CryptoForDay


Record $1B Ransomware Payments Flagged: Chainalysis Reports


Criminals extorted an unprecedented $1 billion in cryptocurrency ransomware payments in 2023 through a series of highly sophisticated attacks on high-profile institutions and infrastructure. Chainalysis, a leading blockchain analysis firm, recently released an excerpt from its 2024 Crypto Crime Report that focused on ransomware. The attacks included significant supply chain breaches through the widely used file transfer software MOVEit, which affected well-known organizations like the BBC and British Airways. The 2023 increase showed up as higher frequency, wider scope, and greater volume of attacks.

Recorded Future, a cybersecurity firm, provided data and insights to Chainalysis, revealing that there were 538 new ransomware variants in 2023. The report also includes visualizations that plot the different strains of ransomware by payment size and frequency, highlighting the various strategies employed by criminals. For instance, the report noted that the CL0P group adopted a “big game hunting” approach, conducting fewer but more substantial attacks. This group targeted large organizations and took advantage of zero-day vulnerabilities to demand significant ransom payments. By contrast, ransomware groups like Phobos used a Ransomware as a Service (RaaS) model, in which criminal affiliates get access to the malware to conduct attacks while the core operators receive a portion of the ransom proceeds. This model primarily targeted smaller entities with lower ransom amounts, with the aim of extracting funds through a large number of attacks.

To evade detection and increase their success rate, ransomware attackers often rebrand and create new strains that differ from previously identified ones associated with sanctions and investigations. Chainalysis uses blockchain analysis to establish connections between the wallets of different ransomware strains.

Another significant factor contributing to the prevalence of high-impact ransomware incidents in 2023 was the exploitation of zero-day vulnerabilities. These vulnerabilities are security gaps in a company’s systems, products, or applications that hackers exploit before developers can patch them. CL0P’s attack on the file transfer software MOVEit in 2023 is an example of zero-day exploitation. MOVEit is widely used by various IT and cloud applications, and the attack exposed data from numerous organizations and millions of users, making CL0P the most prominent ransomware strain that year. This strain collected over $100 million in ransom payments, accounting for 44.8% of the total ransomware value in June and July of 2023.

Criminals increasingly turned to various methods for laundering the funds obtained through ransomware attacks in 2023. They utilized cross-chain bridges, instant exchangers, mixers, and underground exchanges to hide the source of the stolen funds. While centralized exchanges and mixers historically received the majority of these funds for laundering, the report indicates that the movement of stolen funds is evolving.

The year 2023 witnessed a surge in ransomware attacks, resulting in criminals accumulating a staggering $1 billion in cryptocurrency ransom payments. These attacks targeted high-profile institutions and infrastructure, and they were characterized by sophisticated techniques and extensive scope. The report from Chainalysis serves as a comprehensive analysis of the ransomware landscape in 2023, shedding light on the diverse strategies employed by various ransomware groups and the evolving methods used to launder the stolen funds.
