Ransomware Payments Fall by 40% in 2022

Ransomware payments dropped by more than 40% in 2022 compared to 2021, and victim organizations are becoming increasingly reluctant to pay extortionists, according to new findings from Chainalysis.

In the ransomware section of its 2023 Crypto Crime Report, the blockchain analysis firm found that ransomware attackers extorted $456.8 million from victims in 2022.

Chainalysis admits that the actual total is likely higher, because some cryptocurrency addresses controlled by ransomware attackers have not yet been identified on the blockchain and incorporated into its data.

Nonetheless, the company says there is a clear trend of ransomware payouts declining significantly. Jackie Koven, head of cyber threat intelligence at Chainalysis, told Information Security: “After two years of rising ransomware revenues, we were surprised and encouraged by the decline in payments. We expect this trend to continue in 2023.”

This trend is largely due to victim organizations being less likely to pay extortion demands when hit with ransomware.

Increasing Barriers to Ransomware Payments

One of the reasons for the reluctance is increasing government pressure and influence over ransomware demands. This has increased since the Russian-Ukrainian conflict began, with many ransomware gangs associated with the Russian state.

This includes Conti, which publicly announced its support for the Kremlin's invasion in February 2022. Shortly thereafter, the group was hit with a massive leak of internal data showing ties to Russia’s Federal Security Service (FSB).

“For these reasons, many ransomware victims and incident response firms have decided that the FSB is a sanctioned organization, so paying Conti attackers was too risky,” the report says.

Conti announced its closure in May 2022, but many of its former attackers are believed to still be active in the cybercrime underworld.

The government has taken other steps in recent years to make ransom payments legally risky without outlawing them outright. This includes recommendations issued by the US government warning organizations about the consequences of making payments to cyber attackers operating under economic sanctions.

The growing role of cyber insurance is another major driver of victims’ reluctance to pay, the report argues. Insurers have become stricter about how their payouts can be used, so they are less likely to cover ransom payments for their clients.

In addition, insurers are demanding better cybersecurity measures for their clients, including measures to help them quickly recover from ransomware attacks, such as comprehensive backup systems.

Koven explains:

“This year’s findings suggest that a combination of other best practices, including security measures, sanctions, tighter insurance policies, and the ongoing work of researchers to silently uncover cryptographic flaws, is effective in curbing payouts and ransomware actors’ extortion. Total ban.”

Evolving ransomware tactics

The report also highlights changes in tactics used by extortion gangs in response to increased law enforcement activity in this area.

Despite declining revenues, Chainalysis highlighted Fortinet research showing that the number of unique ransomware strains in operation surged in 2022. However, on-chain data showed that the majority of ransomware revenue went to a small group of strains.

2022 also appears to have seen regular “rebranding” of ransomware strains as threat actors attempted to obfuscate their activity. In 2022, the average ransomware strain was active for just 70 days, a significant drop compared to 153 days in 2021 and 265 days in 2020.

The researchers added that cybercriminals are moving from traditional ransomware extortion tactics to “disclosure-based” tactics to try to persuade more organizations to pay.

Koven said: “Although this extraction-based extortion strategy could be an attempt by threat actors to evade ransomware labels that could delay or impede a victim’s ability or willingness to pay extortion, these cases are included in our index.”

Ransomware-as-a-Service is flourishing

According to the report, most ransomware operates on a Ransomware-as-a-Service (RaaS) model, in which developers let affiliates use the administrator's malware to carry out attacks in exchange for a small, fixed cut of the revenue.

This means many affiliates are carrying out attacks for several different strains, and Chainalysis expects this trend to continue in 2023.

“What is clear from our data and research is that the underground economy that fuels the ransomware and extortion attack kill chain continues to thrive. We expect access to continue to be sold, leading to sustained attacks,” Koven said.
