In 2023, organizations saw a “major escalation” in the frequency, scope and volume of ransomware attacks, highlighting challenges in efforts by enterprise security teams and the U.S. government to curb the threat of ransomware overall.
A portion of a report released by Chainalysis on Wednesday recorded $1.1 billion in ransomware payments in 2023, a significant increase from the $567 million reported in 2022 and the highest number observed by the firm ever. The figure is reflective of an intense year for ransomware attacks, with threat actors leveraging zero-day flaws like the well-known vulnerability in the MOVEit file transfer software to target victims at a massive scale, and the growth of initial access brokers continuing to make it easier for ransomware groups to launch attacks.
“Given the proliferation of ransomware-as-a-service (RaaS), it's never been easier to conduct a ransomware attack, and many of the targets are hospitals, small businesses, and government agencies,” said Jackie Burns Koven, head of cyber threat intelligence at Chainalysis. “Investments in cybersecurity and security training can go a long way in protecting these organizations from devastating attacks. If an organization unfortunately falls victim to an attack, it is important to report it to law enforcement.”
Ransomware attacks and the ensuing fallout - including payments - involve several moving elements, and it’s difficult to capture the full impact. While the $1.1 billion in ransomware payments shows the total value received by ransomware actors in 2023, that number does not reflect the economic impact for targeted businesses, in terms of loss of productivity or the cost of remediation. The impact to organizations that did not pay the ransom is also not reflected here. As Chainalysis pointed out, when MGM Resorts International was hit by a ransomware attack in September, the organization did not pay - but it still revealed in a Form 8-K that the incident would cost approximately $100 million.
In 2022, the $567 million in ransomware payments received by attackers was considered a marked drop from the $983 million recorded in 2021. However, this past year shows that 2022 was an outlier rather than the start of a continuing downward trend. Chainalysis said one factor was the Russia-Ukraine conflict in 2022, which may have led some threat actors to shift their goal from financial gain to more politically motivated attacks, depressing the ransomware market that year.
At a high level, the U.S. government has been working to tackle the issue of ransomware by attempting to build closer partnerships with the private sector and by imposing sanctions on ransomware group members. The latter measure would in theory help curb ransomware by barring companies from paying sanctioned actors. However, Chainalysis’ report outlines a significant hurdle: cybercriminals rebrand or switch to other ransomware strains, which makes the sanctions very difficult to enforce in practice.
For instance, after the Treasury Department in 2022 imposed sanctions on Evil Corp members for their roles involving the Dridex malware, actors affiliated with this group stopped using Dridex as much and instead developed new ransomware families in order to obscure attribution.
“As we’ve covered previously, ransomware administrators often rebrand or launch new strains, while affiliates often switch strains or work for multiple simultaneously,” according to the report. "Rebrands often allow ransomware attackers to distance themselves from strains publicly linked to sanctions or that have incurred too much scrutiny. Rebrands and affiliate switching can also allow attackers to hit the same victims twice under different strain names.”
While the report showcases more high-impact ransomware incidents that leverage zero-day flaws, the adoption of baseline security practices among businesses - especially small and medium-sized ones - continues to be slow on the other end of the spectrum, as the Ransomware Task Force pointed out last year.
At the end of the day, the barrier to entry for cybercriminals is getting lower, and it’s making defenders’ jobs more difficult. But security leaders need to focus on what they can control, said Rick Holland, CISO at ReliaQuest. Holland said “extortion is typically opportunistic, so CISOs need to concentrate on making their organizations a hard target.” That includes maintaining a patch management plan, restricting network access to exposed services and limiting who can use them, and making sure robust logging and detection are in place, he said.
“As we saw over the summer, extortion headlines have given CISOs a unique opportunity,” said Holland. “A captive audience is interested in the cyber threat landscape. CISOs can use data from reports like these to better quantify the threat when communicating up the chain of command. Extortion victim data and narratives from the new SEC Form 10-K disclosures frame the impact of extortion well. CISOs can use this narrative to justify their prioritization and investment strategies.”