April 11, 2024 By Jonathan Reed 3 min read

Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.

In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.

Still, it’s not all roses for ransomware gangs. Many top-tier groups are struggling to adapt to talent scarcity, Russia-Ukraine war fatigue and repeated disruptions by law enforcement. Let’s take a look at the state of ransomware security today.

New record for ransomware payouts

In 2023, ransomware actors staged a major comeback. This included record-breaking payments and a substantial increase in the scope and complexity of attacks, according to a recent Chainalysis report.

In 2022, a major drop in attacks led to a $416 million decline in ransoms paid (a total of $567 million) compared to 2021. But in 2023, ransomware attacks surged to establish a new record in ransoms paid at $1.1 billion.

As per Chainalysis, reasons for the 2022 decline include the Ukraine War, as some cyber actors diverted their actions toward political motives rather than financial ones. Another factor includes an increasing trend of victims’ reluctance to pay ransoms. Finally, the takedown of ransomware groups, such as the massive Hive variant, also put a damper on malicious activity in 2022.

Meanwhile, factors that contribute to the growing total ransomware payments seen in 2023 include:

  • Huge growth in the number of threat actors carrying out attacks, with at least 538 new ransomware variants detected in 2023
  • Big game hunting leads to a larger share of ransomware payments made up of $1 million or more
  • Ransomware-as-a-Service (RaaS) makes easy-to-use, malicious tools widely available.
Read the Threat Intelligence Index report

Struggling ransomware groups

Although the dollar totals are rising, some ransomware groups have actually been struggling lately. According to Marley Smith, Principal Threat Researcher at RedSense, many RaaS groups must recruit highly skilled (and scarce) contractors to access the penetration testing talent required to carry out attacks against large targets. “Things are just getting increasingly complex and almost desperate in terms of the ability to continue operations,” Smith said.

Meanwhile, Yelisey Bohuslavskiy, Co-Founder and Chief Research Officer at RedSense, says that many ransomware practitioners live “really traumatized” lives due to the Russia-Ukraine war. “The top-tier ransomware groups consist of Russians, Belarusians and Ukrainians, and half of them are now in this very strange situation when they still know each other and chat constantly. But their countries are at war, and they need to figure out how to work together while being at war.”

Don’t pay ransomware

Winning the war against ransomware requires the right technology as well as a collaborative effort between law enforcement, product makers and organizations. If companies don’t do their part, such as being alert for social engineering attacks and phishing attempts, it’s impossible to stop ransomware. But things are changing. Enterprises are no longer getting completely devastated by data encryption attacks. And it’s not uncommon for victims to recover their ransomware payments.

In 2021, the U.S. Treasury established reporting requirements that victims of ransomware should follow. As per Coveware, after these guidelines were released, completing due diligence before any payment has become a normal best practice within the incident response industry. Reporting was also not a regular best practice until after the release of the guidelines. The U.S. Treasury guidelines sparked an increase in reporting to law enforcement. They also created a diligence framework and standard for how victims could avoid paying a sanctioned actor.

Many entities, including IBM, strongly advise against paying ransomware. Instead, follow best practices, check out IBM’s Definitive Guide to Ransomware and keep your shields up.

More from Risk Management

Why do software vendors have such deep access into customer systems?

4 min read - To the naked eye, organizations are independent entities trying to make their individual mark on the world. But that was never the reality. Companies rely on other businesses to stay up and running. A grocery store needs its food suppliers; a tech company relies on the business making semiconductors and hardware. No one can go it alone.Today, the software supply chain interconnects companies across a wide range of industries. Software applications and operating systems depend on segments of the software…

How CTEM is providing better cybersecurity resilience for organizations

4 min read - Organizations today continuously face a number of fast-moving cyber threats that regularly challenge the effectiveness of their cybersecurity defenses. However, to keep pace, businesses need a proactive and adaptive approach to their security planning and execution.Cyber threat exposure management (CTEM) is an effective way to achieve this goal. It provides organizations with a reliable framework for identifying, assessing and mitigating new cyber risks as they materialize.The importance of developing cybersecurity resilienceRegardless of the industry, all organizations are subject to certain…

Is the water safe? The state of critical infrastructure cybersecurity

4 min read - On September 25, CISA issued a stark reminder that critical infrastructure remains a primary target for cyberattacks. Vulnerable systems in industrial sectors, including water utilities, continue to be exploited due to poor cyber hygiene practices. Using unsophisticated methods like brute-force attacks and leveraging default passwords, threat actors have repeatedly managed to compromise operational technology (OT) and industrial control systems (ICS).Attacks on the industrial sector have been particularly costly. The 2024 IBM Cost of a Data Breach report found the average total…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today