April 11, 2024 By Jonathan Reed 3 min read

Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.

In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.

Still, it’s not all roses for ransomware gangs. Many top-tier groups are struggling to adapt to talent scarcity, Russia-Ukraine war fatigue and repeated disruptions by law enforcement. Let’s take a look at the state of ransomware security today.

New record for ransomware payouts

In 2023, ransomware actors staged a major comeback. This included record-breaking payments and a substantial increase in the scope and complexity of attacks, according to a recent Chainalysis report.

In 2022, a major drop in attacks led to a $416 million decline in ransoms paid (a total of $567 million) compared to 2021. But in 2023, ransomware attacks surged to establish a new record in ransoms paid at $1.1 billion.

As per Chainalysis, reasons for the 2022 decline include the Ukraine War, as some cyber actors diverted their actions toward political motives rather than financial ones. Another factor includes an increasing trend of victims’ reluctance to pay ransoms. Finally, the takedown of ransomware groups, such as the massive Hive variant, also put a damper on malicious activity in 2022.

Meanwhile, factors that contribute to the growing total ransomware payments seen in 2023 include:

  • Huge growth in the number of threat actors carrying out attacks, with at least 538 new ransomware variants detected in 2023
  • Big game hunting leads to a larger share of ransomware payments made up of $1 million or more
  • Ransomware-as-a-Service (RaaS) makes easy-to-use, malicious tools widely available.
Read the Threat Intelligence Index report

Struggling ransomware groups

Although the dollar totals are rising, some ransomware groups have actually been struggling lately. According to Marley Smith, Principal Threat Researcher at RedSense, many RaaS groups must recruit highly skilled (and scarce) contractors to access the penetration testing talent required to carry out attacks against large targets. “Things are just getting increasingly complex and almost desperate in terms of the ability to continue operations,” Smith said.

Meanwhile, Yelisey Bohuslavskiy, Co-Founder and Chief Research Officer at RedSense, says that many ransomware practitioners live “really traumatized” lives due to the Russia-Ukraine war. “The top-tier ransomware groups consist of Russians, Belarusians and Ukrainians, and half of them are now in this very strange situation when they still know each other and chat constantly. But their countries are at war, and they need to figure out how to work together while being at war.”

Don’t pay ransomware

Winning the war against ransomware requires the right technology as well as a collaborative effort between law enforcement, product makers and organizations. If companies don’t do their part, such as being alert for social engineering attacks and phishing attempts, it’s impossible to stop ransomware. But things are changing. Enterprises are no longer getting completely devastated by data encryption attacks. And it’s not uncommon for victims to recover their ransomware payments.

In 2021, the U.S. Treasury established reporting requirements that victims of ransomware should follow. As per Coveware, after these guidelines were released, completing due diligence before any payment has become a normal best practice within the incident response industry. Reporting was also not a regular best practice until after the release of the guidelines. The U.S. Treasury guidelines sparked an increase in reporting to law enforcement. They also created a diligence framework and standard for how victims could avoid paying a sanctioned actor.

Many entities, including IBM, strongly advise against paying ransomware. Instead, follow best practices, check out IBM’s Definitive Guide to Ransomware and keep your shields up.

More from Risk Management

Working in the security clearance world: How security clearances impact jobs

2 min read - We recently published an article about the importance of security clearances for roles across various sectors, particularly those associated with national security and defense.But obtaining a clearance is only part of the journey. Maintaining and potentially expanding your clearance over time requires continued diligence and adherence to stringent guidelines.This brief explainer discusses the duration of security clearances, the recurring processes involved in maintaining them and possibilities for expansion, as well as the economic benefits of these credentialed positions.Duration of security…

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today