Criminals made off with a record $1 billion in cryptocurrency ransomware payments in 2023 as high-profile institutions and infrastructure were targeted by sophisticated attacks.

According to the latest excerpt from Chainalysis’ 2024 Crypto Crime Report focused on ransomware, significant supply chain attacks exploited the ubiquitous file transfer software MOVEit and affected household names like the BBC and British Airways.

A contributing factor to the resurgence of ransomware in 2023 was an escalation in “frequency, scope, and volume of attacks.” Various actors carried out attacks, from individuals and small criminal groups to large syndicates.

Annual ransom payments reached new all-time highs in 2023, surpassing $1 billion. Source: Chainalysis

Chainalysis cites data and insights from cybersecurity firm Recorded Future, which reported 538 new ransomware variants in 2023. The report also provides visualizations of the different ransomware strains by payment size and frequency, illustrating the variety of criminal strategies.

The report notes that ransomware groups like CL0P exhibited a “big game hunting” strategy, carrying out fewer attacks than other ransomware strains but collecting larger payments with each attack:

“Cl0p leveraged zero-day vulnerabilities that allowed it to extort many large, deep-pocketed victims en masse, spurring the strain’s operators to embrace a strategy of data exfiltration rather than encryption.”

Meanwhile, ransomware groups like Phobos essentially operate a ransomware-as-a-service (RaaS) model, which allows criminal affiliates to access the malware to carry out attacks. The core operators then earn a cut of the ransom proceeds.

A visualization of ransomware strains by average payment size and frequencies. Source: Chainalysis

Chainalysis describes this model as typically targeting smaller entities with lower ransoms, banking on a large quantity of smaller attacks serving as a force multiplier to extract funds.

Ransomware attackers also frequently rebrand and create overlapping strains to distance themselves from previously identified strains linked to sanctions and investigations. Chainalysis uses blockchain analysis to show on-chain links between wallets of different ransomware strains.

Zero-day vulnerabilities were also a significant contributor to high-impact ransomware incidents in 2023. These attacks typically target security gaps in a company’s service, system, product, or application before developers can create and distribute a fix.

CL0P’s exploitation of the file transfer software MOVEit in 2023 was a prime example: the product is used by various IT and cloud applications, and the attack exposed data of hundreds of organizations and millions of users.

The campaign allowed CL0P to become the most prominent ransomware strain across the ecosystem. In June and July 2023, the strain amassed over $100 million in ransom payments, accounting for 44.8% of ransomware value.

2023 saw cross-chain bridges, instant exchangers, mixers and underground exchanges being used to launder a larger share of funds fleeced through ransomware attacks.

The different avenues that criminals use to launder cryptocurrency ransomware payments. Source: Chainalysis

Chainalysis also touches on the evolving nature of the movement of stolen funds from ransomware attacks. Centralized exchanges and mixers have historically received the majority of ransomware funds to be laundered.
