Ransomware victims refuse to pay, cutting into attackers’ profits

Holding companies, utilities, and hospitals to ransom over malware-encrypted data used to be very profitable. But it’s been a tough gig lately, you know?

ifanfoto/Getty Images

Two new studies suggest that ransomware is no longer the lucrative, enterprise-scale trap it once was. Profits to attackers’ wallets and the percentage of victims who pay both dropped dramatically in 2022, according to two separate reports.

Chainalysis, a blockchain analytics company that has worked with a number of law enforcement and government agencies, suggests in a blog post that, based on payments to cryptocurrency addresses it identified as being linked to ransomware attacks, payments to attackers fell from $766 million in 2021 to $457 million last year. The firm notes that its wallet data does not provide a comprehensive study of ransomware; it had to revise its 2021 total upward by $602 for this report. But data from Chainalysis suggests payouts – if not attacks – have been down since their pandemic peak.

Chainalysis data on ransomware wallets suggests a marked decrease in payouts to attackers over the past year, although the number of attacks may not have fallen as markedly.

The Chainalysis post also shows that attackers are switching between malware strains faster, and that better-known attackers are keeping their funds at major cryptocurrency exchanges instead of the illicit and fund-mixing destinations that were more popular at the time of the ransomware boom. This could look like a sign of a mature market with a higher cost of entry. But there’s more to it than typical economics, Chainalysis suggests.

Smaller attackers often switch between different ransomware-as-a-service (RaaS) vendors, performing a kind of A/B testing on their targets. And specific strains of malware bring different risk factors to ransom negotiations. When Conti, a major ransomware strain, was found to be coordinating with the Kremlin and Russia’s Federal Security Service (FSB), victims had another reason — government sanctions — not to pay. CD Projekt Red, creator of the games Cyberpunk 2077 and The Witcher, has been one of the notable resisters.

Conti executives split off and ended up working within a number of other ransomware groups, Chainalysis notes. So while ransomware may look like a huge market with thousands of participants, it is still a small, trackable group of key players that can be monitored.

Coveware's research suggests a gradual downward trend in ransomware payments, minus a spike near the peak of the COVID-19 pandemic.

Cybersecurity analysis firm Coveware sees similar trends, reporting that the share of victims who pay fell from 85% in the first quarter of 2019 to 37% in the fourth quarter of 2022. The company attributes this to investments in security and response planning, improved law enforcement efforts to recover funds and arrest actors, and the cumulative effects of lower payouts pushing ransomware attackers out of the market.

Most of this information matches the Chainalysis report, but Coveware has some startling stats. Average and median ransom payments increased significantly in the last quarter of 2022 compared to the previous quarter. The median size of a ransomware victim has also increased, with a particular spike to all-time highs in the last half of 2022. Coveware suggests this is another result of the non-payment squeeze on attackers. Targeting large companies allows for a greater initial demand, and more groups are trying to re-extort victims, something previously done only by smaller groups targeting small businesses. “RaaS groups care less than their predecessors about maintaining their reputation,” Coveware’s post explains. “Ransomware actors are primarily driven by economics, and when the economy is dire enough, they will stoop to levels of deception and duplicity to recoup their losses.”

More data, graphs and examples can be found in the blog posts from Chainalysis and Coveware, as first spotted by Dark Reading.
