Ransom Payments Surpassed $1 Billion in 2023
A new Chainalysis report shows that ransomware victims paid $1.1 billion to attackers in 2023 to obtain the keys to unlock their data and to prevent the exposure of stolen data. 2023 was the first year in which ransom payments exceeded $1 billion, and the yearly total jumped from $567 million in 2022. These figures are conservative, since the researchers do not know all of the ransomware gangs’ cryptocurrency wallets.
Ransom payments have generally increased every year, but the 2022 total of $567 million was a drop from $983 million in 2021. The researchers think this anomaly is connected to the Russia-Ukraine war. Many hackers shifted from ransomware operations to attacks focused on espionage and destruction against Ukrainian targets. Those who still carried out ransomware attacks found it more difficult to get paid because Western victims became worried about sanctions problems, given that many ransomware gangs are located in Russia.
In 2023, ransomware attacks shifted back to targeting high-profile organizations and critical infrastructure, such as hospitals, schools, and government departments, and the attacks increased in scope and complexity. The Clop ransomware group also conducted mass extortion-only attacks on file transfer solutions like MOVEit and GoAnywhere MFT. Clop earned at least $100 million from the exploitation of the MOVEit vulnerability.
Chainalysis has observed that big game hunting has been the prominent strategy recently, yet there is significant variety across the ransomware ecosystem: ransomware-as-a-service (RaaS) operations like Phobos earned low revenue but carried out more attacks. These groups lower the barrier to entry and make it simple for relatively low-skilled hackers to begin executing attacks.
Several trends were seen in 2023, including an increase in the number of ransomware attackers. Recorded Future noted 538 new ransomware variants in 2023, which implies the emergence of many new, smaller ransomware gangs. Dwell time has shortened, with ransomware deployed sooner after initial access, and ransomware gangs are developing better and more aggressive tactics.
Some success stories in 2023 came from law enforcement action, such as the disruption of Alphv and the takedown of the Hive group. The FBI stated that the Hive operation enabled it to give decryption keys to numerous victims, saving $130 million in ransom payments, though Chainalysis says the effect was much larger, with the disruption preventing an estimated $210.4 million in payments.
154 Healthcare Organizations Saved by CISA Pre-Ransomware Alerts
In 2023, over 150 healthcare companies were helped by notifications from the Cybersecurity and Infrastructure Security Agency (CISA) about vulnerabilities and attacks, which allowed them to carry out mitigations before harm was caused. These notifications helped attack victims avoid slowdowns in patient care and saved millions of dollars in expenses.
In March 2023, CISA introduced its Pre-Ransomware Notification Initiative, which issues notifications when it detects vulnerabilities known to be actively exploited by ransomware groups, so that companies can act to stop the exploitation. After a vulnerability is exploited, the dwell time is usually a few hours to days before the ransomware is deployed. When organizations are notified about an attack early, they can stop the attack before data is stolen and files are encrypted. Since January 2023, when the pilot program was launched, CISA has delivered over 1,200 notifications to 154 healthcare companies regarding early-phase ransomware activity.
After CISA’s Joint Cyber Defense Collaborative (JCDC) receives tips from the cybersecurity research community, cyber threat intelligence firms, and infrastructure providers about potential early-stage ransomware activity, JCDC informs the affected organization and gives specific mitigation advice to enable a rapid response. In some instances, the tips became available only after files had been encrypted. In such instances, JCDC helped the companies with their remediation work. The program was able to give an early alert to a mass transport company, thereby blocking a $350 million attack.
In certain cases, JCDC was able to identify the exfiltrated information and give specific advice about the attack to aid the investigation and remediation efforts. In 2023, a Fortune 500 company experienced a $60 million ransomware attack. CISA helped the company set up a CISO position and offered assistance to help it improve its IT infrastructure and security systems to better protect against further cyberattacks.