DHS: Ransomware attackers headed for second most profitable year

Ransomware attackers remain a major threat to the United States and are on pace to have their second most profitable year ever, the Department of Homeland Security said in an annual report.

The findings were part of the department’s 2024 Homeland Threat Assessment report released last week, which outlined a range of issues related to foreign and domestic terrorism, illegal drugs, misinformation, transnational crime and activity by the governments of Russia, China and Iran.

The report — which DHS officials said will now “serve as the primary mechanism for sharing the terrorism threat level” — dedicated an entire section to cyber threats and ransomware due to the increasing toll they take on U.S. hospitals, schools and businesses.

“Ransomware attackers extorted at least $449.1 million globally during the first half of 2023 and are expected to have their second most profitable year. This is due to the return of ‘big game hunting’ – the targeting of large organizations – as well as cyber criminals’ continued attacks against smaller organizations,” DHS said.

“Ransomware actors continue to target a variety of victims, almost certainly reflecting malicious cyber actors’ target refinement to entities perceived as the most vulnerable or likely to pay a ransom.”

The report notes that the number of known ransomware attacks in the U.S. increased by 47% from January 2020 to December 2022. Last year, ransomware gangs adopted several new tactics, including “intermittent encryption” which allows gangs to encrypt systems faster and reduce the chances of being detected, DHS explained.

Officials referenced the spate of attacks on K‑12 school districts since the return to school in August, noting that schools have been a “near constant ransomware target due to school systems’ IT budget constraints and lack of dedicated resources, as well as ransomware actors’ success at extracting payment from some schools that are required to function within certain dates and hours.”

Financially-motivated hackers will continue to “impose significant financial costs on the US economy” in the next year as ransomware gangs continue to target critical infrastructure.

“Ransomware groups that target US networks, infrastructure, and proprietary information are developing new methods to improve their ability to financially extort victims,” DHS explained.

“These groups have increased their use of multilevel extortion, in which they encrypt and exfiltrate their targets’ data and typically threaten to publicly release stolen data, use DDoS attacks, or harass the victim’s customers to coerce the victim to pay.”

The DHS found that the average business needs at least 22 days to recover and resume operations after a ransomware attack. Startlingly, ransomware recovery “frequently costs 50 times more than the ransom demand.”

Several ransomware experts tracking incidents said the DHS figures and findings meshed with their research. Recorded Future senior security architect Allan Liska noted that data from security firm Coveware backed up the DHS’ assessment that big-game hunting — where ransomware gangs target large companies — has returned after a relative dip following Russia’s invasion of Ukraine. The Record is an editorially independent unit of Recorded Future.

“According to Coveware the median ransom payment for the 1st half of 2023 was $158,076 That works out to about 2,850 victims, which is completely reasonable. During the first half of 2023, Recorded Future identified 2,104 victims posted to extortion sites, and we know only a fraction of victims make it to extortion sites,” Liska said.

“If you go by average payment, it is even more reasonable: 1,370 paid victims. It is impossible to know for sure, but I think only about 1/3 make it to leak sites (not saying 2/3rds pay).”

DHS’ findings mirror those of blockchain analysis firm Chainalysis, which also reported in July that ransomware gangs had brought in at least $449.1 million from January to June 2023. They estimated ransomware gangs will extort nearly $900 million in 2023, trailing only 2021’s $939.9 million.

Data around ransomware attacks and payments continues to be a struggle for both the government and security firms trying to understand whether attacks are increasing or decreasing.

Jen Easterly, director of DHS’ Cybersecurity and Infrastructure Security Agency (CISA), lamented the lack of data last month but argued that coming incident reporting rules will help provide clarity on ransomware trends.

Emsisoft ransomware expert Brett Callow said the lack of transparency and reporting requirements makes ransomware difficult to track, but said the data that is available outlines a clear trend.

“It appears that fewer orgs are paying but those that do pay pay more,” he said.

2024 targets

The 38-page report also raised concerns about nation-state attacks from Russia, China and Iran on the 2024 election, including misinformation and direct attacks on election-related networks and data at the state and federal level.

Hackers will likely target the networks, personal devices and e-mail accounts of election officials as well as political parties, the agency warned. Russia, China and Iran are “likely to use AI technologies to improve the quality and breadth of their influence operations targeting US audiences.”

DHS is most concerned about misconfigured or vulnerable public‑facing websites, web servers, and election‑related information technology systems — alongside more traditional attacks involving spear‑phishing and smishing.

The report specifically highlights Russian espionage attacks on federal and state governments, as well as Chinese government targeting of ports.

DHS also warned that critical infrastructure continues to face distributed denial‑of‑service (DDoS), website defacement, and ransomware attacks by groups like Killnet and others.

Hackers are also testing out the capabilities of AI-developed malware and AI-assisted software development – which they said may help groups launch “larger scale, faster, efficient, and more evasive cyber attacks – against targets, including pipelines, railways, and other US critical infrastructure.”

“Adversarial governments, most notably the PRC, are developing other AI technologies that could undermine US cyber defenses, including generative AI programs that support malicious activity such as malware attacks,” DHS said.