Ransomware payments surpassed the $1bn mark in 2023, an unprecedented high driven by ‘big game hunting’ strategies. Some gangs like Cl0p (sometimes spelled CI0P) are carrying out fewer attacks but collecting larger payments when they do, according to a Chainanalysis study.

Cl0p ransomware is associated with the greater TA505 threat group and emerged in 2019. One of its most high-profile strategies was the Cl0p ransomware attack on the data transferring platform MOVEit, now part of Progress Software. Cl0p - said to be a Russian ransomware gang -  injected instructions into the MOVEit code that allowed the gang to steal data from transfers made using MOVEit and amass more than $100m in ransom payments. MOVEit affected companies including the BBC and British Airways.

“Cl0p leveraged zero-day vulnerabilities that allowed it to extort many large, deep-pocketed victims en masse, spurring the strain’s operators to embrace a strategy of data exfiltration rather than encryption,” Chainalysis found. “Overall, big game hunting has become the dominant strategy over the last few years, with a bigger and bigger share of all ransomware payment volume being made up of payments of $1m or more.”

The FBI infiltrated the Hive ransomware variant in 2022, which prevented more than $130m in ransom payments, but 2023 saw the frequency and volume of attacks escalate. More than 500 new ransomware variants were reported during the year and attacks were reported on critical infrastructure including hospitals, schools and government agencies.

‍

‍