Ransomware gangs raked in more than $1 billion in ransom payments last year as they exploited security flaws – particularly the vulnerability in the MOVEit file transfer software – and grew their focus on hospitals, schools, and other critical infrastructure.

“2023 marks a major comeback for ransomware, with record-breaking payments and a substantial increase in the scope and complexity of attacks — a significant reversal from the decline observed in 2022,” researchers with Chainalysis wrote in a report this week. “Although 2022 saw a decline in ransomware payment volume, the overall trend line from 2019 to 2023 indicates that ransomware is an escalating problem.”

The report from the blockchain analysis firm echoes themes of the growing number and sophistication of ransomware attacks other cybersecurity vendors saw in 2023. Unit 42, Palo Alto Networks’ threat intelligence arm, said in a report this week that the number of victims reported on ransomware leak site in 2023 jumped 49% year-over-year and that at least two dozen new groups emerged, driven by the amount of money to be had.

“What drove this surge of activity? 2023 saw high-profile vulnerabilities like SQL injection for MOVEit and GoAnywhere MFT services,” wrote Doel Santos, principal threat researcher at Unit 42. “Zero-day exploits for these vulnerabilities drove spikes in ransomware infections by groups like CL0P, LockBit and ALPHV (BlackCat) before defenders could update the vulnerable software.”

2022 was an Anomaly

Chainalysis researchers said the decline seen in 2022 was more an anomaly than a trend, noting such factors as Russia’s unprovoked invasion of Ukraine, the Conti group’s fall, a reluctance by some victims to paying the ransom due to the threat of government sanctions, and the FBI’s takedown of the Hive group’s infrastructure – an operation that began in mid-2022 – as key factors in the slowdown of ransomware incidents that year.

They said the shutdown of Hive’s operations likely averted more than $210 million in ransomware payments in 2022.

However, ransomware incidents and payments snapped back in a severe way in 2023. Chainalysis pointed to comments by Allan Liska, threat intelligence analyst at cybersecurity firm Recorded Future, who talked about the “astronomical growth in the number of threat actors carrying out ransomware attacks.” Recorded Future saw 538 new ransomware variants in 2023, an indication of – as Unit 42 reported – the rise of new and independent groups.

Cl0p and MOVEit

The big names were still out there, with the Cl0p group exploiting a zero-day flaw in Progressive Software’s MOVEit tool to run myriad software supply-chain attacks. As of this week, security firm Emsisoft said that 2,752 organizations and more than 94.3 million people were affected by MOVEit-related attacks.

The MOVEit campaign generated more than $100 million in ransomware for Cl0p and accounted for 44.8% of all ransomware value received in June 2023, and 39% the next year.

The Chainalysis researchers also noted such trends as the continuing rise of initial access brokers (IABs) – that find ways into targets’ IT environments and then sell that access to other threat groups – and the growth in ransomware-as-a-service (RaaS) as helping to fuel the skyrocketing ransomware numbers.

“We found a correlation between inflows to IAB wallets and an upsurge in ransomware payments, suggesting monitoring IABs could provide early warning signs and allow for potential intervention and mitigation of attacks,” they wrote, adding that Andrew Davis, general counsel at Kivu Consulting, said that the combination of IABs and RaaS is allowing bad actors with fewer technical skills to carry out ransomware attacks.

“The increase in attack volume can be attributed to the affiliate model’s ease of access and the adoption of ransomware-as-a-service, a disturbingly effective business model for cybercriminals,” Davis told them. 

More Ransomware Groups on the Scene

That could help explain the emergence of so many new and smaller ransomware groups that both Chainalysis and Unit 42 saw in 2023. But not all stayed around, according to Unit 42’s Santos.

“Despite the appearance of new groups such as Darkrace, CryptNet and U-Bomb, many of these new ransomware threat actors did not last and disappeared during the second half of the year,” he wrote.

Santos added that new ransomware groups face challenges that aren’t seen with other malware, “such as communicating with victims and increased operational security. The public nature of ransomware operations increases their risk of detection by law enforcement agencies, security vendors and other defenders. Ransomware groups must also consider their competition. Profit sharing, software capabilities and affiliate support can significantly impact a new group’s standing in the highly competitive criminal market for ransomware.”

Still, 25 new leak sites popped up in 2023, accounting for about 25% of the total ransomware posts that year. Akira – considered among the fastest growing ransomware groups and which some analysts say has ties to the notorious Conti gang – had the most leak-site posts among the new groups, followed closely by 8Base.

However, among those new leak sites, at least five had no new posts in the second half of the year, and indication that they may have shut down and an illustration of how competitive the ransomware market is.

Goodbye to Hive, Ragnar Locker

Unit 42 also noted some established groups that fell by the wayside in 2023, including Hive and Ragnar Locker, which both were targeted by law enforcement operations. Another, Ransomed.Vc, shut itself down in November, though Santos wrote that even that likely was due to law enforcement intervention.

He also pointed to BlackCat – also known as ALPHV – whose operations were disrupted in December by the FBI, which also released a decryption tool that some victims could use to get their money back. The group is still around, but for how long is a question.

“This was a huge setback for ALPHV, and it offered incentives to keep its criminal affiliates from being spooked by the FBI,” Santos wrote. “Meanwhile, other ransomware groups like LockBit began poaching ALPHV affiliates. The ALPHV group has since responded to the FBI disruption and fought back against law enforcement action. But if this group cannot fix its reputation, it could shut down and rebrand as a new ransomware gang.”