2023: A Record-Breaking Year for Ransomware as Attacks Surge Past $1 Billion in Extorted Payments
2023 marked a dramatic resurgence in ransomware activity, with cybercriminals extorting over $1 billion in cryptocurrency payments, the highest annual total on record. The year saw a sharp reversal from 2022’s temporary decline, driven by high-profile attacks on critical infrastructure, supply chain vulnerabilities, and the proliferation of Ransomware-as-a-Service (RaaS) models.
Key Trends and Major Incidents
- Supply Chain Attacks Dominate: The MOVEit file transfer software breach, exploited by the Cl0p ransomware group, became one of the most damaging incidents of 2023. The zero-day vulnerability allowed attackers to compromise hundreds of organizations, including British Airways, the BBC, and U.S. government agencies, exposing millions of records. Cl0p’s shift to data exfiltration over encryption proved highly effective, generating over $100 million in ransom payments and accounting for nearly 45% of all ransomware revenue in June and July.
- Big Game Hunting Persists: Groups like ALPHV-BlackCat and Cl0p targeted large, deep-pocketed victims, demanding multimillion-dollar ransoms. While MGM Resorts refused to pay after an ALPHV-BlackCat attack, the incident still cost the company over $100 million in damages.
- RaaS Lowers the Barrier to Entry: The Phobos and ALPHV-BlackCat strains exemplified the RaaS model, enabling less skilled attackers to launch ransomware campaigns in exchange for a cut of profits. This model fueled a 538% increase in new ransomware variants in 2023, according to Recorded Future.
- Rebranding and Affiliate Fluidity: Ransomware groups frequently rebranded or shifted between strains to evade law enforcement and sanctions. Blockchain analysis revealed connections between Trickbot, Royal ransomware, and the 3AM strain, demonstrating how a small number of actors drive much of the ecosystem’s activity.
Law Enforcement Strikes Back
Despite the surge in attacks, 2023 also saw significant law enforcement victories:
- FBI’s Hive Takedown: In a six-month infiltration, the FBI disrupted the Hive ransomware group, providing decryption keys to 1,300 victims and preventing an estimated $130 million in ransom payments. Statistical models suggest the operation may have averted over $210 million in total payments by disrupting Hive’s broader operations.
- International Collaboration: The BlackCat (ALPHV) disruption and other joint operations highlighted increased coordination between global agencies, cybersecurity firms, and blockchain analysts to track and dismantle ransomware networks.
Financial Flows and Money Laundering
Ransomware proceeds were laundered through a mix of centralized exchanges, mixers, and emerging services like cross-chain bridges, instant exchangers, and gambling platforms. While exchanges remained the most common off-ramping method, sanctioned entities and high-concentration services (e.g., specific mixers) created vulnerabilities for law enforcement to exploit.
The Broader Impact
The $1 billion figure reflects only direct ransom payments, not the full economic toll, which includes productivity losses, recovery costs, and reputational damage. The MGM Resorts attack alone demonstrated how even non-payment incidents can inflict nine-figure financial harm.
2023 underscored the adaptability of ransomware actors, who continue to refine tactics, exploit zero-day vulnerabilities, and leverage RaaS to maximize profits. While law enforcement made strides in disruption, the escalating scale and sophistication of attacks signal an enduring and evolving threat.
Source: https://www.chainalysis.com/blog/ransomware-2024/
MOVEit Software cybersecurity rating report: https://www.rankiteo.com/company/moveit-software
British Airways cybersecurity rating report: https://www.rankiteo.com/company/british-airways
MGM cybersecurity rating report: https://www.rankiteo.com/company/mgm
{
"id": "MOVBRIMGM1770602315",
"linkid": "moveit-software, british-airways, mgm",
"type": "Vulnerability",
"date": "2/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'Millions',
'industry': 'Aviation',
'name': 'British Airways',
'type': 'Corporation'},
{'customers_affected': 'Millions',
'industry': 'Broadcasting',
'name': 'BBC',
'type': 'Media Organization'},
{'industry': 'Public Sector',
'location': 'United States',
'name': 'U.S. government agencies',
'type': 'Government'},
{'industry': 'Hospitality',
'name': 'MGM Resorts',
'type': 'Corporation'}],
'attack_vector': ['Zero-day vulnerability',
'Supply chain attack',
'Ransomware-as-a-Service (RaaS)'],
'data_breach': {'data_encryption': 'Yes (in some cases, e.g., ALPHV-BlackCat)',
'data_exfiltration': 'Yes (Cl0p shifted to data exfiltration over encryption)',
'number_of_records_exposed': 'Millions',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally identifiable information',
'Sensitive corporate data']},
'date_publicly_disclosed': '2023',
'description': "2023 marked a dramatic resurgence in ransomware activity, with cybercriminals extorting over $1 billion in cryptocurrency payments—the highest annual total on record. The year saw high-profile attacks on critical infrastructure, supply chain vulnerabilities, and the proliferation of Ransomware-as-a-Service (RaaS) models. Key incidents included the MOVEit breach by Cl0p, attacks by ALPHV-BlackCat, and the FBI's disruption of Hive ransomware.",
'impact': {'brand_reputation_impact': 'High (e.g., British Airways, BBC, U.S. government agencies)',
'data_compromised': 'Millions of records',
'financial_loss': '> $1 billion (ransom payments alone)',
'operational_impact': 'Significant (e.g., MGM Resorts incurred over $100 million in damages)'},
'investigation_status': 'Ongoing (some groups disrupted, others active)',
'lessons_learned': 'Ransomware actors are highly adaptable, exploiting zero-day vulnerabilities, supply chain attacks, and RaaS models to maximize profits. Law enforcement disruptions can significantly reduce ransom payments, but the threat remains persistent and evolving.',
'motivation': ['Financial gain', 'Data exfiltration'],
'post_incident_analysis': {'corrective_actions': ['FBI disruption of Hive (prevented $130M+ in ransoms)',
'International law enforcement collaboration (e.g., ALPHV-BlackCat takedown)'],
'root_causes': ['Zero-day vulnerabilities (e.g., MOVEit)',
'Supply chain weaknesses',
'RaaS model enabling low-skilled attackers',
'Lack of robust data exfiltration detection']},
'ransomware': {'data_encryption': 'Yes (in some cases)',
'data_exfiltration': 'Yes (primary tactic for Cl0p)',
'ransom_demanded': 'Multimillion-dollar ransoms (e.g., Cl0p generated over $100 million)',
'ransom_paid': '> $1 billion (total for 2023)',
'ransomware_strain': ['Cl0p',
'ALPHV-BlackCat',
'Hive',
'Phobos',
'Royal',
'3AM']},
'recommendations': ['Enhance supply chain security',
'Improve zero-day vulnerability patching',
'Strengthen law enforcement collaboration',
'Monitor RaaS proliferation',
'Implement robust data exfiltration detection'],
'references': [{'source': 'Recorded Future'}, {'source': 'FBI'}],
'response': {'law_enforcement_notified': 'Yes (FBI, international agencies)'},
'threat_actor': ['Cl0p',
'ALPHV-BlackCat',
'Hive',
'Phobos',
'Trickbot',
'Royal ransomware',
'3AM'],
'title': '2023: A Record-Breaking Year for Ransomware as Attacks Surge Past $1 Billion in Extorted Payments',
'type': 'Ransomware',
'vulnerability_exploited': 'MOVEit file transfer software zero-day vulnerability'}