Ransomware Again on Track to Achieve Record-Breaking Profits
Does That Mean Improved Defenses and Law Enforcement Disruptions Are Failing?

Ransomware groups' collective profits are on track to achieve another record-breaking year, even though fewer victims overall appear to be paying a ransom.
Blockchain analytics firm Chainalysis tracked a record-breaking $1.1 billion in ransomware profits for 2023, and "we're on pace for another record year," Jacqueline Burns Koven, the firm's head of cyber threat intelligence, said in a post to social platform X.
Don't let the gloomy forecast get you down. Concerted efforts to improve business resilience in the West, security firms bringing better tools to market for nuking crypto-locking malware, and repeated disruption of cybercriminal groups by law enforcement appear to be taking a demonstrable bite out of the ransomware business model.
A new study from Chainalysis says that as of June 30, compared to 12 months before, the number of ransomware payments fell by 27%. "Disruptions, defenses and decryptors work," Koven said.
According to cybercrime expert Yelisey Bohuslavskiy, "ransomware is in decline," thanks in no small part to better endpoint detection and response tools more often blocking it outright.
But when a victim pays, they're often paying a lot. Chainalysis found that the median extortion payment jumped from nearly $200,000 in early 2023 to $1.5 million in June (see: Yet More Evidence Highlights Ransomware Groups' Banner Year).
If ransomware is reaching record profit levels, how can the ecosystem be failing? In an interview with Information Security Media Group at this month's Black Hat conference in Las Vegas, Bohuslavskiy ascribed the discrepancy to "abnormal events," or statistical outliers. One such event was the Clop - aka Cl0p - group's single supply chain campaign in May 2023, which targeted a vulnerability in Progress Software's MOVEit secure file transfer, after which the group extorted hundreds of victims in exchange for a promise not to release stolen data.
Other abnormal events this year trace to some "very specific, secretive and by all means elite collectives" that have been waging expert-level big game hunting, meaning they carefully target very large victims in pursuit of extremely large ransoms, he said in a post to LinkedIn.
But most ransomware groups haven't struck gold in the form of a highly exploitable zero day, Bohuslavskiy said. "On their side, nothing has changed at all. It's still the same 2018, 2019 models," including increasingly outdated codebases. Except for the high-profile examples to the contrary, most attacks are opportunistic rather than targeted, he said.
Ransomware "is in a state of deterioration," he said. "It's just a very slow one."
This year's outlier examples include UnitedHealth Group, which earlier this year admitted it paid a $22 million ransom to BlackCat. Another outlier, first spotted by Zscaler ThreatLabz, was a $75 million ransom - the largest ever seen - paid in February to the Dark Angels ransomware group, possibly by pharmaceutical giant Cencora (see: Ever More Toxic Ransomware Brands Breed Lone Wolf Operators).
Bohuslavskiy's thesis is that if the small number of very high-earning attacks were subtracted from the profit totals, the collective annual ransomware haul for this year and last, while still sky-high, would not appear to be rising; the apparent growth comes from that small group of elite operators.
"This will be precisely what we will see through 2024 and onwards to 2025: overall deterioration of the ransomware ecosystem, but extreme events caused by specific groups compensating for this statistically," he said.
Clearly, the imperative for defenders remains to not fall victim in the first place, including to the handful of very sophisticated operators who now appear to be much more carefully picking their targets, not least in the healthcare sector.