For many organizations and startups, 2023 was a rough year financially, with companies struggling to raise money and others making cuts to survive. Ransomware and extortion gangs, on the other hand, had a record-breaking year in earnings, if recent reports are anything to go by.
It’s hardly surprising when you look at the state of the ransomware landscape. Last year saw hackers continue to evolve their tactics to become scrappier and more extreme in efforts to pressure victims into paying their increasingly exorbitant ransom demands. This escalation in tactics, along with the fact that governments have stopped short of banning ransom payments, led to 2023 becoming the most lucrative year yet for ransomware gangs.
The billion-dollar cybercrime business
According to new data from crypto forensics startup Chainalysis, known ransomware payments almost doubled in 2023 to surpass the $1 billion mark, calling the year a “major comeback for ransomware.”
That’s the highest figure ever observed, and almost double the amount of known ransom payments tracked in 2022. But Chainalysis said the actual figure is likely far higher than the $1.1 billion in ransom payments it has witnessed so far.
There’s a glimmer of good news, though. While 2023 was overall a bumper year for ransomware gangs, other hacker-watchers observed a drop in payments toward the end of the year.
This drop is a result of improved cyber defenses and resiliency, along with the growing sentiment that most victim organizations don’t trust hackers to keep their promises or delete any stolen data as they claim. “This has led to better guidance to victims and fewer payments for intangible assurances,” according to ransomware remediation company Coveware.
Record-breaking ransoms
While more ransomware victims are refusing to line the pockets of hackers, ransomware gangs are compensating for this drop in earnings by increasing the number of victims they target.
Take the MOVEit campaign. This huge hack saw the prolific Russia-linked Clop ransomware gang mass-exploit a never-before-seen vulnerability in the widely used MOVEit Transfer software to steal data from the systems of more than 2,700 victim organizations. Many of the victims are known to have paid the hacking group in efforts to prevent the publication of sensitive data.
While it’s impossible to know exactly how much money the mass-hack made for the ransomware group, Chainalysis said in its report that Clop’s MOVEit campaign amassed over $100 million in ransom payments, and accounted for almost half of all ransomware value received in June and July 2023 during the height of this mass-hack.
MOVEit was by no means the only money-making campaign of 2023.
In September, casino and entertainment giant Caesars paid roughly $15 million to hackers to prevent the disclosure of customer data stolen during an August cyberattack.
This multimillion-dollar payment perhaps illustrates why ransomware actors continue to make so much money: the Caesars attack barely made it into the news, while a subsequent attack on hotel giant MGM Resorts — which has so far cost the company $100 million to recover from — dominated headlines for weeks. MGM’s refusal to pay the ransom led to the hackers’ release of sensitive MGM customer data, including names, Social Security numbers and passport details. Caesars — outwardly at least — appeared largely unscathed, even if by its own admission could not guarantee that the ransomware gang would delete the company’s stolen data.
Escalating threats
For many organizations, like Caesars, paying the ransom demand seems like the easiest option to avoid a public relations nightmare. But as the ransom money dries up, ransomware and extortion gangs are upping the ante and resorting to escalating tactics and extreme threats.
In December, for example, hackers reportedly tried to pressure a cancer hospital into paying a ransom demand by threatening to “swat” its patients. Swatting incidents rely on malicious callers falsely claiming a fake real-world threat to life, prompting the response of armed police officers.
We also saw the notorious Alphv (known as BlackCat) ransomware gang weaponize the U.S. government’s new data breach disclosure rules against MeridianLink, one of the gang’s many victims. Alphv accused MeridianLink of allegedly failing to publicly disclose what the gang called “a significant breach compromising customer data and operational information,” for which the gang took credit.
No ban on ransom payments
Another reason ransomware continues to be lucrative for hackers is that while not advised, there’s nothing stopping organizations paying up — unless, of course, the hackers have been sanctioned.
To pay or not to pay the ransom is a controversial subject. Ransomware remediator Coveware suggests that if a ransom payment ban was imposed in the U.S. or any other highly victimized country, companies would likely stop reporting these incidents to the authorities, reversing past cooperation between victims and law enforcement agencies. The company also predicts that a ransom payments ban would lead to the overnight creation of a large illegal market for facilitating ransomware payments.
Others, however, believe a blanket ban is the only way to ensure ransomware hackers can’t continue to line their pockets — at least in the short term.
Allan Liska, a threat intelligence analyst at Recorded Future, has long opposed banning ransom payments — but now believes that for as long as ransom payments remain lawful, cybercriminals will do whatever it takes to collect them.
“I’ve resisted the idea of blanket bans on ransom payments for years, but I think that has to change,” Liska told TechCrunch. “Ransomware is getting worse, not just in the number of attacks but in the aggressive nature of the attacks and the groups behind them.”
“A ban on ransom payments will be painful and, if history is any guide, will likely lead to a short-term increase in ransomware attacks, but it seems like this is the only solution that has a chance of long-term success at this point,” said Liska.
While more victims are realizing that paying the hackers cannot guarantee the safety of their data, it’s clear that these financially motivated cybercriminals aren’t giving up their lavish lifestyles anytime soon. Until then, ransomware attacks will remain a major money-making exercise for the hackers behind them.
Read more on TechCrunch:
Why ransomware victims can’t stop paying off hackersDo government sanctions against ransomware groups work?Why extortion is the new ransomware threat