Stop us if you’ve heard this one before, but ransomware is undergoing another one of its periodic surges.
Granted, cybercrime always seems to be on the up—does the media ever report drops in cybercrime?—but this time there’s some hard evidence to back it up.
That ransomware activity rose in 2023 was no surprise, given that the war in Ukraine caused a temporary drop in activity during 2022. Even so, when assessing activity on leak sites, Palo Alto’s Unit 42 researchers found significant rises in activity across the year.
Another source is Chainalysis, which rates 2023 as ransomware’s “comeback” year. The company estimates that ransoms paid exceeded $1 billion for the first time, a figure it calculates by tracking cryptocurrency payments into and out of the digital wallets used by criminals.
It’s a technique that yields other insights not available by simply polling customers (as most security vendors do) or from official government figures (which only record reported incidents in countries such as the United States). For instance, Chainalysis notes that:
“… threat actors may take weeks, months, or even years to launder their proceeds from ransomware, and so some of the laundering observed in 2023 is from attacks that occurred well into the past.”
Which goes to show that ransomware is a more time-consuming crime than it might appear from the victim’s point of view. Ransomware groups are also going to greater lengths to hide transactions, aware that the techniques used by Chainalysis and others can monitor where payments are going.
That includes obscuring transactions by moving money between different blockchains, and using gambling services and exchanges that don’t ask questions about their customers.
“We assess that this is a result of takedowns disrupting preferred laundering methods for ransomware, some [legitimate] services’ implementation of more robust AML/KYC policies, and also as an indication of new ransomware actors’ unique laundering preferences.”
The last year also saw even more affiliates piling into ransomware, spurred on by the ease of launching attacks in the age of Ransomware as a Service. Meanwhile, ransomware creators have adopted the idea of rebranding, in which they start using different malware strains to confuse detection or re-victimize an old target in a new guise. This is why the number of affiliates conducting attacks appears to grow even as the core group of ransomware makers remains stable.
Ransom Payment Decline
And yet, it’s not one-way traffic. There is also evidence that ransomware is having to work harder to make victims pay the ransoms demanded.
According to Coveware’s Incident Response Team, the number of victims paying up dropped to a record low (in its figures at least) of 29% in Q4 2023. For comparison, the figure for Q4 2022 was 37%.
On a longer timescale, when the survey began in Q1 2019 the number of victims paying was a remarkable 85%.
The reasons for this growing reluctance? It’s possible that exhortations by governments to convince victims not to pay are finally making some headway. Alternatively—and far more likely—defenders have simply realized that in an age of data trading, paying guarantees little, and have resolved to put ransom pots into recovery instead. That won’t stop ransomware; indeed, it might simply encourage attackers to resort to even more desperate methods of persuasion. The most difficult period for ransomware attacks is probably still ahead of us.