Amid a concerted effort by global law enforcement to crack down on ransomware attacks, payments to hackers and even the volume of attacks fell in 2022. But the trend doesn’t seem to be holding for 2023, and attacks have shot up again.
Data from cryptocurrency tracing firm Chainalysis indicates that victims have paid ransomware groups $449.1 million in the first six months of this year. For all of 2022, that number didn’t even reach $500 million. If this year’s pace of payments continues, according to the company’s data, the total figure for 2023 could hit $898.6 million. This would make 2023 the second-biggest year for ransomware revenue after 2021, in which Chainalysis calculates that attackers extorted $939.9 million from victims.
The findings track with general observations from other researchers that the volume of attacks has spiked this year. And they come as ransomware groups have become more aggressive and reckless about publishing sensitive and potentially damaging stolen information. In a recent attack against the University of Manchester, hackers directly emailed the UK university’s students telling them that seven terabytes of data had been stolen and threatening to publish “personal information and research” if the university didn’t pay up.
“We think as a result of their budgetary shortfalls in 2022 we’ve seen these more extreme extortion techniques, ways to kind of twist the knife,” says Jackie Burns Koven, head of cyber threat intelligence at Chainalysis. “In 2022 we were very surprised to find that decline. Then we talked to external partners—incident response firms, insurance companies—and they all said, yeah, we’re paying less, and we’re also seeing fewer attacks.”
Chainalysis and other organizations attributed the slump in 2022 to a number of factors. Expanded security protections and preparedness played a role, as did the availability of decryption tools offered by private companies and the FBI to help ransomware victims unlock their data without paying attackers. Chainalysis also believes that Russia’s invasion of Ukraine impacted the day-to-day operations of a number of prominent ransomware groups, which are primarily based in Russia.
Improvements in how potential victims defend themselves, along with government deterrence initiatives, haven’t fallen off in 2023. But Chainalysis researchers suspect that the evolving state of Russia’s war in Ukraine explains this year’s increased ransomware activity, or is at least playing a role.
“I really think the tide of the Russia-Ukraine conflict has impacted these numbers,” Chainalysis’ Koven says. “Whether that’s actors have settled into safe locations, whether their year of military service has finished, or whether perhaps there’s a mandate to release the hounds.”
Chainalysis specializes in cryptocurrency surveillance and tracking, so researchers at the company are well positioned to capture the scope and scale of ransomware payments. The company says it takes a conservative approach and is rigorous about continuing to retroactively update its annual totals and other figures as new data comes to light about historic transactions. In general, though, many researchers emphasize that true totals for ransomware attacks or payments are virtually impossible to calculate given available information, and that numbers like those from Chainalysis or government tracking can be used only as broad characterizations of trends.