Criminals made off with a staggering $1 billion in cryptocurrency ransomware payments in 2023, per the latest insights from Chainalysis’ 2024 “Crypto Crime Report.”
The report highlights a surge in sophisticated attacks targeting high-profile institutions and critical infrastructure, including significant supply chain breaches carried out through the widely used file transfer software MOVEit. Notable victims included household names like the BBC and British Airways, emphasizing the far-reaching impact of these attacks.
Ransomware Payments Surge in 2023 Despite Previous Year’s Decline
The surge in ransomware payments in 2023 represents a stark reversal from the decline observed in 2022. The previous year’s decrease in ransomware activity was attributed to various factors, including geopolitical events such as the Russian-Ukrainian conflict, which shifted cyber actors’ focus towards politically motivated cyberattacks.
The FBI’s infiltration of Hive prevented approximately $130 million in ransom payments and significantly altered the ransomware landscape in 2022. Statistical models estimate that the Hive intervention may have averted at least $210.4 million in ransomware payments during the six months of FBI infiltration.
One contributing factor to the resurgence of ransomware in 2023 was the escalation in the frequency, scope, and volume of attacks. Various actors carried out these attacks, ranging from individuals and small criminal groups to large syndicates.
Chainalysis, drawing on data from cybersecurity firm Recorded Future, documented 538 new ransomware variants in 2023, illustrating the dynamic landscape of criminal strategies. The report sheds light on ransomware groups like CL0P, which employ a “big game hunting” approach: leveraging zero-day vulnerabilities and data exfiltration to extort large payments from deep-pocketed victims.
Ransomware groups like Phobos are capitalizing on a lucrative business model called Ransomware-as-a-Service (RaaS). This scheme allows criminal affiliates access to sophisticated malware to execute attacks, with the core operators reaping a percentage of the ransom proceeds.
According to Chainalysis, this model primarily targets smaller entities with lower ransom demands, banking on the volume of smaller attacks to amplify financial gains.
Moreover, ransomware attackers are adept at rebranding and creating overlapping strains to distance themselves from past identifications linked to sanctions and law enforcement investigations. Chainalysis utilizes blockchain analysis to illustrate on-chain connections between wallets associated with ransomware strains.
Ransomware-as-a-Service Model Thrives as Cyber Threats Evolve
One significant contributing factor to high-impact ransomware incidents in 2023 was the exploitation of zero-day vulnerabilities. These attacks exploit security weaknesses in a company’s services, systems, products, or applications before developers can patch them.
An illustrative case of this was CL0P’s exploitation of the file transfer software MOVEit in 2023. The campaign against MOVEit, which is widely used in IT and cloud applications, exposed the data of hundreds of organizations and millions of users. It propelled CL0P to the forefront of the ecosystem, culminating in over $100 million in ransom payments in June and July 2023 alone, accounting for nearly half of the total ransomware value.
The proliferation of ransomware attacks was further enabled by the rise of Initial Access Brokers (IABs), who sell access to potential victims’ networks to ransomware attackers. Chainalysis discovered a correlation between funds flowing into IAB wallets and increased ransomware payments, suggesting that monitoring IABs could offer early indicators for potential intervention and mitigation of attacks.
The movement of ransomware funds provided insights into the methods and services used by threat actors for laundering proceeds. The combination of IABs and readily available Ransomware-as-a-Service (RaaS) platforms has lowered the technical barrier for conducting successful attacks, according to the findings of the on-chain sleuth firm.
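The early-indicator idea above (inflows to Initial Access Broker wallets leading ransomware payments) can be illustrated with a lagged-correlation check and a simple spike alert. The following is an added example, not code or data from Chainalysis or the report: the weekly series are constructed so that ransom payments track IAB inflows two weeks later, and the wallet labelling that would produce such series in practice is assumed to come from an external attribution source.

```python
"""Lagged correlation and spike alerting for labelled-wallet inflows.

Added illustrative example. IAB_INFLOWS and RANSOM_PAYMENTS are constructed
weekly totals (thousands of USD) and are NOT figures from the Chainalysis report.
In a real pipeline they would be aggregated from on-chain transfers to wallets
labelled as IAB-controlled and as ransomware-strain-controlled respectively.
"""
from statistics import mean, pstdev

# Constructed: two inflow spikes (weeks 3 and 8) into IAB-labelled wallets.
IAB_INFLOWS = [10, 12, 11, 40, 13, 12, 11, 10, 38, 12, 11, 10]
# Constructed: ransom payments follow the IAB spikes with a two-week delay.
RANSOM_PAYMENTS = [150, 160, 150, 160, 155, 300, 165, 160, 155, 150, 290, 160]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length series."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must be equal length and have >= 2 points")
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    denom = (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5
    return 0.0 if denom == 0 else cov / denom


def lagged_correlation(leading, trailing, max_lag):
    """Correlation of leading[t] with trailing[t + k] for k in 0..max_lag.

    A high value at lag k means the leading series (IAB inflows) anticipates
    the trailing series (ransom payments) by k weeks.
    """
    results = {}
    for k in range(max_lag + 1):
        head = leading[: len(leading) - k] if k else leading
        tail = trailing[k:]
        results[k] = pearson(head, tail)
    return results


def best_lag(leading, trailing, max_lag):
    """Return (lag, r) for the lag with the strongest positive correlation."""
    corr = lagged_correlation(leading, trailing, max_lag)
    lag = max(corr, key=corr.get)
    return lag, corr[lag]


def spike_alerts(series, window=3, z=2.0):
    """Indices where a value exceeds mean + z * stdev of the preceding window.

    This is the 'monitoring' step: an alert on IAB inflows is an early warning
    that ransomware activity may follow.
    """
    alerts = []
    for i in range(window, len(series)):
        prior = series[i - window : i]
        sigma = max(pstdev(prior), 1e-9)  # avoid a zero threshold on flat data
        if series[i] > mean(prior) + z * sigma:
            alerts.append(i)
    return alerts


if __name__ == "__main__":
    lag, r = best_lag(IAB_INFLOWS, RANSOM_PAYMENTS, max_lag=4)
    print(f"IAB inflows lead ransom payments by {lag} week(s), r = {r:.3f}")
    print("IAB inflow spikes (early-warning weeks):", spike_alerts(IAB_INFLOWS))
```

On the constructed data the strongest correlation is at a two-week lag and the inflow spikes are flagged in weeks 3 and 8, before the payment spikes in weeks 5 and 10. With real attribution data the lag and threshold would have to be fitted rather than assumed, and false positives from wallet mislabelling are the main operational risk.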
While centralized exchanges and mixers remained popular, new services like bridges, instant exchangers, and gambling services saw increased adoption, possibly due to disruptions in preferred laundering methods and stricter AML/KYC policies.
According to the report, despite the challenges posed by ransomware, 2023 also saw significant victories in the fight against it, with collaboration between international law enforcement, affected organizations, cybersecurity firms, and blockchain intelligence.
Proactive engagement from law enforcement agencies, exemplified by the Hive takedown and the disruption of BlackCat, demonstrated a stronger, more determined approach to aiding victims and tracking down cybercriminals.