Ransomware victims refuse to pay, reducing attackers’ profits


Robbing corporations, utilities and hospitals for data encrypted with malware used to be quite profitable. But it’s a tough gig lately, you know?

ifanfoto/Getty Images

Two new studies suggest that ransomware is no longer as lucrative on an enterprise scale as it used to be. Profits to attacker wallets and the percentage of paying victims fell sharply in 2022, according to two separate reports.

Chainalysis, a blockchain analytics firm that has worked with various government and law enforcement agencies, suggests in a blog post that, based on payments to cryptocurrency addresses it identified as being connected to ransomware attacks, payments to attackers fell from $766 million in 2021 to $457 million last year. The firm notes that its wallet data does not provide a comprehensive study of ransomware; it had to revise its 2021 total upward from $602 for this report. But Chainalysis data suggests payments, if not attacks, have declined since their pandemic peak.

Chainalysis data from ransomware wallets suggests a marked decline in payments to attackers last year, though the number of attacks may not have dropped that much.

The Chainalysis post also shows attackers switching between malware strains more quickly, with the most notorious attackers keeping their funds on major cryptocurrency exchanges rather than the illicit and fund-mixing destinations that were more popular in the days of the ransomware boom. This could seem like a sign of a mature market with a higher cost of entry. But there is more to it than typical economics, Chainalysis suggests.

Smaller attackers often switch between different ransomware-as-a-service (RaaS) providers and perform various types of A/B tests on targets. And specific strains of malware bring different risk factors to ransom negotiations. When Conti, a major ransomware strain, was found to be coordinating with the Kremlin and Russia’s Federal Security Service (FSB), victims had another reason, government sanctions, for not paying. CD Projekt Red, creator of the games Cyberpunk 2077 and The Witcher, was one of the notable holdouts.

Conti’s leaders split up and ended up working within other ransomware groups, Chainalysis notes. So while ransomware may seem like a huge market with thousands of participants, it’s still a small, traceable group of major players that can be monitored.

Coveware's research suggests a gradual downward trend in ransomware payments, minus a spike near the height of the COVID-19 pandemic.

Cybersecurity analytics firm Coveware is seeing similar trends, reporting that paying victims fell from 85 percent in Q1 2019 to 37 percent in Q4 2022. The firm attributes this to investments in security and response planning, improvements in recovery of funds by law enforcement and arrest of actors, and the combined effects of fewer payments that push ransomware attackers out of the market.

Most of that lines up with the Chainalysis report, but Coveware has some striking statistics. Average and median ransom payments increased significantly in the last quarter of 2022 from the previous quarter. The average size of a ransomware victim has also increased, with a particular spike to record levels in the last half of 2022. Coveware suggests this is another result of the constraint on attacker payments. Targeting larger companies allows for larger initial demands, and more groups try to extort victims again, something previously practiced only by smaller groups targeting smaller companies. “RaaS pools care less than their predecessors about maintaining their reputations,” the Coveware post explains. “Ransomware actors are first and foremost driven by the economy, and when the economy is dire enough, they will stoop to levels of deceit and duplicity to recoup their losses.”

More data, charts, and examples can be found in the Chainalysis and Coveware blog posts, as first spotted by Dark Reading.
