In case you thought ransomware was a fad that faded out, think again. Research firm Chainalysis published its annual crime report showing it counted $1.1 billion in ransomware payments made to ransomware gangs in 2023. One reason this number is more credible than anecdotal evidence is that Chainalysis tracks payments across blockchains, which are publicly visible and are almost exclusively the way ransomware gangs demand payment, through Bitcoin and other digital currencies.
This massive payout follows a down year in 2022, attributed to eastern European cyber gangs being distracted by the war in Ukraine. In particular, the prolific ransomware gang Conti was disbanded over diverging loyalties to Russia and Ukraine.
There were two big drivers of the increase in ransomware payments. The first was targeting firms that could not tolerate a crippling ransomware attack and also had the means to pay larger ransom sums. Examples of such firms include hospitals, where lives depend on networks staying up, and financial services firms that must continue to trade and manage assets or risk losing the faith and trust of their customers.
The second big driver was the emergence of the Cl0p ransomware gang and publicly exposed vulnerabilities such as the one in the MOVEit file transfer web application, which was susceptible to exploitation by cyber criminals. The MOVEit ransomware attacks affected over 62 million people, with over $100M in ransomware payments attributed to Cl0p.
Given this resurgence of ransomware in 2023, what can we expect in 2024? In short, more ransomware attacks. Ransomware is a low-risk, high-payout crime, which means it will attract more new actors into the industry. What MOVEit demonstrated is that externally facing attack surfaces are rich and ripe for the taking. We expect that more vulnerabilities, both externally facing and behind the firewall, together with account takeover attacks, will contribute to more successful ransomware campaigns this year.
While the cyber insurance industry tends to lag behind attacks in instituting new controls, we can expect new cyber insurance requirements to come down the pike that minimize attack surfaces and raise the bar on security controls.
See https://www.wired.com/story/ransomware-payments-2023-breaks-record/ for more analysis.