Chainalysis Report – Ransomware Payments Reach Record High In 2023

Blockchain analysis firm Chainalysis published figures in February indicating that ransomware demands hit a record high of $1bh in 2023, after declining in the previous year. This is, they say, likely to be a conservative estimate, and they continue to retroactively revise their figures, for example up from an estimated $20.6 billion worth of illicit transaction volume to $39.6 billion as they unearth more illicit addresses (they are also factoring in creditor claims against FTX).

They report that the focus is shifting in illicit transactions such as scamming from Bitcoin to stablecoin, although ransomware demands and darknet market sales still take place mainly in Bitcoin. Chainalysis reports that 2023 saw a ‘major escalation’ of attacks by groups such as Clop, focusing their efforts on ‘big game hunting,’ attaining larger ransoms, generally $1 million plus, and using a wider range of laundering techniques, such as gambling services and instant exchangers.

Chainalysis does point out that disruption on the part of law enforcement agencies is having an effect, however. Infiltration of ransomware group the Hive (which coined over $100 million in ransom payments over the course of its operations) by the FBI in 2022 has resulted in the return of around 1,300 encryption keys to victims as well as control of the group’s servers and websites. In this example, the FBI worked with the German Federal Criminal Police and the Netherlands National High Tech Crime Unit. US Deputy Attorney General Lisa O. Monaco told the press in 2023 that:

“In a 21st century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million dollars in ransomware payments. We will continue to strike back against cybercrime using any means possible and place victims at the center of our efforts to mitigate the cyber threat.”

Chainalysis points out that the amount of money estimated to be saved by the FBI does not take into consideration the knock-on effects of the interruption of the Hive’s activities, such as disruption of attacks launched by its affiliates, and is thus likely to be even greater. Another 500 victims of BlackCat (aka ALPHV or Noberus) were offered a decryption tool by the FBI in late 2023 and enabled to restore their systems.

Hackers have had increased opportunities in the last couple of years – such as zero-day vulnerability in file transfer software products like MOVEit, or Fortra’s GoAnywhere, targeted by Clop. Victims of the latter included Saks Fifth Avenue, who told the press that it affected ‘mock customer data’ only, and Hitachi Energy, who said that no customers had been affected. But the ramifications continue: in the UK, South Staffordshire Plc, the parent company of South Staffordshire and Cambridge Water, have now been targeted in a joint legal action by over 1000 customers whose data (including bank account numbers and sort codes) was leaked onto the darkweb in an attack by Clop in 2022.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


Chainalysis reports that ransomware attacks are conducted by a range of actors, from small groups to large organisations. Cybersecurity firm Recorded Future’s Threat Intelligence Analyst Alan Liska identified 538 new ransomware variants in 2023, while cyber security specialists  i-confidential warn against RaaS models becoming a ‘force multiplier’ in targeting smaller organisations for smaller ransoms. They also point out the damaging knock-on effects of ransomware – not just the money paid out, but the losses incurred in a reduction of productivity, data and assets, as well as recovery costs and, as we have seen above, lawsuits. Cyber hygiene, says i-confidential’s head of technical delivery Brian Boyd, is crucial to defend against this rising threat.

Leave a Comment