2023 Ransomware Payments Hit $1.1B Record

It seemed that the tide had turned in the ransomware landscape in 2022. Reports showed a declining numbers of attacks and more victims refusing to pay. But in 2023, ransomware activity surged. Ransomware gangs successful extorted a record $1.1 billion in cryptocurrency payments from victims, according to a report from blockchain analysis firm Chainanalysis.

What factors drove the upswing in ransomware activity? And following a year of record payments, what can enterprise security leaders expect in the ransomware landscape of 2024?

The Top Threat Actors

Ransomware remains a lucrative business for cybercriminals, and the barrier to entry is relatively low. Threat actors can seek easily exploitable vulnerabilities or opt to pay for ransomware-as-a-service. While the volume of attacks is significant, several notorious groups take the lead as repeat offenders.

“LockBit we see … almost 25% of all ransomware attacks are from that group,” Jonathan Braley, director of threat intelligence at the Information Technology-Information Sharing and Analysis Center (IT-ISAC), tells InformationWeek. “So, every week we’re seeing 10 to a dozen attacks coming just from LockBit.”

Taiwan Semiconductor Manufacturing Company (TSMC) and IT products and services company CDW were among LockBit’s victims in 2023. The group demanded $70 million from TSMC and $80 million from CDW. In 2024, the group claimed responsibility for attacks on Saint Anthony Hospital and Lurie Children’s Hospital in Chicago.

Related:China's Volt Typhoon Found Lurking in Critical Infrastructure for Years

The Clop Ransomware Gang was also a big player last year. The group was linked to the MOVEit breach, which impacted thousands of organizations and millions of people, according to software company Emsisoft.

ALPHV/Blackcat was another prominent player in 2023. The group made waves in the fall when it reported one of its breach victims to the US Securities and Exchange Commission (SEC) for not disclosing the breach. In December, the Justice Department announced that the FBI developed and offered a decryption tool to more than 500 ALPHV/Black Cat victims. The disruption campaign saved victims approximately $68 million in ransom demands.

“You’re seeing some wins on the law enforcement side to help to degrade the ability of these groups to operate there effectively as they have been,” says Craig Hoffman, partner and cybersecurity team leader at law firm BakerHostetler.

While law enforcement works to disrupt ransomware activity, threat actors continue to evolve.

“Originally, when ransomware started it was quite disjointed, but I believe that the actors have become more streamlined. I think they’re working closer together,” Andrew Costis, chapter lead of the adversary research team at AttackIQ, a security optimization platform, shares.

Related:Expect the Unexpected: How to Reduce Zero-Day Risk

Threat actors are also increasingly leveraging data exfiltration as a means of extortion and profit: pushing companies to pay ransoms to prevent publication of sensitive data or selling that sensitive data.

Richard Caralli, senior cybersecurity advisor at Axio, a cybersecurity performance management company, points out that major cyberattacks on companies like MGM and 23andMe in 2023 involved data exfiltration. “It’s far more lucrative for these groups on the dark web, selling it or using it for future attacks, than I think we’re giving them credit for,” he says.

The Popular Attack Vectors

Ransomware groups do not necessarily need to pursue the most sophisticated techniques to gain access and exploit their victims. Social engineering and phishing tactics have proved effective. “We’re not giving enough attention to the basic fundamental practices and fundamental controls,” says Caralli.

Threat actors are also exploiting zero-day vulnerabilities, like the one in the MOVEit file transfer tool, to execute ransomware attacks.

Related:Sign Up for InformationWeek's New Cyber Resilience Newsletter

While ransomware groups are more than happy to pick the low-hanging fruit, they are also finding new ways to execute their attacks.

“They’re switching to different programming languages, so using things like Rust,” Braley explains. “They can go after macOS, they can go after Linux. They can go after potentially even some of these mobile operating systems as well.”

Threat actors are also leveraging more advanced social engineering tactics, according to Costis. “So, for example, multifactor authentication [MFA] fatigue attacks or SMS phishing rather than traditional email phishing. Obviously, AI and generative AI are starting to play into this as well,” he says.

The Worst-Hit Ransomware Victims

Ransomware groups are financially motivated; their activity tends to be opportunistic.

“If you’re connected to the internet and you use a VPN that bad guys know to be vulnerable, they will just scan the internet look for that VPN,” says Hoffman. “In a way, they don’t care who they find as long as they find someone they can attack that [becomes] someone who might pay them.”

Ransomware attacks are reported in many different sectors, ranging across finance, health care, education, government, and more. IT-ISAC tracks ransomware activity across critical US sectors. “Critical manufacturing is typically number one, sitting around 15 percent,” says Braley.

Critical infrastructure victims may be more likely to pay because they cannot afford downtime, and they offer threat actors the tantalizing possibility of valuable data. “I think we might start seeing more targeted ransomware attacks … in the future,” says Costis.

In December 2023, a group affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC) hacked a municipal water authority in Pennsylvania. The month prior, a water utility in Texas was hit with a ransomware attack.

“To some degree, that is about disrupting operations and putting fear out there,” says Caralli.

A Continuing Trend

In 2024 thus far, Comparitech has tracked more than 60 ransomware attacks across the business, education, government, and healthcare sectors. Braley shares that IT-ISAC has seen 185 attacks in January, up from 120 attacks last January. What could enterprise leaders expect to see as ransomware activity continues?

Dual ransomware is a growing concern. “No sooner has a company paid out a ransom and then they’ll get infected by a different variant. So, we might see an uptick in that,” says Costis. Threat actors will likely continue to execute social engineering campaigns and look for zero-day vulnerabilities to exploit. The increasing use of AI could power more sophisticated attacks. Ransomware groups may also increasingly target hypervisors.

“If groups start focusing more on virtual environments -- and those are sometimes less hardened than other parts of a company’s network -- you may see, at least temporarily until companies adapt, more impactful ransomware events,” says Hoffman.

Public company compliance with the SEC’s cybersecurity incident reporting rule that went into effect in December 2023 may shed more light on ransomware activity. More visibility and continued threat actor activity could mean that we will see a new record amount of known victim payments. “I would not be shocked if we get another report by the end of the year or this time next year with a much higher … figure,” says Costis.

Yet, there is hope for enterprises and the cybersecurity community. Basic cyber hygiene, patch management, and access control can go a long way toward mitigating the risk of ransomware. “We should see companies being more resilient and needing to pay less often,” says Hoffman.

While 2023 was a record year for ransomware payments, Hoffman shares a positive trend seen in his work. “In 2022, in our ransomware matters, our clients paid about 40% of the time, and that was kind of split between our smaller clients paying for a decryptor and our larger clients paying to prevent publication,” Hoffman shares. “In 2023, we dropped; our clients paid about 25% of the time.”