“I really think the tide of the Russia-Ukraine conflict has impacted these numbers,” Chainalysis’ Koven says. “Whether that’s actors have settled into safe locations, whether their year of military service has finished, or whether perhaps there’s a mandate to release the hounds.”
Chainalysis specializes in cryptocurrency surveillance and tracking, so researchers at the company are well positioned to capture the scope and scale of ransomware payments. The company says it takes a conservative approach and is rigorous about continuing to retroactively update its annual totals and other figures as new data comes to light about historic transactions. In general, though, many researchers emphasize that true totals for ransomware attacks or payments are virtually impossible to calculate given available information, and that numbers like those from Chainalysis or government tracking can be used only as broad characterizations of trends.
“We still have such poor insights on the actual number of attacks,” says Pia Huesch, a research analyst at the British defense and security think tank Royal United Services Institute. She adds that companies are still reluctant to talk about attacks, fearing reputational harm.
In May, officials at the UK’s National Cybersecurity Center and data regulator the Information Commissioner’s Office said they were increasingly concerned about companies not reporting ransomware attacks and “the ransoms paid to make them go away.” They warned that if incidents are “covered up,” the number of attacks will only increase.
“Individuals who engage in cybercrime, to them the benefits still massively outweigh the risks of perhaps being prosecuted,” Huesch says.
Regardless of their ability to independently validate ransomware revenue totals like those put forward by Chainalysis, researchers agree that ransomware represents a dire threat in 2023 and that the most prolific groups, most of whom are based in Russia, are evolving to counter defenses and meet the current moment.
“The ransomware groups who are still around are really good at what they do, and it is hard for organizations to secure against all possible points of entry,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “And what’s worse, the groups seem to be mastering new techniques.”
One such tactic that researchers and governments have their eye on is mass exploitation campaigns in which a ransomware group finds a vulnerability in a widely used product that they can exploit to launch extortion campaigns against many organizations at once. The Russia-based gang Clop, in particular, has refined this technique.
All of this bodes poorly for anyone who hoped after last year that the tide was turning against ransomware actors.