Victims of ransomware paid their attackers more than $1 billion last year, a new report has found. That record high shows that many cybercriminals are raking in money by extorting people and institutions with near impunity.
The figure comes from a study of 2023 ransomware payments conducted by Chainalysis, a company that tracks cryptocurrency payments around the world.
Ransomware attacks happen when criminal hackers break into the computer networks of organizations like businesses, hospitals or school systems. They encrypt their victims' computers, steal sensitive files, or both, and then demand payment in cryptocurrency in exchange for the keys that can unlock those computers, a promise not to leak the stolen files, or both. People involved in ransomware can be anywhere. Many major groups are Russian-speaking, and Russia does not extradite its citizens.
Despite efforts to contain the ransomware criminal ecosystem, the promise of wealth and the relative lack of consequences have spurred more ransomware hackers than ever before, said Jackie Koven, the head of cyber threat intelligence at Chainalysis.
“Newcomers are lured by the promise of lucrative returns, the low barriers of entry,” she said.
Some hackers have become more sophisticated, finding more creative and advanced ways to break into victims’ computers. But many successful ransomware attacks come from the sheer number of people trying to break into companies that might pay, leading to a drumbeat of large payments.
“We’re seeing that 75% of ransomware payments are for a million dollars or higher,” Koven said.
The numbers are high despite a surge in efforts to counter ransomware, including occasional takedowns of ransomware groups launched by the Australian and U.S. governments. The Treasury Department has sanctioned some ransomware groups and cryptocurrency companies accused of laundering their funds, which in some circumstances makes it difficult for victims to legally pay off their hackers.
But paying a ransom is generally not illegal, and it can be less costly than refusing hackers’ demands.
In September, MGM Resorts in Las Vegas refused to pay after a ransomware attack. According to a Securities and Exchange Commission filing, the fallout from lost business and replacing damaged computer systems cost the company around $100 million.
“There is a whole government and industry mobilization to stop ransomware, and the problem has only gotten worse,” said Allan Liska, a ransomware analyst at the cybersecurity company Recorded Future.
“Don’t get me wrong; we’ve made real progress. Takedowns are rapidly increasing, as are law enforcement actions,” he said. “But we are still losing the fight.”