Ransomware payments set to hit a new high in 2023 - here's how to stay safe

(Image credit: Pixabay)

Cybercrime related to cryptocurrencies overall has significantly dropped this year, compared to previous years, but the rise in ransomware attacks is showing no signs of abating. 

This is according to a new report from Chainalysis, which claims attackers managed to extort $175.8 million more in 2023, compared to the same time last year, stealing at least $449.1 million through June.

“If this pace continues, ransomware attackers will extort $898.6 million from victims in 2023, trailing only 2021’s $939.9 million,” Chainalysis added. 

This year-on-year growth could signal, the researchers further state, that the downward trend we’ve been experiencing lately, has come to an end. 

One of the reasons for this reversal, Chainalysis argues, is that hackers have, once again, become interested in “big game hunting”. They have started going after large, deep-pocketed organizations, and it seems to have paid off. Another reason could be that the hackers were more successful last year. The number of successful small attacks has also grown, they added.

The most successful threat actor is Clop, an infamous threat actor linked to the Russian government. Its average payment size for 2023 was $1,730,486, while its median payment size was $1,946,335. Clop is best known for having breached multiple managed file transfer solutions, through which they stole sensitive data on hundreds of large organizations. Most of these were later asked for payment in exchange for deleting the data.

Analysis: Why does it matter? 

Some researchers have argued that the ransomware forest fire that’s been raging for the better part of the last decade has slowly started to dwindle. With a few major players arrested, and their infrastructure dismantled, the industry was hopeful that ransomware will lose its appeal among cybercriminals. This was further aided by raised awareness among key targets - critical infrastructure operators, government organizations, healthcare firms, and small and medium-sized organizations. 

Businesses have started deploying air-gapped backups, better access controls, strong firewalls, malware removal and antivirus programs, multi-factor authentication, and more. Furthermore, they started educating their employees on the dangers of phishing and social engineering, which is almost exclusively the initial attack vector in a ransomware campaign. This allowed the victim organizations to refrain from paying the ransom demands, which in turn, resulted in threat actors losing interest. 

Now, Chainalysis’ new report suggests that ransomware operators might be coming back with a vengeance, and that they’re targeting primarily large organizations. 

A ransomware attack usually starts with the attacker initiating contact with an employee, either via email, or through social media channels. After a little back-and-forth, they’ll try and get the victim to download and run a malicious attachment capable of exploiting different software flaws. If successful, they will have established a foothold on the target networks, after which they’d map out the network and identify key endpoints, data, and systems.

Then, at an appropriate moment, they’ll exfiltrate the data and encrypt the systems, demanding payment in cryptocurrencies in exchange for the decryption key. If the organization declines, the stolen data gets published or sold on the dark web. 

In recent times, some groups abandoned encrypting systems, probably because developing, running, and maintaining the ransomware is hard (and expensive) work. Instead, they just go for data theft and threaten to leak it if the payment isn’t met.

What have others said about the report? 

In its writeup, Wired says ransomware groups became “more aggressive and reckless” about publishing sensitive and potentially damaging stolen information.

“In a recent attack against the University of Manchester, hackers directly emailed the UK university’s students telling them that seven terabytes of data had been stolen and threatening to publish "personal information and research" if the university didn’t pay up,” the publication states. Speaking to Jackie Burns Koven, head of cyber threat intelligence at Chainalysis, the publication learned hackers were possibly short on cash last year, which played a major role: 

“We think as a result of their budgetary shortfalls in 2022 we’ve seen these more extreme extortion techniques, ways to kind of twist the knife,” Burns was cited as saying. “In 2022 we were very surprised to find that decline. Then we talked to external partners—incident response firms, insurance companies—and they all said, yeah, we’re paying less, and we’re also seeing fewer attacks.”

Koven also added that the development in the Russia-Ukraine conflict also played a role in the resurgence of ransomware: “I really think the tide of the Russia-Ukraine conflict has impacted these numbers,” Koven said. “Whether that’s actors have settled into safe locations, whether their year of military service has finished, or whether perhaps there’s a mandate to release the hounds.”

SC Media added that the “sudden disappearance of two major investment scams” may explain the revenue fall, to some extent. These were Vidilook and the Chai Tai Tianqing Pharmaceutical Financial Management who, among themselves, stolen “hundreds of millions of dollars."

Go deeper

If you want to learn more on the topic, start by reading our guide on ransomware, as well as what is blockchain and how cryptocurrencies work. Furthermore, make sure to read our in-depth guides on the best malware removal and best endpoint protection software

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.