According to Chainalysis’ 2023 cybercrime report, ransomware payments have surged beyond $1 billion, hitting a new all-time high. This number represents a resurgence in ransomware activity after a dip noted in 2022.
The attacks targeted high-profile institutions and critical infrastructure, including hospitals, schools, and government agencies. Major ransomware supply chain attacks exploited the widely used file transfer software MOVEit, impacting companies ranging from the BBC to British Airways.
Ransomware is a type of malware that encrypts a user’s or organization’s files, rendering them inaccessible until a ransom is paid for the decryption key. This form of cyberattack has become increasingly prevalent, impacting various sectors such as healthcare, public services, and organizations globally.
Ransomware typically gains access to systems through vectors like phishing emails or exploiting vulnerabilities in services such as Remote Desktop Protocol (RDP). Once a system is infected, the malware encrypts files and demands a ransom from the victim, often in cryptocurrency for anonymity.
Impact on organizations – MGM
Chainalysis added that while there was a decline in ransomware payment volume in 2022, the economic impact of productivity loss and repair costs associated with attacks became evident in cases like the bold targeting of MGM Resorts by ALPHV-BlackCat and Scattered Spider. Although MGM did not pay the ransom, estimated damages cost the business over $100 million.
The attack, attributed to the ALPHV/BlackCat ransomware gang, involved a combination of impersonation and malware tactics, leading to widespread chaos within MGM Resorts’ network of hotels and casinos, including prestigious properties like Mandalay Bay, the Bellagio, the Cosmopolitan, and the Aria.
Scattered Spider infiltrated MGM’s systems by impersonating IT help desk personnel after conducting searches for employees on LinkedIn.
The cybercriminals gained access to MGM Resorts’ Okta and Azure environments, obtaining administrator privileges and extensive access to the company’s systems.
The attack resulted in disruptions such as slowed electronic winnings transfers, non-functional access cards for thousands of hotel rooms, and system outages persisting for an extended period.
In response to the breach, MGM Resorts had to shut down significant portions of its internal networks to contain the attack, causing operational disruptions and financial losses estimated at around $100 million.
The company allocated approximately $10 million for one-time expenditures related to the cyberattack, including technology consulting services and legal charges.
Despite the challenges faced, MGM Resorts announced that its hotels and casinos were operating normally again after about 10 days of recovery efforts.
Decline in Ransomware in 2022
According to Chainalysis, the decline in ransomware activity in 2022 was the result of several factors, including geopolitical events like the Russian-Ukrainian conflict.
The successful infiltration of the Hive ransomware strain by the Federal Bureau of Investigation (FBI) also played a significant role.
The FBI provided decryption keys to over 1,300 victims, preventing approximately $130 million in ransom payments to Hive. The impact of this intervention likely extends beyond the reduced payments, affecting the broader activities of Hive affiliates.
Increase in Ransomware-as-a-Service (RaaS)
The cybersecurity firm noted that the spread of Ransomware-as-a-Service (RaaS) and the availability of hacking tools made it easier to launch attacks.
Ransomware-as-a-Service (RaaS) is a clever adaptation of the Software-as-a-Service (SaaS) business model, where ransomware developers sell or rent their ransomware tools to other hackers, known as ransomware affiliates, enabling them to conduct ransomware attacks.
This model has significantly contributed to the proliferation of ransomware attacks by lowering the technical barriers for cybercriminals and making it easier for individuals with limited expertise to execute sophisticated cyberattacks.
Chainalysis said that the growth of initial access brokers (IABs) allowed bad actors to carry out ransomware attacks with less technical skill. Monitoring IABs became crucial for early warning signs and potential intervention.
In addition, the report pointed out that in 2023, new ways to hide money, such as bridges, instant exchangers, and gambling sites, became more common. There was a focus on certain services in each category.
The world of ransomware changed a lot in 2023. Threat actors changed how they work and who they work with.
Progress in fighting ransomware has been greatly aided by successful collaboration among worldwide law enforcement agencies, impacted organizations, cybersecurity companies, and blockchain intelligence units.
These partnerships have been crucial in strengthening cyber resilience, reducing threats, and protecting important digital systems from harmful attacks.