Fraud Management & Cybercrime , Ransomware

Record-Breaking Ransomware Profits Surpassed $1B in 2023

Ongoing Innovation and Sophistication Drive Unparalleled Profits
Record-Breaking Ransomware Profits Surpassed $1B in 2023
Happy days are here again - if you're a ransomware hacker. (Image: Shutterstock)

Unwelcome news from the ransomware frontlines: Attackers are continuing to innovate and have launched more sophisticated attacks, collectively storming their way to over $1 billion in annual profits.

See Also: OnDemand | The Cost of Underpreparedness to Your Business

Last year marked "a major comeback for ransomware, with record-breaking payments and a substantial increase in the scope and complexity of attacks," says a new report from blockchain analytics firm Chainalysis, which calls the rise in ransomware a "significant reversal from the decline observed in 2022." That year was "an anomaly, not a trend," Chainalysis said.

In 2023, "ransomware actors intensified their operations, targeting high-profile institutions and critical infrastructure, including hospitals, schools and government agencies" and increasingly targeted larger organizations. Over 70% of ransom payments involved a payment of $1 million or more, according to the report.

Total Value Received by Ransomware Attackers

2019 2020 2021 2022 2023
$220 million $905 million $983 million $567 million $1.1 billion
These numbers may change as fresh intelligence comes to light. (Source: Chainalysis)

Expect the figure of $1.1 billion known to be paid by victims to ransomware groups last year to increase, in part because no one has an omniscient view of the cybercrime ecosystem. Over time, new connections can emerge that tie individual criminals or groups to specific blockchain addresses, sometimes thanks to law enforcement disruptions or arrests.

At this time last year, Chainalysis said it had tracked $457 million paid in ransoms by victims in 2022. Since then, additional intelligence has come to light, and the firm has revised its initial, "conservative" 2022 total upward by 24%, so far.

Twelve months ago, things looked rosier. Known 2022 ransomware profits had just taken a big dip from prior years. That most welcome decline came on the heels of coordinated efforts by the White House and allies to target and disrupt ransomware operators, backed by diplomacy, as well as a focus on bolstering public and private sector business resilience, to repel more attacks outright.

Also in 2022, the FBI's infiltration of the Hive operation took a big bite out of ransomware payments flowing to the group thanks to the bureau quietly giving 1,300 victims a free decryptor. The FBI estimates it prevented $130 million from being paid by victims to Hive.

But top-flight ransomware groups are experts at innovation, and 2023 was no exception. The Clop - aka Cl0p - group, launched a more refined version of its supply chain attacks that targeted users of secure file-sharing servers. In a late May 2023 attack, the group exploited a zero-day vulnerability in the widely used MOVEit file-sharing platform made by Progress Software. Instead of crypto-locking the servers, the attackers stole data being stored on them and used the threat of leaking that information to extort victims. In some cases, the group did leak stolen data, though much of it remained relatively inaccessible.

Clop's attack campaign appears to have only lasted a few days. Progress Software quickly issued a security alert and patch. Even so, the group earned over $100 million in ransom payments, and last year it accounted for "44.8% of all ransomware value received in June, and 39.0% in July," Chainalysis' report says.

The latest count from security firm Emsisoft is that Clop's campaign directly or indirectly affected over 2,750 organizations, resulting in the exposure of over 94 million individuals' personal information.

That was just one campaign last year, run by a single group.

Emsisoft last month reported seeing a jump from 2022 to 2023 in the number of confirmed, successful ransomware attacks against U.S. targets, which surged from 220 to a record-setting 321 victim organizations, not counting Clop's MOVEit campaign.

At the same time, the number of banners being flown by ransomware groups has increased, according to Allan Liska, a threat intelligence analyst at threat intelligence firm Recorded Future. "A major thing we're seeing is the astronomical growth in the number of threat actors carrying out ransomware attacks," he told Chainalysis, pointing to 538 different ransomware variants that appeared in 2023, sometimes wielded by new or independent groups (see: New Entrants to Ransomware Unleash Frankenstein Malware).

While ransomware groups might come and go - or rebrand, many of the players remain the same, experts say. "Top-tier ransomware groups have an interesting flaw: They change radically, operationally, logistically, structurally and strategically, but they draw from the same small pool of individuals - 200 or maybe 300 actors are essentially the backbone of all of today's ransomware APTs," Yelisey Bohuslavskiy, chief research officer at New York-based threat intelligence firm Red Sense, recently told Information Security Media Group.

Bohuslavskiy said disrupting ransomware operations carried opportunity costs for practitioners because it causes fatigue and can create divisions between affiliates and groups.

Data from Chainalysis also suggests that disruptions have a measurable impact. Compared to the FBI's estimate that its infiltration prevented $130 million from flowing into Hive's coffers, "we believe the Hive infiltration may have averted at least $210.4 million in ransomware payments," thanks to "knock-on effects," the firm said. "The Hive infiltration also most likely affected the broader activities of Hive affiliates, potentially lessening the number of additional attacks they could carry out."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.