Ransomware Profits

With half of 2023 over, ransomware gangs have operated at a near-record profit, extorting more than $449 million from victims, according to blockchain research firm Chainalysis.  The figure likely pales in comparison to the actual totals because the research only looks at cryptocurrency wallets being monitored by the firm.  If the trends continue, ransomware groups are on pace to bring in nearly $900 million in 2023, only $40 million behind the peak of $939.9 million seen in 2021.

Chainalysis reported that several factors are contributing to ransomware’s resurgence rather than one specific driver, including the return of “big game hunting,” where ransomware gangs target large corporations in the hopes of garnering massive ransoms.[1]

Jardine added that the effects of the Russia-Ukraine War, which experts believe caused the relative dip in ransom earnings in 2022, are largely fading away as ransomware gangs get back to their typical level of activity.  Chainalysis noted that groups like Cuba ransomware were forced to pivot from attacks for financial gain to others involving espionage and Ukraine-specific targets.  “The conflict likely displaced ransomware operators and diverted them away from financially inspired cyber intrusions,” they said.

Ransomware revenue plummeted in 2022 compared to 2021, with fewer large-scale attacks on massive companies. But the gangs have bounced back in 2023, increasing the number of attacks on “large, deep-pocketed organizations,” as well as smaller companies.

Charts from Chainalysis show increases both in the number of payments under $1,000 as well as payments over $100,000.  “The payment size distribution has also extended to include higher amounts compared to previous years.  In other words, we’re seeing growth in ransomware payments at both ends of the spectrum,” the researchers said.

The company also tracked payment size based on ransomware group, finding that gangs like Dharma and Djvu saw average ransom payment sizes of $265 and $619 respectively.

Groups like Cl0p, Alphv/Black Cat and Black Basta saw average payments hovering above $750,000 and into the millions.  Cl0p led the way with an average payment size of $1.73 million and a median payment size of $1.94 million.  The gang is currently making waves globally with its attacks through the popular MOVEit software, allowing them to steal data and extort hundreds of organizations.

Dharma and Phobos are considered low-level ransomware-as-a-service strains that are often used in “pray and spray” attacks against smaller companies.  The ransomware strains are typically used by less sophisticated hackers as opposed to groups like Black Basta and Cl0p, which target larger organizations.

Chainalysis’ report includes assessments from incident response firm Kivu, which corroborated their findings about the growth in payment sizes in 2023.  “These notable shifts in figures directly align with the growing number of extremely high initial demands, ranging in the tens and hundreds of millions of USD,” said the Kivu general counsel and risk officer.  He said the 2022 trend of many organizations simply refusing to pay ransoms has continued, but it has had a knock-on effect in 2023 of ransomware gangs increasing the size of their demands in attacks on organizations they know are willing to pay.

The SafeBreach CISO said that while attacks on larger companies increased in 2023, he foresees these types of attacks eventually decreasing, as was seen last year, because more companies will realize the benefit of preparing for attacks in advance instead of spending millions to pay ransoms.  “As cyber insurance companies start declining coverage for ransomware-based losses, these organizations are more likely to invest in a more advanced security portfolio and validate that it can withstand even the newest ransomware attacks,” he said.

The figures back up the findings of several other cybersecurity firms, which have seen increases in the number of reported attacks and victims posted to ransomware leak sites.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

Reporting:    https://www.redskyalliance.org/
Website:       https://www.redskyalliance.com/
LinkedIn:      https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

[1] https://therecord.media/ransomware-gangs-extorted-record-amounts/
