Ransomware hackers had a good year in 2023, raking in $1.1 billion from victims to set a new annual record, according to blockchain monitoring firm Chainalysis.
That’s a huge reversal from 2022, when ransomware payments only brought in an estimated $567 million—a steep dive from previous years. But it looks like the decline was a one-off. The latest data from Chainalysis shows ransomware groups made a comeback in 2023, thanks to an influx of new hackers and some major attacks netting millions in payments.
Chainalysis arrived at the $1.1 billion estimate by tracking cryptocurrency payments to digital wallets connected to hacking groups. The company adds: “In 2023, the ransomware landscape saw a major escalation in the frequency, scope, and volume of attacks.”
This includes how some ransomware groups are focusing on extracting payments north of $1 million, rather than merely in the six figures. In a tweet, Chainalysis’s head of threat intelligence Jackie Burns Koven noted: “The finding that perhaps most surprised me was that 75% of overall ransomware payment volume in 2023 is from payments of $1M or more.”
Hacking group CL0P also lifted the ransomware payments last year by exploiting a previously unknown vulnerability in MOVEit, a popular file-transfer service used across numerous businesses and governments.
“CL0P’s MOVEit campaign allowed it to become for a time the most prominent strain in the entire ecosystem, amassing over $100 million in ransom payments and accounting for 44.8% of all ransomware value received in June, and 39.0% in July,” Chainalysis said.
Ransomware payment data for 2023 also suggests new players are joining the crime spree, “attracted by the potential for high profits and lower barriers to entry,” Chainalysis says.
For example, one operation known as Phobos has been selling access to its ransomware strain to other hackers, making it easy for less sophisticated cybercriminals to conduct their own attacks. The result is a “force multiplier, enabling the strain to carry out a large quantity of these smaller attacks,” the company says.
In contrast, 2022 was likely an off year for ransomware because of Russia’s invasion of Ukraine, which disrupted the cyber activities of hackers living in both countries. In the same year, the FBI also infiltrated the Hive ransomware group and dismantled its operations.
In one positive sign, cybersecurity provider Coveware says its data shows that more victims are refusing to pay ransoms following a successful attack. Nevertheless, the report from Chainalysis shows that the ransomware threat persists.