Fewer companies that are infected with ransomware are coughing up extortion payments demanded by hackers, according to new research from Chainalysis Inc.
In findings published on Thursday, the blockchain forensics firm estimated that ransom payments — which are almost always paid in cryptocurrency — fell to $456.8 million in 2022 from $765.6 million in 2021, a 40% drop.
“That doesn’t mean attacks are down, or at least not as much as the drastic dropoff in payments would suggest,” according to the report. “Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers.”
Chainalysis also said the actual totals could be much higher, as there are cryptocurrency addresses controlled by ransomware attackers that its researchers haven’t yet identified.
Ransomware is a type of cyberattack in which hackers encrypt a victim’s data files and demand a payment to unlock them. More recently, ransomware groups have been stealing data too, threatening to publish it online unless the company pays.
The Chainalysis findings are supported by data from the cyber incident response company Coveware, which, as cited in the Chainalysis report, disclosed that the share of Coveware's clients that paid a ransom after an attack has steadily decreased since 2019, from 76% that year to 41% in 2022.
One reason that ransom payments may be going down is that paying now carries increasing legal risk: the US government has been aggressively issuing sanctions against cryptocurrency companies that allegedly facilitate illegal activity, including laundering ransomware payments. That means companies could face legal consequences for paying ransoms to hackers.
“One of the biggest factors companies are taking into account when determining whether they should pay a ransom is how risky it would be legally — particularly given that there’s the danger they could be paying a sanctioned entity, which would have severe legal ramifications,” said Jackie Burns Koven, head of cyber threat intelligence at Chainalysis.
In addition, she said, “insurance companies are being much more strict about how and when their insurance payouts can be used — oftentimes eliminating the ability to use them to make ransomware payments altogether.”
The FBI advises companies against paying ransoms.
Chainalysis research also highlighted shifts in the ransomware marketplace.
For instance, Chainalysis reported that the number of ransomware strains in operation exploded in 2022, and it quoted the cybersecurity firm Fortinet's research showing more than 10,000 unique strains active in the first half of the year. Chainalysis researchers also found that the average lifespan of a ransomware strain has steadily declined, to 70 days in 2022 from 265 days in 2020.
Many of the hacking groups operate what is known as ransomware as a service, where a core group of administrators offer their malware strains to “affiliates,” who conduct the attacks and return a fixed cut of the illicit proceeds.
The researchers concluded that affiliates are carrying out attacks using several different ransomware strains. The administrators, meanwhile, rebrand themselves and switch between strains.
“The number of core individuals involved in ransomware is incredibly small versus perception, maybe a couple hundreds,” said Bill Siegel, chief executive officer and co-founder of Coveware, as quoted in the Chainalysis report. “It’s the same criminals, they’re just repainting their get-away cars.”
Siegel didn’t respond to a request for comment.
Photo: Computer code displayed on screens arranged in Danbury, U.K., on Thursday, Jan. 7, 2021. In the spring, hackers managed to insert malicious code into a software product from an IT provider called SolarWinds Corp., whose client list includes 300,000 institutions. Photographer: Chris Ratcliffe/Bloomberg