Ransomware gangs have extorted $449 million this year: Chainalysis

Ransomware gangs have operated at a near-record profit in the first six months of the year, extorting more than $449 million from victims, according to blockchain research firm Chainalysis.

The figure likely pales in comparison to the actual totals because the research only looks at cryptocurrency wallets being monitored by the firm

If the trends continue, ransomware groups are on pace to bring in nearly $900 million in 2023, only $40 million behind the peak of $939.9 million seen in 2021.

Eric Jardine, cybercrimes research lead at Chainalysis, told Recorded Future News that a number of factors are contributing to ransomware’s resurgence rather than one specific driver, including the return of “big game hunting” — where ransomware gangs target large corporations in the hopes of garnering massive ransoms.

Jardine added that the effects of the Russia-Ukraine War — which experts believe caused the relative dip in ransom earnings in 2022 — are largely fading away as ransomware gangs get back to their typical level of activity. Chainalysis noted that groups like Cuba ransomware were forced to pivot from attacks for financial gain to others involving espionage and Ukraine-specific targets.

“The conflict likely displaced ransomware operators and diverted them away from financially inspired cyber intrusions,” he said.

Ransomware revenue plummeted in 2022 compared to 2021, with fewer large scale attacks on massive companies. But the gangs have bounced back in 2023, increasing the number of attacks on “large, deep-pocketed organizations,” as well as smaller companies.

Charts from Chainalysis show increases both in the number of payments under $1,000 as well as payments over $100,000.

“The payment size distribution has also extended to include higher amounts compared to previous years. In other words, we’re seeing growth in ransomware payments at both ends of the spectrum,” the researchers said.

The company also tracked payment size based on ransomware group, finding that gangs like Dharma and Djvu saw average ransom payment sizes of $265 and $619 respectively.

Groups like Clop, AlphV/Black Cat and Black Basta saw average payments hovering above $750,000 and into the millions. Clop led the way with an average payment size of $1.73 million and a median payment size of $1.94 million. The gang is currently making waves globally with its attacks through the popular MOVEit software, allowing them to steal data and extort hundreds of organizations.

Dharma and Phobos are considered low-level ransomware-as-a-service strains that are often used in “pray and spray” attacks against smaller companies. The ransomware strains are typically used by less sophisticated hackers as opposed to groups like BlackBasta and Clop, which target larger organizations.

Chainalysis’ report includes assessments from incident response firm Kivu, which corroborated their findings about the growth in payment sizes in 2023.

“These notable shifts in figures directly align with the growing number of extremely high initial demands, ranging in the tens and hundreds of millions of USD,” said Kivu general counsel and risk officer Andrew Davis.

Davis said the 2022 trend of many organizations simply refusing to pay ransoms has continued, but it has had a knock-on effect in 2023 of ransomware gangs increasing the size of their demands in attacks on organizations they know are willing to pay.

SafeBreach CISO Avishai Avivi said that while attacks on larger companies increased in 2023, he foresees these types of attacks eventually decreasing — as was seen last year — because more companies will realize the benefit of preparing for attacks in advance instead of spending millions to pay ransoms.

“As cyber insurance companies start declining coverage for ransomware-based losses, these organizations are more likely to invest in a more advanced security portfolio and validate that it can withstand even the newest ransomware attacks," Avivi said.

The figures back up the findings of several other cybersecurity firms, which have seen increases in the number of reported attacks and victims posted to ransomware leaks sites.