Ransomware payments soared in 2023

Ransomware attacks grew larger in scope and more complex last year, resulting in record high payments that defied the previous year's lull.

A recent analysis from blockchain data platform Chainalysis found that in 2023 people paid $1.1 billion worth of cryptocurrency in ransomware payments, the highest sum since at least 2019, when it was a "mere" $220 million. The 2023 figures stand in contrast to 2022's $567 million, which represented a sudden, unexpected drop.

Chainalysis said this shows the previous year was more of an aberration than a new normal, fueled by geopolitical factors such as the Russian invasion of Ukraine. The conflict disrupted operations for certain actors, and the remaining ones shifted their focus from financial gain to politically motivated cyberattacks that steal information and wreak havoc. Other factors at play included a reluctance among Western entities to pay ransoms to groups due to potential sanction risks, as some are linked to Russian intelligence agencies. There were also successful high-profile operations against the Hive ransomware network.

This was only a temporary lull, however, as ransomware attacks have since come roaring back. There were 538 new ransomware variants in 2023, pointing to the rise of new, independent groups. Ransoms have also been growing bigger; the analysis found that cybercriminals have increasingly preferred to go after a smaller number of higher value targets versus large numbers of low-value ones. This strategy, which is termed "big game hunting" in their world, had been growing more popular over the last few years and, over 2023, grew more popular still.

The report also pointed to the rise of ransomware-as-a-service (RaaS) networks, in which outsiders known as affiliates can access the malware to carry out attacks and, in exchange, pay the strain's core operators a cut of the ransom proceeds. This lowers the barrier to entry for less sophisticated players, so a much greater quantity of attacks can be launched.

The analysis also noted the rise of initial access brokers (IABs), who penetrate the networks of potential victims, then sell that access to ransomware attackers for as little as a few hundred dollars. There is a correlation between inflows to IAB wallets and an upsurge in ransomware payments, suggesting that monitoring IABs could provide early warning signs and allow for potential intervention and mitigation of attacks.

Finally, it has become easier to launder ill-gotten cryptocurrency. While centralized exchanges and mixers have been a factor for a while, this year saw the embrace of new services for laundering, including bridges, instant exchangers and gambling services, likely because authorities have moved to crack down on previously preferred methods.

"The ransomware landscape underwent significant changes in 2023, marked by shifts in tactics and affiliations among threat actors, as well as the continued spread of RaaS strains and swifter attack execution, demonstrating a more efficient and aggressive approach," said the Chainalysis report. "The movement of affiliates highlighted the fluidity within the ransomware underworld and the constant search for more lucrative extortion schemes."
