Hive ransomware operation—which turned out to have been infiltrated for months by the FBI and other agencies who were quietly stealing the group’s decryption keys to foil hundreds of their extortion attempts. Chainalysis estimates that that sting alone likely prevented more than $200 million in ransomware payments. “The dissolution of Conti was almost a perfect storm,” says Burns Koven.
Last year, by contrast, saw a perform storm of a very different kind: The Cl0p ransomware group exploited a vulnerability in the MOVEit file transfer application to compromise thousands of victims, combing through them for the most high-value targets. Several were medical companies and government agencies holding millions of sensitive records. In total, at least 62 million people were affected, and Cl0p reaped more than $100 million from that mass exploitation, accounting for 45 percent of all ransom payments in June of 2023 and 39 percent in July by Chainalysis’ count.
The continued growth of the ransomware business—whose disruption for victims, it should be noted, costs well beyond the $1.1 billion that some of them paid in 2023—may seem like a sign of failure for the continued crackdown on cryptocurrency crime: Since the beginning of the decade, regulators and law enforcement have been going after not just ransomware groups, but the rogue exchanges and “mixers” that often serve as money laundering tools that allow cybercriminals to cash out their crypto profits.
Burns Koven argues, however, that even 2023’s record-breaking ransom total doesn’t mean the crypto crackdown isn’t working. In fact, she says, it’s driven ransomware groups to constantly seek new laundering methods and, in some cases, forced them to hold on to ransom payments for years before they attempt to cash out that dirty crypto, for fear that it will be frozen or seized. She adds that faster reporting to law enforcement from victims who pay ransoms—faster even than Chainalysis or other crypto-tracing firms can spot those payments on blockchains—could further aid in chasing down those funds and preventing them from being liquidated.
“The best way to bring these numbers down is to impact that laundering and cashing-out process,” says Burns Koven. Beyond even flashy law enforcement operations like the Hive takeover, she says that “there’s also operational friction and paralysis that contributes to stagnating some of their operations and ability to profit.”
For now, though, ransomware is looking anything but stagnant. And if tightening the screws on money launderers—or the victims paying ransoms, or the hackers themselves—has any chance of solving the problem, those screws aren’t tight enough yet.