Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime , Ransomware

Victims' Known Ransom Payments to Ransomware Groups Decline

Evidence Suggests Victims Ponied Up 40% Less in Ransom Payments, Researchers Say
Victims' Known Ransom Payments to Ransomware Groups Decline
Image: Chainalysis, based on latest available blockchain intelligence

The total amount of ransom payments being sent by victims to ransomware groups appears to have taken a big dip last year.

See Also: 5 Requirements for Modern DLP

Blockchain intelligence firm Chainalysis reports that based on currently available data, "2022's total ransomware revenue fell to at least $456.8 million in 2022 from $765.6 million in 2021 - a huge drop of 40.3%."

It adds that "evidence suggests that this is due to victims' increasing unwillingness to pay ransomware attackers," rather than a decline in the number of ransomware attacks.

Indeed, according to multiple sources, the number of ransomware attacks hasn't declined in recent years, or at least not by much.

One caveat with the Chainalysis findings is that they are based on tracing cryptocurrency flows to wallets known to be operated or owned by criminals. The firm regularly updates its past estimates of cryptocurrency flow volumes as new information comes to light, such as when police bust a cybercrime group or darknet market and share cryptocurrency wallet addresses and other intelligence.

Early last year, for example, the firm reported seeing $602 million in ransomware payments for 2021, which it has so far revised up to $766 million.

But Chainalysis' findings square with those of security firm Coveware. The ransomware incident response company in October reported that fewer ransomware victims were paying a ransom.

How Often Did a Ransomware Victim Pay?

2109 2020 2021 2022
Paid 76% 70% 50% 41%
Did Not Pay 24% 30% 50% 59%
Source: Coveware, based on thousands of cases it worked

Coveware said this was due in part to there being a "decline in quality and reliability" of decryption tools being furnished by attackers, which led more victims to eschew paying (see: Ransomware: 'Amateur' Tactics Lead Fewer Victims to Pay).

Ransomware Changes

Analyzing the ransomware landscape in 2022, Chainalysis also found:

  • More strains: The number of active ransomware strains "reportedly exploded" last year. Fortinet saw more than 10,000 strains in the first half of last year alone, but the lion's share of ransom proceeds still flow to a relatively small number of groups.
  • Shorter lifespan: While a ransomware strain had an average lifespan of 153 days in 2021, that dropped to just 70 days last year, potentially because attackers attempted to better "obfuscate their activity" by churning out new types of malware.
  • Money laundering changes: Ransomware increasingly used "mainstream, centralized exchanges" to launder funds instead of high-risk exchanges or darknets for money laundering, although the use of mixers increased slightly.
  • Small talent pool: "While many strains are active throughout the year, the actual number of individuals who make up the ransomware ecosystem is likely quite small."

Allegiance in the cybercrime realm seems to remain cheap, at least for affiliates - or business partners - of ransomware groups, who in effect lease attack code from operators. Security experts have long tracked how affiliates work with different groups, sometimes at the same time. Some affiliates appear to use different strains based on target selection. Although affiliates typically receive up to 70% of every ransom paid, some may negotiate different profit-sharing arrangements with operators.

Last year, more affiliates moved away from working with big names, fearing they paint too much of a target on their backs. In addition, source code was leaked from Conti, Hello Kitty and LockBit, meaning would-be attackers have multiple options for rolling out their own ransomware and not having to split the proceeds with a ransomware-as-a-service operation, which typically keeps 30% of every ransom paid (see: Ransomware Ecosystem: Big-Name Brands Becoming a Liability).

Last October, Microsoft reported that the Vice Society group has been seen using two different ransomware-as-a-service offerings - Quantum Locker and BlackCat, aka Alphv - as well as off-the-shelf ransomware Zeppelin and Hello Kitty, for which source code is publicly available for free.

Despite such shifts, Chainalysis reports that the majority of ransomware proceeds still appear to be flowing to ransomware-as-a-service operations.

Conti 'Retires' But Players Carry On

Source: Chainalysis

One major change last year was big name Conti retiring in May after its disastrous public backing for Russia's war in Ukraine, which was followed by fewer victims opting to pay.

Chainalysis says the precise culprit was likely the leaks of Conti communications last February that highlighted apparent ties between its chief, "Stern," and Russia's Federal Security Service, or FSB. While Conti was never sanctioned by the U.S. Department of Treasury, the FSB has been sanctioned, and its apparent ties to Conti may have been sufficient to scare would-be ransom payers away.

Chainalysis says many Conti affiliates began working with new groups after victims stopped paying.

Last June, Microsoft detailed two different affiliate groups working with the BlackCat - aka Alphv - ransomware operation: DEV-0237, which had previously used Ryuk, Conti and Hive; and DEV-0504, which had used Ryuk, REvil - aka Sodinokibi - BlackCat predecessor BlackMatter, and Conti.

Conti leader Stern also remained active, Chainalysis says, transacting "with addresses linked to strains like Quantum, Karakurt, Diavol and Royal in 2022 following Conti's demise." At least some of those appear to be brands spun off by Conti before it retired.

So while ransomware groups came and went in name last year, many of the individuals involved appear to be hanging on - and cashing in.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.