Criminals made off with a record $1 billion in cryptocurrency ransomware payments in 2023 as high-profile institutions and infrastructure were targeted by sophisticated attacks.
According to the latest excerpt from Chainalysis’ 2024 “Crypto Crime Report”, which focuses on ransomware, significant supply chain attacks in 2023 exploited the ubiquitous file transfer software MOVEit, affecting household names such as the BBC and British Airways.
A contributing factor to the resurgence of ransomware in 2023 was an escalation in the “frequency, scope, and volume of attacks.” Various actors carried out attacks, from individuals and small criminal groups to large syndicates.
Chainalysis cites data and insights from cybersecurity firm Recorded Future, which reported 538 new ransomware variants in 2023. The report also provides visualizations of the different ransomware strains by payment size and frequency, illustrating the variety of criminal strategies.
The report notes that ransomware groups such as CL0P pursued a “big game hunting” strategy: they carried out fewer attacks than other ransomware strains but collected larger payments from each one:
“Cl0p leveraged zero-day vulnerabilities that allowed it to extort many large, deep-pocketed victims en masse, spurring the strain’s operators to embrace a strategy of data exfiltration rather than encryption.”
Meanwhile, ransomware groups like Phobos essentially operate a ransomware-as-a-service (RaaS) model, which allows criminal affiliates to access the malware to carry out attacks. The core operators then earn a cut of the ransom proceeds.
Chainalysis describes this model as typically targeting smaller entities with lower ransoms, banking on a large quantity of smaller attacks serving as a force multiplier to extract funds.
Ransomware attackers also frequently rebrand and create overlapping strains to distance themselves from previously identified strains linked to sanctions and investigations. Chainalysis uses blockchain analysis to show on-chain links between wallets of different ransomware strains.
Zero-day vulnerabilities were also a significant contributor to high-impact ransomware incidents in 2023. These attacks typically target security gaps in a company’s service, system, product or application before developers can create and distribute a fix.
CL0P’s exploitation of the MOVEit file transfer software in 2023 was a prime example: because the product is used by various IT and cloud applications, the campaign exposed the data of hundreds of organizations and millions of users.
The campaign made CL0P the most prominent ransomware strain in the ecosystem. In June and July 2023, the strain amassed over $100 million in ransom payments, accounting for 44.8% of all ransomware value received.
2023 saw cross-chain bridges, instant exchangers, mixers and underground exchanges being used to launder a larger share of funds fleeced through ransomware attacks.
Chainalysis also touches on the evolving nature of the movement of stolen funds from ransomware attacks. Centralized exchanges and mixers have historically received the majority of ransomware funds to be laundered.