After an encouraging decline in 2022, the ransomware landscape saw a major escalation in the frequency, scope, and volume of attacks, resulting in victims paying out over US$1.1 billion in cryptocurrencies to cyber criminals last year. The findings, which are part of Chainalysis’ upcoming 2024 Crypto Crime Report, also highlighted that ‘big game hunting’ — where malicious actors aim to collect larger payments when successful — has become a winning strategy over the last few years, with 75% of ransomware revenue made up of payments of US$1 million or more.
“While it was encouraging to see a significant decline in 2022, the 94% increase last year — which marks an all-time high for ransomware payouts — demonstrates that ransomware is a threat that is only set to worsen. Moreover, in addition to the US$1.1 billion that was made in payments, there are significant losses that businesses incur due to productivity losses and remediation costs associated with attacks. As an example, even though it didn’t pay out any ransom, MGM estimated the losses due to the attack it suffered last year to be in excess of US$100 million,” explained Jackie Koven, Chainalysis Head of Cyber Threat Intelligence.
“The importance of understanding the ransomware ecosystem, identifying potential attackers, and disassembling the mechanisms that empower them to carry out their attacks cannot be understated. Due to the globally distributed nature of these attacks, this will take a concerted effort between governments, law enforcement agencies, technology providers such as Chainalysis, and the support of victim organisations in transparently reporting and dealing with these attacks,” added Koven.
Alarmingly, through 2023, Chainalysis researchers saw numerous new entrants and offshoots of ransomware strains, attracted by the potential for high profits and lower barriers to entry. The ecosystem is widened by the growing popularity and ease of access to Ransomware as a Service (RaaS), in which outsiders known as affiliates can access malware to carry out attacks in exchange for giving a share of the profits to the strain’s core operators.
Offering insight into how ransomware groups and their affiliates operate, Koven said, “The growth of initial access brokers (IABs) has made it easier for bad actors to carry out ransomware attacks. As their name would suggest, IABs penetrate the networks of potential victims, then sell that access to ransomware attackers for as little as a few hundred dollars. IABs combined with off-the-shelf RaaS mean that much less technical skill is required to carry out a successful ransomware attack. We found a correlation between inflows to IAB wallets and an upsurge in ransomware payments, suggesting monitoring IABs could provide early warning signs and allow for potential intervention and mitigation of attacks.”
Chainalysis was also able to track the movement of ransomware funds to uncover how cybercriminals laundered their illicit earnings. In a notable change in the tactics employed by cybercriminals, centralised exchanges last year showed the lowest level of concentration of funds received from ransomware-linked wallets, while gambling services, cross-chain bridges, and sanctioned entities showed the highest levels of concentration.
“The shift away from centralised exchanges and mixers, which have traditionally been the preferred off-ramping paradigm for attackers, results from takedowns that disrupted traditional laundering methods, some services’ implementation of more robust AML/KYC policies, and an evolution of ransomware actors’ laundering preferences,” said Koven. “Following the flow of funds arms authorities with a vital piece of the puzzle that ultimately helps law enforcement agencies to crack down on this form of cybercrime.”