It’s looking like 2023 is shaping up to be one of the most lucrative years on record for ransomware organizations as they focus on bigger targets amid shifting cybercrime market forces, according to cyber risk management company Resilience.
As more companies resist making extortion payments, some criminal enterprises seem to be focused on “big game hunting” to maximize their revenues — a strategy that so far appears to be paying off, Resilience said in a report published Tuesday, echoing findings released by blockchain analysis firm Chainalysis in July.
“With the increased attention towards ransomware defense and pressure from law enforcement, a lower extortion success rate has probably forced criminals to target entities that provide a larger payout,” the report said, citing recent cyberattacks against MGM Resorts and Caesars Entertainment as examples.
Ransomware purveyors — who leverage malware to hold a company’s computer systems or sensitive data hostage until a payment is made — have extorted a total of at least $449.1 million through June, according to Chainalysis.
“Should this pace continue, the total yearly figure could reach nearly $900 million,” the Resilience report said. “This projection puts 2023 on pace to become the most financially damaging year for ransomware since 2021.”
Earlier this month, MGM Resorts said in a regulatory filing that a cyberattack it suffered in September will impact the company’s third quarter financial results by about $100 million, mainly related to the impact on its Las Vegas operations, as previously reported by CFO Dive sister publication Cybersecurity Dive. Security researchers have said the company likely refused to pay a demanded ransom, which is part of the reason why the disruptions continued for many weeks.
Meanwhile, a cyberattack recently disclosed by Caesars is also believed to be ransomware-related. The company paid tens of millions of dollars to hackers who broke into its systems and threatened to release its data, Bloomberg has reported.
Ransomware purveyors extorted a record $939.9 million in 2021, according to Chainalysis. After a lull in 2022, big game hunting — the targeting of large, deep-pocketed organizations — seems to have bounced back, according to the company’s research.
A recent non-payment trend “may be prompting ransomware attackers to increase the size of their ransom demands, perhaps with the intention of squeezing the most money possible out of the firms still willing to pay ransoms,” Chainalysis said.
Resilience, which provides cyber insurance and security solutions, said these findings appear to be supported by its own customer ransomware claims data. Ransomware notices comprised 16.2% of the company’s total claims in the first half of 2023, but only 15% of Resilience clients who experienced an extortion incident in this timeframe chose to pay to resolve an incident, down from 21.4% in 2022.
While there was a 37% decrease in ransomware notices between Q1 and Q2 this year, notices for 2023 have already reached 100% of 2022 levels and 84% of 2021 levels for Resilience. “This sets 2023 as one of the most prolific years for ransomware on record,” the company said.
Resilience also pointed to a survey conducted by British security software company Sophos, which found that more organizations are paying higher extortion amounts in 2023. Forty percent of victims are spending over $1 million this year compared to only 11% who paid more than this amount in 2022, according to the research.
Chainalysis partly attributes the 2022 dip in average ransom size to factors such as improved cybersecurity and data backup practices by large organizations, as well as law enforcement efforts.
“We also can’t discount the role of the Russia-Ukraine War in last year’s ransomware decline, as the conflict likely displaced ransomware operators and diverted them away from financially inspired cyber intrusions,” the company said in its July report.
Resilience advised companies looking to bolster their cyber defenses to consider steps such as bridging any silos between their finance, risk management, and information security teams and thoroughly vetting third-party software vendors before selecting them.