Ransomware operators have increased attacks on large companies in a push for greater profit, bucking the more recent trend of focusing on smaller businesses.
Payouts under $1,000 have remained high in the financial year to date, many of which result from attacks on small businesses that lack the backups to restore encrypted data or have poorer defenses.
But in H1 2023 the percentage of ransomware payments exceeding $100,000 has risen, prompting researchers to question if attackers have adapted to corporate negotiation strategies.
Chainalysis published the findings in its latest Crypto Crime report, in which ransomware was highlighted as an outlier in an otherwise worsening landscape for cyber criminals.
By June, ransomware operators had extorted $175.8 million more in 2023 than in the first six months of 2022, following the rise in the number of large ransom payments.
“These notable shifts in figures directly align with the growing number of extremely high initial demands, ranging in the tens and hundreds of millions of USD,” said Andrew J. Davis, general counsel and risk officer at cyber security firm Kivu.
The authors directly correlated the decline in average payout size in 2022 to an improvement in corporate defense strategies and more aggressive law enforcement.
Automating digital resiliency in banking
Read this IDC report and learn how to become operationally resilient through DX.
A growing number of large corporate victims have been able to refuse to pay ransoms due to their cyber standing, such as Royal Mail’s rejection of LockBit’s demands in February 2023.
Davis suggested that the ‘don’t pay’ strategy could have driven ransomware operators to increase their initial demands, in a gamble to make up for losses through the smaller amount of companies willing to give in.
Strains like ALPHV, which was notably used in the recent attack on Western Digital, have been associated with millions of dollars in average payouts.
The Cl0p operation was also named as one of the leading groups benefiting from from cyber crime this year after adopting a pure extortion approach rather than using a traditional ransomware payload.
Its supply chain attacks on GoAnywhere MFT and MOVEit File Transfer have been among the most impactful in 2023.
Less sophisticated strains like Dharma and Phobos are linked with ‘spray and pray’ attacks on small targets, which require minimal effort from threat actors but also result in payouts averaging only a few hundred dollars.
Projections showed that ransomware operators could make as much as $898.6 million in 2023, an annual total second only to the $939.9 million attackers extorted in 2021.
Researchers noted that Russia’s invasion of Ukraine had diverted the resources of ransomware groups to state-sponsored activities rather than profitable pursuits.
Some groups may now have rowed back these commitments, leading to a resurgence in profit-motivated attacks.
Global ransomware activity was up 47% year on year in Q1 2023, though cyber insurance premiums have remained stable or fallen.
40% of companies surveyed by the Howden Group reported ransom payments of $1 million, up from 11% in 2022, as criminals have pivoted to a stronger financial focus rather than on breaking down defenses.
