Ransomware payments fell by over 40% in 2022 compared to 2021, with victim organizations increasingly reluctant to pay their extorters, according to new findings by Chainalysis.
In the ransomware section of its 2023 crypto crime report, the blockchain analysis firm found that ransomware attackers extorted $456.8m from victims in 2022. This represents a significant drop from $765.6m in 2021 and $765m in 2020.
Chainalysis acknowledged that the true totals are likely to be higher, as there are cryptocurrency addresses controlled by ransomware attackers that have yet to be identified on the blockchain and incorporated into its data.
Nevertheless, the company said there is a clear trend of ransomware payments being significantly down. Jackie Koven, head of cyber threat intelligence at Chainalysis, told Infosecurity: “After two years of growth in terms of ransomware revenue, we were surprised and encouraged to see that payments are decreasing. We hope to see this trend continue in 2023.”
This trend is primarily a result of victim organizations being less likely to pay extortion demands when hit by ransomware.
Growing Barriers to Making Ransomware Payments
One reason for the increased reluctance is growing government pressure and implications around paying ransomware demands. This has ramped up since the start of the Russia-Ukraine conflict, with many prolific ransomware gangs linked to the Russian state.
This includes Conti, which publicly announced its support for the Kremlin’s invasion in February 2022. Shortly after, it suffered a massive leak of internal data that indicated its association with Russia’s Federal Security Service (FSB).
“For these reasons, many ransomware victims and incident response firms decided that paying Conti attackers was too risky, as the FSB is a sanctioned entity,” stated the report.
While Conti announced its closure in May 2022, many of its former actors are believed to still be active in the cybercrime underworld.
Governments have taken other steps to make ransom payments legally riskier in the past few years, although they have stopped short of outlawing them altogether. This includes advisories issued by the US government warning organizations about the consequences of paying cyber actors operating under economic sanctions.
Another major factor in victims’ increasing reluctance to pay out is the growing role of cyber insurance, argued the report. It noted that insurers are becoming stricter regarding the areas insurance payments can be used for, so are less likely to cover clients’ ransom payments.
Additionally, insurance firms are demanding improved cybersecurity measures from clients, including actions that allow them to recover quickly from a ransomware attack, such as comprehensive backup systems.
Koven explained: “Government agencies have stopped short of making ransomware payments illegal or even sanctioning specific ransomware strains because in many situations organizations would need to shut down if they can’t pay the ransom.
“Our findings this year suggest that a combination of other best practices – such as security preparedness, sanctions, more stringent insurance policies and the continued work of researchers quietly finding flaws in the encryption – are effective in curbing payments and ransomware actors’ extortions, without outright bans.”
Evolving Ransomware Tactics
The report also highlighted changing tactics used by extortion gangs in response to growing law enforcement activity in this area.
Despite the drop in revenue, Chainalysis highlighted research from Fortinet showing that the number of unique ransomware strains in operation surged in 2022. However, on-chain data found that the vast majority of ransomware revenue went to a small group of strains.
There also appeared to be a regular “rebranding” of ransomware strains in 2022, as threat actors sought to obfuscate their activity. In 2022, the average ransomware strain remained active for just 70 days, representing a huge reduction compared to 153 days in 2021 and 265 days in 2020.
The researchers added that cyber-criminals are moving away from traditional ransomware extortion tactics towards “exfiltration-based” strategies to try and entice more organizations to pay up.
Koven noted: “We’ve also noticed an increase in data extortion events, where data is exfiltrated from a victim’s systems but not encrypted as is typically the last step in ransomware. This exfiltration-based extortion strategy is likely an attempt by threat actors to evade the label of ransomware that might delay or stymie a victim’s ability or willingness to pay the extortion, although we do include these cases in our metrics.”
Ransomware-as-a-Service is Thriving
The report observed that most ransomware strains functioned on the ransomware-as-a-service (RaaS) model, in which the developers allow other attackers, known as affiliates, to use the administrator’s malware to carry out attacks in exchange for a small, fixed cut of the proceeds.
This means many affiliates are carrying out attacks for several different strains. Chainalysis expects this trend to continue in 2023.
“What’s clear from our data and research, is the underground economy that fuels the attack killchain for ransomware and extortion continues to thrive and therefore we expect to see the continued sale of access to victim networks and credentials leading to persistent attacks in 2023,” said Koven.