
2023 was a banner year for ransomware. Revenue from ransoms paid in Bitcoin exceeded one billion dollars for the first time – while the actual damage is likely to be orders of magnitude higher.

The danger posed by ransomware, and the damage it causes in Western societies, has never been greater. A few examples from the recent past illustrate this:

Change Healthcare

The hack of Change Healthcare, a subsidiary of the major American insurer UnitedHealth, was one of the most serious ransomware incidents in recent years. It led to widespread disruption in the US healthcare system.

After Change Healthcare paid a ransom of $22 million in Bitcoin to the (Russian) hacker group Black Cat, the systems appear to be mostly running again. But the true cost of the hack is becoming increasingly clear: UnitedHealth revealed an $872 million loss in the first quarter of this year that can be directly attributed to the cyberattack. There are fears that these numbers could escalate further, potentially doubling to $1.6 billion.

Southern Water

In England, one of the country’s largest water suppliers, Southern Water, also fell victim to a ransomware attack. The (Russian) ransomware group Black Basta, which has reportedly extorted more than $100 million in Bitcoin since 2022, gained access to the servers and stole around 750 gigabytes of sensitive data, including scanned ID cards and driver’s licenses.

Southern Water, which supplies fresh water to more than 2.5 million people in southern England, acknowledged the incident but stressed that only a limited portion of its servers were affected and operations were not restricted. Data from 5-10 percent of customers has been stolen, but so far there is no evidence that it is being published on the dark web.

MGM in Las Vegas

In general, 2023 was a very good year for ransomware. According to Chainalysis, $1.1 billion in ransomware ransoms were paid last year. When you consider that the actual costs of operational downtime, delays and maintenance, as in the case of UnitedHealth, are significantly higher, you can imagine the immense economic damage that ransomware causes.

One of the most high-profile cases of the past year was the attack on MGM Resorts in Las Vegas in September, which disrupted operations at dozens of Las Vegas casinos. Thousands of slot machines stopped paying out, computers shut down and systems failed. While MGM didn’t pay the $30 million the hackers demanded, it lost a total of about $100 million in revenue and paid millions more to rebuild its servers.

“The Com” – toxic masculinity and hacks

Bryan Vorndran of the FBI commented on the MGM hack in an interview that ransomware is now “a problem for the global economy, for the US economy and for the security of the United States.”

Vorndran explains that behind the hack on MGM is a criminal group of English-speaking hackers who specialize in social engineering. They are part of “The Com” culture, which also gave rise to hacks on companies such as Microsoft, Nvidia and Electronic Arts.

“The Com” are several thousand loosely connected people, usually men between 13 and 25, who network via gaming servers and Telegram channels. A toxic masculinity full of sexism, misogyny and racism prevails in the scene, where people boast about criminal successes.

What security authorities are most concerned about is that The Com is connecting young Westerners who speak English fluently and understand how Western society works with Russian ransomware gangs like Black Cat. Russian hackers are providing the software with the latest exploits, while Western young men are compromising the servers of major companies. The loot is then shared.

The Kremlin and the hackers

To make matters worse, Russia completely stopped its already lax cooperation with Western investigators after the Kremlin began to make the mass murder of Ukrainians a raison d’être. Take the infamous Colonial Pipeline hack, probably the ransomware incident that comes closest to a terrorist attack: it, too, was the result of interaction between Russian hackers and Western “suppliers”. After the American NSA identified a Russian hacker, he was arrested in Russia in January 2022 after months of negotiations.

But five weeks later – you know what had happened by now – the hacker was released again. For sanctions-plagued Russia, ransomware hackers are likely to represent a solid source of foreign revenue, similar to North Korea. It would not be surprising if the Kremlin works more closely with hackers in the future to combine the pleasant – sabotage of Western companies – with the useful – earning foreign currency.

The threat level is increasing every year and there is little evidence that it will abate. As one NSA analyst puts it: “The level of cybercrime has reached a point where it seems overwhelming. And every year it gets worse. As defenders, it feels like we win every battle but lose the war.”
