The amount of money paid to ransomware attackers dropped significantly in 2022, and not because the number of attacks fell.
It’s that more victims are refusing to pay the ransoms, blockchain research firm Chainalysis said in a report Thursday.
They estimate that since 2019, victim payment rates have fallen from 76 percent to just 41 percent. For context, that number was 50 percent in 2021 by their figures.
Chainalysis data indicates that total ransomware revenue fell to at least $456.8 million last year, a 40.3 percent drop from the $765.6 million in 2021, and “the evidence suggests that this is due to victims’ increasing unwillingness to pay ransomware attackers.”.
To be fair, the research firm’s data is estimate-only. There are cryptocurrency sites controlled by ransomware groups that have not yet been identified on the blockchain and folded into Chainalysis’ data.
Pointing to work done by cybersecurity firm Recorded Future on collecting data from ransomware groups’ data leak sites, the number of attacks between 2021 and 2022 fell by 10.4 percent, the researchers wrote. Still, there is a significant gap between the percentage drop in ransomware attacks and that of ransom payments made.
So why are companies shying away from paying the ransom? There are a number of factors, chief among which is that paying can carry heavy legal ramifications.
For example, in 2021, the US Treasury Department, through its Office of Foreign Assets Control (OFAC), outlined potential sanctions to companies paying ransoms. In addition, cybersecurity insurance companies, which end up reimbursing companies for the ransom payments, are tightening who they will insure and what the money can be used for.
They also are demanding that before an insurance policy is issued or renewed, the enterprise must show they have the tools in place – strong cybersecurity policies like endpoint data and response, multi-factor authentication (MFA) and backup procedures – to protect against ransomware. Companies with these tools are less likely to be severely hurt by an attack or pay the ransom.
Theresa Le, chief claims officer at Cowbell, a cyber-insurance firm for SMBs, told The Register that “with controls such as viable and tested backups, employee training on phishing emails, and the systematic deployment of MFA, many businesses have either thwarted ransomware attacks or significantly reduced the severity of a ransomware incident by having a recovery strategy that does not include making the extortion payment.”
Darren Guccione, co-founder and CEO of cybersecurity firm Keeper Security, noted that paying a ransom is not only potentially illegal and costly, there is no guarantee the victim will get their data decrypted or returned.
“Further, cybercriminals have often received payment and subsequently placed stolen files on the dark web, to further monetize their value,” Guccione told The Register. “Generally, a payment absent proper responsive cybersecurity protection increases the probability of a future attack, as cybercriminals now know the organization will pay the ransom.”
Others offered up another factor playing into the drop of ransomware payments: the reluctance of some victims to admit they paid.
Scott Scher, senior cyber intelligence analyst at threat intelligence firm Intel 471, told The Register that ransomware attacks and payment are largely unreported, which means governments and private sector companies don’t have complete visibility into the issue.
“Victim’s unwillingness to disclose a ransomware payment to the public has always been an important factor when it comes to understanding the number and success of ransomware incidents,” Scher said. “However, it is unlikely that this unwillingness to disclose payments publicly has significantly changed in the last few years.”
The ransomware space continues to be in flux with the continued rise of ransomware-as-a-service (RaaS) – which makes it easier for less skilled miscreants to launch attacks – and a shift toward extortion bystealing data and holding it hostage rather than simply encrypting it and demanding payment in returned for a decryption key.
SonicWall in October 2022 said that it saw a 31 percent drop in ransomware attacks in the first nine months of the year, but that also was coming off record numbers recorded in 2021. CEO Robert VanKirk at the time told The Register there was an “unstable cyberthreat landscape” fed by expanded attack surfaces, growing numbers of threats, and a tense geopolitical environment that included the Russia’s attack on Ukraine.
The CEO also noted that even those the numbers in 2022 were down, they were still higher than in any year but 2021. ®