Data from the first half of the year indicates that ransomware activity is on track to break previous records, seeing a rise in the number of payments, both big and small.
According to a report by blockchain analysis firm Chainalysis, ransomware is the only cryptocurrency crime category seeing a rise
this year, with all others, including hacks, scams, malware, abuse material sales, fraud shops, and darknet market revenue, recording a steep decline.
“Ransomware is the one form of cryptocurrency-based crime on the rise so far in 2023,” reads the Chainalysis report.
“In fact, ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June.”
As shown in the graph by Chainalysis, the cumulative yearly ransomware revenue for 2023 has reached 90% of the 2022 total figure in the first half of the year.
If the revenue growth pace is maintained at that level, ransomware actors will make just short of $900 million from victims in 2023, just below 2021’s record figure of $940 million.
The analysts believe that the so-called “big game hunting” is the driving force behind this steep revenue rise, as cybercriminals have returned to targeting large.
This is reflected on the ransom payments distribution graph, which for H1 2023 shows an unprecedented increase on the right side, corresponding to large payments.
BlackBasta, LockBit, ALPHV/Blackcat, and Clop are leading the pack as the primary recipients of high-range payments, with Clop having an average payment size of $1.7 million and a median payment figure of $1.9 million.
Clop is responsible for two massive attack waves exploiting two zero-day vulnerabilities in file-transfer tools: Fortra’s GoAnywhere in the first quarter of the year and Progress’s MOVEit Transfer in the second.
In fact, Clop’s GoAnywhere campaign, which involved 129 attacks, made March 2023 a record-breaking month, as reported by the NCC Group at the time.
The MOVEit attack wave is already larger, counting 296 victims so far, with more disclosed on Clop’s extortion site every week.
The growth trend for H1 2023 is also observed on the other end of the spectrum, with small ransomware payments made to opportunistic “spray and pray”
ransomware-as-a-service (RaaS) operations such as Dharma, Phobos, and STOP/DJVU, who blackmail victims for a few hundred USD.
Experts in the field hypothesize that with the yearly decrease in organizations willing to pay a ransom, threat actors could strategically elevate their ransom demands, aiming to compensate for their losses through substantial payments from the few that give in to demands.