Chainalysis discovered ransomware gangs targeting hospitals, schools, and organizations like BA and the BBC
Research indicates that ransomware gangs made a “major comeback” last year, with victims of hacking attacks paying a record $1.1 billion to assailants. After a lull in 2022, cybercriminals intensified their global operations in 2023, targeting hospitals, schools, and major corporations. According to a report by cryptocurrency research firm Chainalysis, payments to criminal gangs in the aftermath of attacks doubled compared to 2022, when $567 million was paid out.
The report noted that “big game hunting” became prevalent in attacks last year, with a larger portion of ransom payments exceeding $1 million as wealthier entities were targeted.
According to Chainalysis, “2023 marks a significant resurgence for ransomware, characterized by record-breaking payments and a substantial rise in the scale and sophistication of attacks—a notable reversal from the decline seen in 2022.”
Ransomware attacks typically entail hackers infiltrating a target’s computer system and disabling it with malware, which encrypts files and renders them inaccessible. A recent trend in these attacks involves attackers extracting data from the IT system, such as employee or customer information. The gang then demands payment in cryptocurrency, typically bitcoin, to decrypt the files or delete their copy of the stolen data.
Chainalysis attributed the decline in payments in 2022 to several factors, including Russia’s invasion of Ukraine.
The majority of ransomware groups are associated with Eastern Europe, particularly former Soviet republics and Russia. Chainalysis reported that some rogue actors were either disrupted or had redirected their focus from ransomware to politically motivated cyber-espionage. Following the release of 60,000 internal messages by an anonymous leaker sympathetic to Ukraine, one major hacker group, Conti, disbanded amid internal turmoil.
The FBI also disrupted the Hive ransomware group by seizing its decryption keys, preventing victims from paying $130 million in ransom.
Chainalysis also referenced research indicating a rise in the number of attackers and ransomware variants in attacks last year.
Allan Liska, an analyst at cybersecurity firm Recorded Future, noted a significant trend: the exponential growth in the number of threat actors involved in ransomware attacks.
Recorded Future reported 538 new ransomware variants in 2023, suggesting the emergence of new, independent groups. The Clop group emerged as a significant player last year, claiming responsibility for the hack of Zellis, a payroll provider. That attack targeted a vulnerability in MOVEit, software used for file transfer within internal networks. Affected customers included British Airways, Boots, and the BBC.
The British Library is still recovering from a ransomware attack by a rebranded group, Rhysida, which targeted the institution in October. The library has refused to pay a ransom.
The proliferation of “ransomware as a service,” where malware is leased to criminals in exchange for a share of the profits, has fueled activity, along with “initial access brokers” who sell vulnerabilities in the networks of potential targets to ransomware attackers.
Ellie Ludlam, a partner specializing in cybersecurity at UK law firm Pinsent Masons, anticipates that the surge in attacks will persist.
“This surge is expected to continue in 2024, with a continued focus on mass data exfiltration by threat actor groups, which has the potential to result in higher ransom payments by affected companies,” she said.