Companies, individuals and other victims of ransomware attacks paid hackers more than $1.1 billion in 2023 in exchange for unlocking their data, according to new research.

Chainalysis — a blockchain research firm that analyzes transactions made by ransomware gangs, affiliates and other cybercriminals — released a report this morning finding that ransom payments broke records in 2023 thanks to a variety of factors.

Researchers saw just $567 million in ransom payments in 2022 — a decrease from the previous year which was attributed to the Russian-Ukrainian conflict and a fear of sanctions risks with payments. Several ransomware gangs were either forced to shift to espionage or destructive activities concerning Ukraine, while revelations of ties to the Russian state spooked some victims worried about fines related to U.S. sanctions.

But 2023 saw ransomware actors get back to business, intensifying their operations and targeting high-profile institutions and critical infrastructure like hospitals, schools, and government agencies.

Gangs also exploited zero-day vulnerabilities, like the one connected to ubiquitous file transfer software MOVEit, and made millions of dollars from the bugs.

“2023 marks a major comeback for ransomware, with record-breaking payments and a substantial increase in the scope and complexity of attacks — a significant reversal from the decline observed in 2022,” Chainalysis researchers said.

The figures used by Chainalysis are likely conservative estimates because they do not have access to all of the cryptocurrency wallets used by ransomware gangs. As an example, they noted that the ransom payment figures for 2022 grew from $457 million to $567 million as they discovered more cryptocurrency wallets connected to ransomware actors.

‘2023 was a disaster year’

Several trends stood out to Chainalysis and other ransomware experts who looked through their data.

Multiple ransomware gangs continued with the “big game hunting” strategy that focused on large companies and organizations likely to pay exorbitant ransoms. The Clop ransomware gang made more than $100 million from its exploitation of the MOVEit vulnerability, in part because it automated attacks on a mass of victims, many of which quickly paid to avoid scrutiny.

Clop’s attacks were so successful that they accounted for nearly 45% of all ransom payments made in June.

Chainalysis said big game hunting has become the dominant strategy over the last few years, with “a bigger and bigger share of all ransomware payment volume being made up of payments of $1 million or more.”

Other gangs are using the ransomware-as-a-service (RaaS) model to rapidly expand their operations — offering less skilled hackers simple tools to launch attacks.

The researchers noted that their work has been made more difficult in part because groups have had to move to new money laundering services after several law enforcement actions took down popular mixing services and cash-out platforms.

Recorded Future ransomware expert Allan Liska said Chainalysis’ findings confirmed his own data, which tracked a 70% jump in publicly reported ransomware attacks between 2022 and 2023.

Liska was quoted in the report because of his work tracking the rapid expansion of the number of active ransomware groups.

Liska said Recorded Future tracked 538 new ransomware variants in 2023. Both small and well-resourced operations are emerging and launching attacks on victims, according to Liska. The Record is an editorially independent unit of Recorded Future.

Chainalysis noted that several groups have rebranded — using overlapping strains as a way around sanctions and other law enforcement scrutiny. Chainalysis noted that their blockchain analysis shows that many groups continue using the same cryptocurrency wallets, making it easy to track groups.

An example is the Royal ransomware group, which took credit for the devastating attack on the city government of Dallas. Blockchain links show that the same hacker is behind Royal and a new ransomware gang known as 3am.

Liska said that in the end, 2023 “was a disaster of a year for ransomware.”

“This is despite the fact that there is an ongoing cross-governmental and organizational effort to combat ransomware. But, right now it seems like with every step forward we take in combating ransomware, the ransomware groups are taking two,” he said.

“Unfortunately, I also don't see a slowdown in ransomware attacks in 2024. It is simply too profitable, as the Chainalysis report shows, and there are too many cybercriminals (and some nation states) that are making too much money by carrying out ransomware attacks.”