Ransomware victims have seemingly had enough of extortion, with ransomware revenue to attackers down 40% to $456.8 million in 2022.
Blockchain intelligence company Chainalysis shared data in a Jan. 19 report, noting that the numbers do not necessarily mean that the number of attacks is lower than the previous year.
Instead, Chainalysis noted that companies have been forced to tighten cybersecurity measures while ransom victims have become increasingly reluctant to pay attackers their demands.
The findings were part of the Chainalysis 2023 Crypto Crime Report. Ransomware revenue last year was a whopping $602 million at the time of the 2022 report, which later climbed to $766 million as more cryptocurrency wallet addresses were identified.
Chainalysis added that the nature of blockchain means it’s increasingly difficult for attackers to get away with it:
“Despite the best efforts of ransomware attackers, the transparency of the blockchain allows investigators to detect these rebranding efforts virtually as soon as they occur.”
Interestingly, ransomware attackers resorted to centralized cryptocurrency exchanges 48.3% of the time to redistribute funds – up from 39.3% in 2021.
Chainalysis also noted that mixer protocols, such as the now OFAC-approved Tornado Cash, increased from 11.6% to 15.0% in 2022.
On the other hand, “high-risk” cryptocurrency exchange fund transfers fell from 10.9% to 6.7%.
Victims refusing to pay
In insights shared with Chainalysis, threat analyst Allan Liska of Recorded Future said that the US Office of Foreign Assets Control’s (OFAC) September 2021 advisory may partially cause revenue to decline:
“With the threat of sanctions looming, there is the added threat of legal consequences for paying [ransomware attackers].”
A statistical analysis by Bill Siegel, CEO of ransomware incident response firm Coveware, also indicated that ransomware victims are becoming less willing to pay:
Cybersecurity insurers are also tightening their underwriting standards, Liska explained:
“Cyber insurance has really taken the lead in tightening not only who they insure, but also what insurance payouts can be used for, so they’re much less likely to allow their clients to use an insurance payout to pay a ransom.”
Many firms will not renew policies unless insured systems are comprehensively backed up, integrate endpoint detection and response security, and employ multiple authentication mechanisms, Siegel noted.
The drop in revenue came despite an explosion in the number of unique ransomware strains in circulation, according to data shared by cybersecurity firm Fortinet.
However, Siegel explained that while competition in the ransomware world appears to be growing, many of the new strains are being carried out by the same organizations:
“The number of core individuals involved in ransomware is incredibly small compared to perception, perhaps a few hundred […] They’re the same criminals, they’re just repainting their getaway cars.”
Chainalysis also explained that the “real totals” for the numbers in the report are likely to be much higher, as not every cryptocurrency address controlled by the ransomware attackers has been identified.