DHS: Ransomware Operators on Pace for Second Most Profitable Year


September 19, 2023

World map

Ransomware operators are anticipated to have their second most profitable year according to the Department of Homeland Security’s 2024 Homeland Threat Assessment report (PDF).

“Ransomware attackers extorted at least $449.1 million globally during the first half of 2023 and are expected to have their second most profitable year. This is due to the return of ‘big game hunting’ – the targeting of large organizations – as well as cyber criminals’ continued attacks against smaller organizations,” DHS said.

“Ransomware actors continue to target a variety of victims, almost certainly reflecting malicious cyber actors’ target refinement to entities perceived as the most vulnerable or likely to pay a ransom.”

The cost to victims from ransomware attacks is estimated to reach $265 billion (USD) annually by 2031. The rapid growth of ransomware attacks has made this cyber threat a top concern for businesses and organizations worldwide. More than 2,300 organizations succumbed to ransomware attacks in just the first half of 2023, impacting organizations across every industry vertical.

“Ransomware groups that target US networks, infrastructure, and proprietary information are developing new methods to improve their ability to financially extort victims,” DHS explained.  

“These groups have increased their use of multilevel extortion, in which they encrypt and exfiltrate their targets’ data and typically threaten to publicly release stolen data, use DDoS attacks, or harass the victim’s customers to coerce the victim to pay.”  

Takeaway: The DHS report makes the ransomware threat sound big, and it is – in fact it’s likely much bigger than any current measures reveal because accurate data is hard to come by because private organizations and individuals are not required to report attacks.

In 2022, the FBI spent seven months observing the infamous Hive ransomware gang after infiltrating their operations. Based on their observations, the agency came to the shocking conclusion that only about 20% of attacks were being reported to law enforcement.

This means the ransomware threat is potentially even greater than we acknowledge, and security solutions available on the market - while effective against many threats - do not fully protect against ransomware attacks.  

This is because RaaS operators and data extortion attackers continue to innovate at a fast pace and are implementing novel evasion techniques into their payloads designed to completely circumvent traditional endpoint protection solutions.

With ransomware and data extortion attacks being so hugely profitable, it’s clear we won’t solve this problem on the attacker side of the equation. While we have seen some scattered arrests of affiliates and other low-level threat actors in the ransomware space here and there, overall law enforcement has had very little impact in regard to disrupting ransomware operations.

We can only solve the ransomware and data extortion problem on the victim side, and that is no easy task. Hundreds of organizations were victimized by just one RaaS operator whose affiliate attackers were exploiting just one patchable vulnerability in the first half of 2023.

Research from earlier this year found that more than three-quarters of all ransomware-related vulnerability exploits observed throughout 2022 targeted older bugs disclosed between 2010 and 2019 for which patches were already available.  

There are only two reasons for an organization having failed to patch in a timely manner: they could patch but didn’t, or they wanted to patch but couldn’t. Organizations who wanted to patch but couldn’t is where the real work needs to be done.  

Patching systems can be highly complex for some organizations. In order to avoid breaking critical business systems, patches often need to be applied in the development and tested prior to production.

Even then, some issues prevent patching due to legacy systems/software or internal (home-brewed) scripts/applications that will break if the patch is applied. That’s why there can be months or more of work to do before they can deploy a patch throughout the network.

But for the others, those who could patch but didn’t, there is really no excuse. If we could first address this issue of the “low hanging fruit” who offer attackers a ripe target via poor security protocols, we could certainly make a big dent in this growing threat.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile Q2 2023 (PDF).