Report surfaces ransomware payment decline

A report published by Chainalysis, a provider of a platform for analyzing blockchain transactions used by various cryptocurrencies, finds that while there was a surge of ransomware attacks in 2023, the number of attacks that led to payments has decreased 46% year-over-year.

The reason fewer payments were made in 2023 includes everything from less willingness to give in to blackmail and increased cyber resiliency enabled by improved data protection to the taking down of some of the major platforms relied on to launch these attacks.

For example, the U.S. Department of Justice (DOJ) last year took down a Qakbot botnet that cybercriminal syndicates such as Conti, Black Basta, and Revil had been using to launch ransomware attacks. That effort also led to the recovery of millions of dollars in cryptocurrency that had been extorted from various organizations.

At the end of 2023, the DOJ also announced the disruption of BlackCat, a cybercriminal syndicate tied to more than 30% of all ransomware payments. The DOJ was able to pass along 300 decryptor keys to victims, which led to the recovery of approximately $68 million in payments.

However, BlackCat was able to reconstitute and in March of this was tied to a $22 million ransom payment made by UnitedHealth’s Change Healthcare unit. After the alleged payment, BlackCat displayed a law enforcement seizure notice on their darknet site to suggest that their operations had been forcibly terminated. This was debunked as a ruse to enable some members to pocket the multimillion-dollar payment without giving their affiliates their due share.

Meanwhile, the National Crime Agency (NCA) in collaboration with multinational law enforcement agencies, seized control of LockBit sites on the dark web along with their hacking infrastructure. The operation also resulted in the confiscation of their source code and cryptocurrency accounts. Additionally, NCA also recovered over 1000 decryptor keys to help victims recover encrypted data.

According to the FBI, LockBit was linked to over 2,000 attacks, and received at least $120 million in ransom payments from January 2020 to May 2023, roughly 15% of all ransomware payments. With the help of Chainalysis, the NCA has identified and analyzed hundreds of active wallets and identified 2,200 Bitcoin — worth nearly $110 million — in unspent LockBit ransomware proceeds still yet to be laundered.

The perpetrators of the LockBit attack, however, also said they are planning a comeback, so no one in cybersecurity should be resting easy. Ransomware tactics and techniques will undoubtedly continue to evolve, especially as cybercriminals become more adept at using artificial intelligence (AI) to craft phishing attacks that will be more difficult to detect than ever. The only way to thwart those attacks wis to ensure a level of cyber resiliency that is continuously maintained. Of course, at the core of any cyber resiliency strategy is backup and recovery software that should enable organizations to recover pristine copies of data in a few hours at most.

Ransomware, in one form or another, will always be with us. The challenge and the opportunity now is to contain it to the point where it is not nearly a profitable pursuit as it has been this far to date.