Ransomware Attacks Surge in 2023, Reaching $449.1 Million

According to a report by blockchain analytics firm Chainalysis, ransomware attacks have experienced a significant resurgence in 2023, with cybercriminals extorting an estimated $449.1 million in the first half of the year. If this trend continues, the total amount extorted could reach $898.6 million by the end of 2023, making it the second-highest year on record, following 2021's $939.9 million.

In contrast, revenue from cryptocurrency scams has decreased by 77% compared to the same period last year. The decline can be attributed in part to the sudden exit of VidiLook, a platform that rewarded users with VDL tokens for watching digital ads, which could then be exchanged for substantial rewards. Additionally, inflows to illicit addresses associated with malware, darknet markets, child abuse material, and fraud shops have also decreased.

This shift in the landscape marks a reversal from the decline in ransomware revenues observed in 2022. Chainalysis attributes the resurgence to the return of big game hunting and the success of smaller-scale attacks carried out by groups like Dharma and Phobos.

On one end of the spectrum, advanced groups such as Cl0p (or Clop), BlackCat, and Black Basta adopt a more selective targeting approach and demand higher ransoms from larger organizations. Cl0p, for instance, has targeted 296 organizations globally by exploiting security flaws in the MOVEit Transfer application. Emsisoft researcher Brett Callow estimates that over 18.1 million individuals have been impacted by Cl0p's ransomware attacks. Cl0p's average payment size for the first half of 2023 stands at $1,730,486, significantly higher than Dharma's average of $265.

While law enforcement efforts and the availability of decryptors have encouraged some victims not to pay ransoms, it is suspected that ransomware operators are increasing the size of their demands in response, aiming to extract funds from companies still willing to comply.

Another factor impacting ransomware operations is the Russia-Ukraine War, which is believed to have contributed to the decline in attacks in 2022. The Conti operation, for example, ceased its activities after declaring support for Russia. Chainalysis suggests that the conflict may have disrupted ransomware operators' ability to carry out attacks or altered their motivations for such activities, given the ties of many ransomware actors to Russia.

It is crucial for organizations to remain vigilant and employ robust security measures to mitigate the risks associated with ransomware attacks in this evolving threat landscape.
