‘Big game ransomware’ tactics return as attackers eye lucrative payouts

Ransomware: A 2D mockup image of a business paying a cyber criminal for a ransom
(Image credit: Shutterstock)

Ransomware operators have increased attacks on large companies in a push for greater profit, bucking the more recent trend of focusing on smaller businesses.

Payouts under $1,000 have remained high in the financial year to date, many of which result from attacks on small businesses that lack the backups to restore encrypted data or have poorer defenses.

But in H1 2023 the percentage of ransomware payments exceeding $100,000 has risen, prompting researchers to question if attackers have adapted to corporate negotiation strategies.

Chainalysis published the findings in its latest Crypto Crime report, in which ransomware was highlighted as an outlier in an otherwise worsening landscape for cyber criminals.

By June, ransomware operators had extorted $175.8 million more in 2023 than in the first six months of 2022, following the rise in the number of large ransom payments.

“These notable shifts in figures directly align with the growing number of extremely high initial demands, ranging in the tens and hundreds of millions of USD,” said Andrew J. Davis, general counsel and risk officer at cyber security firm Kivu.

The authors directly correlated the decline in average payout size in 2022 to an improvement in corporate defense strategies and more aggressive law enforcement


A whitepaper from ServiceNow covering why organizations should prioritize solutions to workflows that lack the digital resilience to withstand disruption

(Image credit: ServiceNow)

Automating digital resiliency in banking

Read this IDC report and learn how to become operationally resilient through DX.


A growing number of large corporate victims have been able to refuse to pay ransoms due to their cyber standing, such as Royal Mail’s rejection of LockBit’s demands in February 2023.

Davis suggested that the ‘don’t pay’ strategy could have driven ransomware operators to increase their initial demands, in a gamble to make up for losses through the smaller amount of companies willing to give in.

Strains like ALPHV, which was notably used in the recent attack on Western Digital, have been associated with millions of dollars in average payouts.

The Cl0p operation was also named as one of the leading groups benefiting from from cyber crime this year after adopting a pure extortion approach rather than using a traditional ransomware payload.

Its supply chain attacks on GoAnywhere MFT and MOVEit File Transfer have been among the most impactful in 2023.

Less sophisticated strains like Dharma and Phobos are linked with ‘spray and pray’ attacks on small targets, which require minimal effort from threat actors but also result in payouts averaging only a few hundred dollars.

Projections showed that ransomware operators could make as much as $898.6 million in 2023, an annual total second only to the $939.9 million attackers extorted in 2021.

Researchers noted that Russia’s invasion of Ukraine had diverted the resources of ransomware groups to state-sponsored activities rather than profitable pursuits. 

Some groups may now have rowed back these commitments, leading to a resurgence in profit-motivated attacks.

Global ransomware activity was up 47% year on year in Q1 2023, though cyber insurance premiums have remained stable or fallen.

40% of companies surveyed by the Howden Group reported ransom payments of $1 million, up from 11% in 2022, as criminals have pivoted to a stronger financial focus rather than on breaking down defenses.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.