The crypto ransomware landscape saw an increase in scope, attack frequency, and volume in 2023. The attacks inflicted damages of $1.1 billion in cryptocurrencies, according to Chainalysis’ 2024 Crypto Crime Report.
According to the report, one of the winning strategies is now “big game hunting,” where cybercriminals aim to collect larger payments when successful. More than 75% of crypto ransomware revenue was made up of amounts exceeding $1 million.
Chainalysis researchers found a plethora of new players and offshoots of ransomware strains in 2023. The growing ease of access to Ransomware as a Service (RaaS) has widened the ecosystem. External entities can access malware to carry out attacks in return for a share of the profits.
Crypto ransomware attacks are becoming easier
According to Chainalysis, the proliferation of so-called initial access brokers (IABs) has made crypto ransomware attacks easier for bad actors. These brokers penetrate victims’ networks and then sell that access to ransomware perpetrators for very low sums. In combination with off-the-shelf RaaS, it’s now far easier to carry out a crypto ransomware attack and requires far fewer technical skills.
Monitoring IAB wallets could give early warning signs and enable timely intervention. Chainalysis further reports a substantial decline in funds received by illicit cryptocurrency addresses last year. This amount was down to $24.2 billion. These figures are not fixed, though, as not all illegal addresses have been identified, and the amount is probably much higher. In comparison, Chainalysis first estimated illicit transactions amounted to $20.6 billion in 2022, but they ended up being $39.6 billion. A lot of that growth came from highly active addresses that sanctioned platforms hosted.
This amount excludes revenue from non-crypto native crime, such as traditional drug trafficking, where crypto is used to pay for illegal goods.
Stablecoins replace Bitcoin as top choice among cybercriminals
Bitcoin was the most popular crypto for illegal activity until 2021, probably because of its high liquidity. Currently, most illegal transactions are conducted in stablecoins, including crypto ransomware transactions. This change comes in parallel to stablecoin growth in the share of all crypto activity overall, including legal transactions.
Crypto ransomware extortion, darknet market sales, and other forms of illicit cryptocurrency activity still take place mainly in Bitcoin. Scams and transactions linked to sanctioned platforms have shifted to stablecoins. Those are the primary forms of crypto-related crime by transaction volume as well. Sanctioned platforms have a bigger incentive to use stablecoins because it’s harder for them to access the US dollar through conventional channels, and stablecoins allow them to benefit from the fiat currency’s stability. The only positive aspect here is that stablecoin issuers can freeze assets when they intercept illegal activity, as Tether did with addresses linked to human trafficking and terrorism.
Crypto ransomware and darknet markets are two primary forms of crypto crime, with increasing proceeds in 2023 and so far in 2024. This tendency suggests that crypto ransomware attackers found ways to overcome cybersecurity improvements.
The increase in darknet market revenue comes after a revenue decline in 2022. According to Chainalysis, the shutdown of Hydra largely drove that decline. At one time, Hydra captured over 90% of all darknet market revenue. The darknet sector is recovering, with total proceeds returning to 2021 peaks.
Other crypto ransomware trends
The main infection vector for crypto ransomware involves exploiting weaknesses in public-facing applications. It was botnets in the past. Ransomware attackers are doing away with malware and turning to legitimate software, either OS features or dual-use tools. The most commonly used software is Windows operating system components. The three most popular tools among crypto ransomware attackers are PsExec, PowerShell, and WMI.
Attackers commonly use remote desktop software such as Atera, AnyDesk, ConnectWise, and Splashtop.
Major decline in scams and stolen funds
There was a significant decline in crypto hacking and scamming revenue, with total illegal proceeds for each down 54% and 29%, respectively. Romance scams remain popular, where scammers build relationships with lonely people to cheat them out of their savings. The scam is harder to uncover because the “investment opportunities” are not publicized. Reports of crypto investment scams are increasing in the US, but data suggests scam proceeds globally have been declining since 2021. This is due to the prolonged bear market and fewer opportunities to get rich quickly.
Sharp drop-off in DeFi hacks
Crypto hacking is difficult to conceal, which is why there has been a significant decline. This decline is mainly driven by a sharp drop in DeFi hacks. This might mean that DeFi protocols’ security practices are improving. It may be premature to celebrate as a single large hack could change the trend again.
Increasing sanctions risks for global crypto platforms
OFAC sanctioned Russia-based exchange Garantex in the UK for laundering money on behalf of crypto ransomware attackers and other cybercriminals. The platform was among the biggest drivers of transaction volume linked with sanctioned entities last year. As Russia does not sanction Garantex, it continues to operate. Exposure to Garantex presents risks for crypto platforms subject to UK or US laws, which means those platforms must exercise extreme caution and screen for exposure to platforms like it in order to remain compliant.
Future tendencies in crypto ransomware
Cryptocurrencies are and will always be a key component of the ransomware business model. According to experts, the SEC’s approval of crypto ETFs has pushed them back into the spotlight, and attackers are readier to pounce than ever. There will be ransomware as long as there is crypto, to put it in the simplest terms.
Another trend that will continue is vulnerability exploitation. More and more attackers are seeing the value in exploiting recently patched vulnerabilities. They start checking for unpatched systems as soon as someone releases a software patch.
The tendency to rely on data theft to perpetrate extortion will also continue. It takes a lot of effort to encrypt data. Many entities have been able to carry out encryption-free attacks.
We can be sure crypto ransomware will remain a persistent threat to all entities regardless of their size. It would be wise to apply a defense-in-depth strategy using numerous protection, detection, and hardening technologies. They would minimize risk at each vector of a potential attack. Moreover, organizations should work on deepening their expertise of the currently used infection vectors commonly deployed in crypto ransomware attacks. This data will help identify potential vulnerabilities and augment a defensive posture.