Fewer companies that are infected with ransomware are coughing up extortion payments demanded by hackers, according to research from Chainalysis.
In its findings, the blockchain forensics firm estimated that ransom payments — which are almost always paid in cryptocurrency — fell to $456.8 million in 2022 from $765.6 million in 2021, a 40 per cent drop.
“That doesn’t mean attacks are down, or at least not as much as the drastic drop-off in payments would suggest,” the report said.
“Instead, we believe that much of the decline is due to victim organisations increasingly refusing to pay ransomware attackers.”
Chainalysis also said the actual totals could be much higher, as there are cryptocurrency addresses controlled by ransomware attackers that its researchers have not yet identified.
Ransomware is a type of cyber attack in which hackers encrypt a victim’s data files and demand a payment in exchange for the key needed to unlock them. More recently, ransomware groups have also been stealing data before encrypting it, threatening to publish it online unless the company pays, so that a victim with good backups still faces pressure to pay.
The Chainalysis findings are supported by data from the cyber incident response company Coveware, which disclosed that the share of its clients that paid a ransom after an attack has steadily decreased since 2019, from 76 per cent then to 41 per cent in 2022.
One reason that ransom payments may be going down is that paying now carries increasing legal risk, as the US government has been aggressively issuing sanctions against cryptocurrency companies that allegedly enable illegal activity, including laundering ransomware payments.
This means companies could face legal consequences for making ransom payments to hackers if the money ends up with a sanctioned entity.
“One of the biggest factors companies are taking into account when determining whether they should pay a ransom is how risky it would be legally — particularly given that there’s the danger they could be paying a sanctioned entity, which would have severe legal ramifications,” said Jackie Burns Koven, head of cyber threat intelligence at Chainalysis.
In addition, she said, “insurance companies are being much more strict about how and when their insurance payouts can be used — oftentimes eliminating the ability to use them to make ransomware payments altogether”.
The FBI advises companies against making ransomware payments.
Chainalysis research also highlighted shifts in the ransomware marketplace.
For instance, Chainalysis reported that the number of ransomware strains in operation exploded in 2022, and it quoted the cybersecurity firm Fortinet’s research showing more than 10,000 unique strains being active in the first half of the year.
Its researchers also found that the lifespan of a ransomware strain has steadily declined, to 70 days in 2022 from 265 in 2020.
Many of the hacking groups operate what is known as ransomware as a service, where a core group of administrators offer their malware strains to “affiliates”, who conduct the attacks and return a fixed cut of the illicit proceeds.
The researchers concluded that affiliates are carrying out attacks using several different ransomware strains. The administrators, meanwhile, rebrand themselves and switch between strains.
“The number of core individuals involved in ransomware is incredibly small versus perception, maybe a couple hundred,” said Bill Siegel, chief executive and co-founder of Coveware, as quoted in the Chainalysis report.
“It’s the same criminals, they’re just repainting their get-away cars.”