Ransomware victims seem to have had enough of the extortion, as ransomware revenue for attackers decreased by 40% to $456.8 million in 2022.
Blockchain intelligence firm Chainalysis shared the data in a report on Jan. 19, noting that the numbers do not necessarily mean that the number of attacks is down year-on-year.
Instead, Chainalysis notes, companies have been driven to bolster cybersecurity measures, while ransomware victims are increasingly reluctant to pay the attackers’ demands.
The findings were part of Chainalysis’ 2023 Cryptocurrency Crime Report. At the time of the 2022 report, last year’s ransomware revenue stood at $602 million; that figure later rose to $766 million when additional cryptocurrency wallet addresses were identified.
Chainalysis added that the nature of the blockchain means that attackers are finding it increasingly difficult to get rid of it:
“Despite the best efforts of ransomware attackers, the transparency of the blockchain allows investigators to identify such remediation efforts almost as soon as they occur.”
Interestingly, ransomware attackers turned to centralized cryptocurrency exchanges 48.3% of the time when reallocating funds — up from 39.3% in 2021.

Chainalysis also noted that the use of mixing protocols such as the now-sanctioned Tornado Cash increased from 11.6% to 15.0% in 2022.
On the other hand, money transfers to “high-risk” cryptocurrency exchanges decreased from 10.9% to 6.7%.
Victims who refuse to pay
In insights shared with Chainalysis, threat intelligence analyst Alan Leska of Recorded Future said OFAC’s September 2021 advisory could be partly responsible for the revenue decline:
“With the threat of penalties looming, there is the added threat of legal consequences for paying [ransomware attackers].”
A statistical analysis conducted by Bill Siegel, CEO of ransomware incident response firm Coveware, indicated that ransomware victims are becoming less willing to pay.

Leska explained that cyber insurance firms are also tightening their underwriting criteria:
“Insurance on the Internet has taken the lead in restricting not only who they will insure, but also what insurance payments can be used for, so they are less likely to allow their customers to use insurance payments to pay the ransom.”
Siegel noted that many companies do not renew policies unless secured systems are comprehensively backed up, endpoint detection and response (EDR) security is integrated, and multiple authentication mechanisms are used.
The decline in revenue came despite an explosion in the number of unique types of ransomware in circulation, according to cybersecurity firm Fortinet.
However, Siegel explained that while competition in the ransomware world appears to be increasing, many of the new strains are run by the same organizations:
“The number of key individuals involved in the ransomware is very small for realization, perhaps a few hundred […] They are the same criminals, they just repaint their cars.”
Chainalysis also explained that the “actual totals” of the numbers in the report are likely to be much higher because not all cryptocurrency addresses controlled by the ransomware attackers have been identified.