According to analysis by Chainalysis, fewer organizations attacked with ransomware are making the extortion payments sought by hackers. The blockchain forensics group anticipated that ransom payments, which are nearly exclusively made in bitcoin, would fall to $456.8 million in 2022 from $765.6 million in 2021, a 40% decrease. “That doesn’t indicate assaults are down, or at least not as much as the sharp decline in payments would imply,” the report concluded.
“Instead, we believe that much of the decline is due to victim organisations increasingly refusing to pay ransomware attackers.”
Chainalysis also said the actual totals could be much higher, as there are cryptocurrency addresses controlled by ransomware attackers that its researchers have not yet identified.
Ransomware is a type of cyber attack in which hackers encrypt a victim’s data files and demand a payment to unlock them. More recently, ransomware groups have been stealing data, too, threatening to publish it online unless the company pays.
The research from Chainalysis is supported by data from the cyber incident response company Coveware, which disclosed that the proportion of its clients that paid a ransom after an attack has steadily decreased since 2019, from 76 per cent to 41 per cent in 2022.
One reason that ransom payments may be going down is that paying now comes with increasing legal risk, as the US government has been aggressively issuing sanctions against cryptocurrency companies that allegedly enable illegal activity, including laundering ransomware payments.
This means companies could face legal consequences for making ransom payments to hackers.
“One of the biggest factors companies are taking into account when determining whether they should pay a ransom is how risky it would be legally — particularly given that there’s the danger they could be paying a sanctioned entity, which would have severe legal ramifications,” said Jackie Burns Koven, head of cyber threat intelligence at Chainalysis.
In addition, she said, “insurance companies are being much more strict about how and when their insurance payouts can be used — oftentimes eliminating the ability to use them to make ransomware payments altogether”.
The FBI advises companies against making ransomware payments.
Chainalysis research also highlighted shifts in the ransomware marketplace.
For instance, Chainalysis reported that the number of ransomware strains in operation exploded in 2022, and it quoted the cybersecurity firm Fortinet’s research showing more than 10,000 unique strains being active in the first half of the year.
Its researchers also found that the lifespan of a ransomware strain has steadily declined, to 70 days in 2022 from 265 in 2020.
Many of the hacking groups operate what is known as ransomware as a service, where a core group of administrators offer their malware strains to “affiliates”, who conduct the attacks and return a fixed cut of the illicit proceeds.
The researchers concluded that affiliates are carrying out attacks using several different ransomware strains. The administrators, meanwhile, rebrand themselves and switch between strains.
“The number of core individuals involved in ransomware is incredibly small versus perception, maybe a couple hundred,” said Bill Siegel, chief executive and co-founder of Coveware, as quoted in the Chainalysis report.
“It’s the same criminals, they’re just repainting their get-away cars.”