Ransomware Revenues Dropped by 40% because Victims Refuse to pay

Ransomware Income Dropped

Ransomware revenue (from ransomware attacks) has fallen from $765.6 million in 2021 to $456.8 million in 2022, according to Chainalysis blockchain analysts.

Experts attribute this drop of more than 40% to many factors, but the main reason is simple: more and more victims simply refuse to pay hackers.

Read also: Huge Ransomware List by Gridinsoft Research.

The researchers note that they cannot know about all the wallets used by cybercriminals, but payments clearly show a significant decrease compared to the peak during the COVID-19 pandemic.

These findings are supported by Coveware researchers, a company that helps organizations respond to ransomware attacks. According to them, the percentage of companies that paid a ransom in 2022 fell to 41% (compared to 50% in 2021 and 70% in 2020).

Ransomware Income Dropped

Coveware researchers attribute the drop in attacker revenues to companies’ investment in security and incident response planning, improvements in law enforcement that are increasingly returning victims’ funds and arresting criminals, and the overall effect of fewer payments pushing ransomware out of the market.

Ransomware Income Dropped

At the same time, it is noted that average and median buyouts increased significantly in the last quarter of 2022 compared to the previous quarter. The average size of a ransomware victim company has also grown, especially in the second half of 2022.

Ransomware Income Dropped

Ransomware Income Dropped

Coveware suggests that this is also a consequence of the fact that attackers have become less likely to pay: attacks on larger companies provide hackers with the opportunity to demand larger ransoms.

However, this does not mean that the number of attacks has decreased. At least not as much as one might think due to the sharp cut in payments. Instead, we believe that the decline in profits is mainly due to the fact that victim organizations increasingly refuse to pay ransomware.Chainalysis said in a report.

The researchers also note that last year the Conti hack group, which was the leader of this “market”, broke up, after which its members moved to a number of other groups. And while ransomware attacks may look like a huge “market” with thousands of participants, it is actually not a very large area, the group of main participants of which can still be tracked.

Ransomware Income Dropped

We have seen again and again how many affiliates carry out attacks against several different strains of ransomware. And while dozens of types of ransomware could technically be active during 2022, many of the attacks attributed to these malware were likely carried out by the same affiliates.the experts explain.

Supporting this theory is the fact that in 2022, ransomware remained active for an average of 70 days, which is much less compared to 153 days in 2021 and 265 days in 2020. Researchers attribute this to the fact that attackers seek to hide their activity and work faster, since many of them work with several strains of malware at once.

Ransomware Income Dropped

In addition, another consequence of what is happening has been a change in the money laundering schemes used by extortionist groups. With law enforcement increasingly shutting down cryptocurrency exchanges and mixer services, hackers are increasingly turning to unnamed major exchanges to launder stolen funds. So, according to Chainalysis, extortionists now send up to 48.3% of all funds received to large exchanges.

Most of the ransomware funds are concentrated on a few offshore exchanges. But the use of large legitimate exchanges by ransomware groups to cash out ransoms provides law enforcement with the ability to work with these exchanges to freeze and seize funds. The decrease in the use of marketplaces on the dark web for money laundering is associated with the closure last year of the largest dark web marketplace, Hydra.analysts said.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *