Cointime

Download App
iOS & Android

Ransomware Revenue Down As More Victims Refuse to Pay

Validated Project

2022 was an impactful year in the fight against ransomware. Ransomware attackers extorted at least $456.8 million from victims in 2022, down from $765.6 million the year before.

As always, we have to caveat these findings by noting that the true totals are much higher, as there are cryptocurrency addresses controlled by ransomware attackers that have yet to be identified on the blockchain and incorporated into our data. When we published last year’s version of this report, for example, we had only identified $602 million in ransomware payments in 2021. Still, the trend is clear: Ransomware payments are significantly down.

However, that doesn’t mean attacks are down, or at least not as much as the drastic dropoff in payments would suggest. Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers. We’ll discuss this phenomenon more below, but first, let’s look more at general ransomware trends in 2022.

2022 ransomware by the numbers

Despite the drop in revenue, the number of unique ransomware strains in operation reportedly exploded in 2022, with research from cybersecurity firm Fortinet stating that over 10,000 unique strains were active in the first half of 2022. On-chain data confirms that the number of active strains has grown significantly in recent years, but the vast majority of ransomware revenue goes to a small group of strains at any given time. We do, however, see turnover throughout the year among the top-grossing strains.

Likewise, ransomware lifespans continue to drop. In 2022, the average ransomware strain remained active for just 70 days, down from 153 in 2021 and 265 in 2020. As we’ll explore below, this activity is likely related to ransomware attackers’ efforts to obfuscate their activity, as many attackers are working with multiple strains.

When it comes to money laundering, the data indicates that most ransomware attackers send funds they’ve extorted to mainstream, centralized exchanges.

In fact, the share of ransomware funds going to mainstream exchanges grew from 39.3% in 2021 to 48.3% in 2022, while the share going to high-risk exchanges fell from 10.9% to 6.7%. Usage of illicit services such as darknet markets for ransomware money laundering also decreased, while mixer usage increased from 11.6% to 15.0%.

Sizing up the ransomware ecosystem

The constant turnover amongst top ransomware strains and appearance of new ones would suggest that the ransomware world is a crowded one, with a large number of criminal organizations competing with one another and new entrants constantly coming onto the scene. However, looks can be deceiving. While many strains are active throughout the year, the actual number of individuals who make up the ransomware ecosystem is likely quite small.

One place we see this is in affiliate overlap. Most ransomware strains function on the ransomware-as-a-service (RaaS) model, in which the developers of a ransomware strain allow other cybercriminals, known as affiliates, to use the administrator’s malware to carry out attacks in exchange for a small, fixed cut of the proceeds. However, we’ve seen time and time again that many affiliates carry out attacks for several different strains. So, while dozens of ransomware strains may technically have been active throughout 2022, many of the attacks attributed to those strains were likely carried out by the same affiliates. We can think of it as the gig economy, but for ransomware. A rideshare driver may have his Uber, Lyft, and Oja apps open at once, creating the illusion of three separate drivers on the road — but in reality, it’s all the same car.

Microsoft Security discussed an example of this in a blog post earlier this year discussing one prolific affiliate group, whom they’ve labeled DEV-0237, who has carried out attacks using the Hive, Conti, Ryuk, and BlackCat ransomware strains. Microsoft Security researchers were able to identify this example of affiliate overlap by analyzing the technical details of how the attacks were carried out, but we can also identify examples of affiliate overlap on the blockchain. On the Chainalysis Reactor graph below, we see an affiliate whose wallet has received large sums from the Dharma, Conti, and BlackCat ransomware strains at different times, which means the affiliate has carried out attacks for all three strains.

Conti is a particularly interesting case for observing how not just affiliates, but administrators as well rebrand themselves and switch between strains. Conti was a prolific ransomware strain for a few years, taking in more revenue than any other variant in 2021. But in February, immediately following Russia’s invasion of Ukraine, the Conti team publicly announced its support for Vladimir Putin’s government. Soon after, a cache of Conti’s internal communications leaked, and indicated connections between the cybercrime organization and Russia’s Federal Security Service (FSB).

For these reasons, many ransomware victims and incident response firms decided that paying Conti attackers was too risky, as the FSB is a sanctioned entity despite Conti itself not being one. Conti responded by announcing its closure in May, but soon after, much of the Conti team split up into smaller groups and continued their activity. Conti’s closure drove many affiliates to conduct attacks for other strains whose ransoms victims were more likely to pay, as we showed above. We can see another example of this activity below.

Here, we see a Conti affiliate who began working with the Suncrypt, Monti, and Lockbit strains.

But it isn’t just Conti affiliates who have rebranded. On-chain data shows that core administrators have also begun to work with and launch other strains, including the ransomware group’s leader, who goes by the alias Stern. The Reactor graph below shows that Stern has transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise.

Notice that in many cases, the ransomware attackers re-used wallets for multiple attacks launched nominally under other strains. This on-chain activity confirms previous research from cybersecurity firm AdvIntel revealing plans by Conti’s core leadership to shift operations to some of the strains seen above. It’s a great example of how blockchain analysis in tandem with technical analysis of ransomware code and attack patterns can identify offshoots of ransomware strains that have been deemed too risky to pay.

With this data in mind, can Conti truly be said to have shut down if its leader, affiliates, and other members are still successfully carrying out ransomware attacks under new brand names? The data suggests that it may be more productive to think of the ransomware ecosystem not as a collection of distinct strains, but instead as a small group of hackers who rotate brand identities regularly. The fluidity with which affiliates move between ransomware brands makes the sector appear larger than it really is. “The number of core individuals involved in ransomware is incredibly small versus perception, maybe a couple hundred,” said Bill Siegel, CEO and co-founder of ransomware incident response firm Coveware. “It’s the same criminals, they’re just repainting their get-away cars.” Siegel indicated this activity has increased of late, and that affiliates are now much more likely to switch strains frequently rather than stick with one for an extended period of time. But, despite ransomware attackers’ best efforts, the transparency of the blockchain allows investigators to spot these rebranding efforts virtually as soon as they happen.

The big story: Ransomware victims are paying less frequently

Based on the data available to us now, we estimate that 2022’s total ransomware revenue fell to at least $456.8 million in 2022 from $765.6 million in 2021 — a huge drop of 40.3%. However, the evidence suggests that this is due to victims’ increasing unwillingness to pay ransomware attackers rather than a decline in the actual number of attacks. We spoke with a number of ransomware experts to learn more.

The first question that jumps to mind: How can we actually know fewer victims are paying, given the lag we’ve noted previously in how long it takes to identify ransomware addresses, and the massive underreporting of attacks by victims? Michael Phillips, Chief Claims Officer of cyber insurance firm Resilience, indicated that businesses shouldn’t rest easy just because ransomware revenue is down. “Data from claims across the cyber insurance industry show that ransomware remains an increasing cyber threat to businesses and enterprises. There have, however, been signs that meaningful disruptions against ransomware actor groups are driving lower than expected successful extortion attempts,” he told us. Phillips cited among those disruptions the Russia-Ukraine war and the increased pressure on ransomware gangs from western law enforcement, including arrests and recovery of extorted cryptocurrency.

Recorded Future intelligence analyst and ransomware expert Allan Liska, also known as the Ransomware Sommelier, pointed to the data teams like his collect from data leak sites (DLS), where many ransomware attackers post data stolen from victims in an effort to pressure them into paying. “Most organizations scrape [DLS] data to collect a baseline victimology. By that measure, ransomware attacks decreased between 2021 and 2022 from 2865 to 2566 — a 10.4% drop,” said Liska.

If we take DLS victim leaks as a proxy for the number of attacks, there’s still a huge gap between a 10.4% drop in leaks and a 40.3% drop in overall ransomware revenue. Instead, our conversations with representatives of cyber insurance and incident response firms suggest much of the revenue drop is explained by victims paying less frequently. Bill Siegel of Coveware provided us with statistics on the probability of a ransomware victim to pay a ransom based on his firm’s client matters over the last four years:

The trend is highly encouraging — since 2019, victim payment rates have fallen from 76% to just 41%. But what exactly accounts for this shift? One big factor is that paying ransoms has become legally riskier, especially following an OFAC advisory in September 2021 on the potential for sanctions violations when paying ransoms. “With the threat of sanctions looming, there’s the added threat of legal consequences for paying [ransomware attackers],” said Liska. Bill Siegel agreed, telling us that his firm refuses to pay ransoms if there’s even a hint of connection to a sanctioned entity.

Another big factor is the outlook of cyber insurance firms, who are usually the ones reimbursing victims for ransomware payments. “Cyber insurance has really taken the lead in tightening not only who they will insure, but also what insurance payments can be used for, so they are much less likely to allow their clients to use an insurance payout to pay a ransom,” said Liska. Phillips echoed this sentiment in his remarks to us. “Today, companies have to meet stringent cybersecurity and backup measures to be insured for ransomware coverage. These requirements have proven to actively help companies bounce back from attacks rather than pay ransom demands. An increased focus on underwriting against factors that contribute to ransomware has led to lower incident costs for companies and contributed to a decreasing trend in extortion payments…”

Siegel agreed that cyber insurance firms’ demand for better cybersecurity measures is a key driver of the trend toward less frequent ransom payments, and described some of the measures they push clients to implement. “A lot of the insurance carriers are tightening underwriting standards, and will not renew a policy unless the insured has comprehensive backup systems, uses EDR, and has multi-authentication. This has driven a lot of companies to become more secure,” said Siegel. Liska agreed that cybersecurity measures have improved greatly over the past few years. “Back in 2019 when big game hunting and RaaS really started taking off, a lot of security professionals really emphasized the importance of backups. Security professionals saying something and organizations implementing it can take a while. While having an effective backup solution doesn’t stop ransomware attacks and doesn’t help with data theft, it does give victims more options so they aren’t forced to pay,” he said.

Siegel described to us how companies with well segmented yet highly available data backups are much less likely to experience material business impact as a result of the attack, and said that they regularly advise clients not to pay unless the payment is economically justified due to the severity of the impact being experienced. Liska also emphasized that backups aren’t a magic bullet, noting that the data recovery process can take months and leave ransomware victims vulnerable to follow-up attacks during this process, as we saw in the case of Australian logistics firm Toll Group, which suffered two attacks in three months in 2022.

Of course, the best-case scenario is for organizations not to fall victim to ransomware attacks in the first place. To that end, Liska recommends organizations run recurring tabletop exercises, in which all relevant teams — cybersecurity, networking, IT, server administration, backup teams, PR, finance, etc. — meet with leadership to establish how the organization can keep itself secure, identify vulnerabilities, and understand who’s responsible for all aspects of security. “Having a realistic picture of where your organization stands and what its weaknesses and strengths are will better prepare everyone in the event your organization is hit with a ransomware attack, and it also makes leadership aware of where it needs to invest to better secure the network, ahead of an attack,” said Liska.

If more organizations can implement these best practices the way they have data backups and other security measures, we’ll hopefully see ransomware revenue continue to fall in 2023 and beyond.

This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.

Read more: https://blog.chainalysis.com/reports/crypto-ransomware-revenue-down-as-victims-refuse-to-pay/

Comments

All Comments

Recommended for you

  • Bitcoin Layer 2 Project Bitlayer Launches $50 Million Ecosystem Incentive Program

    Bitlayer, a Bitcoin Layer2 infrastructure project based on the BitVM paradigm, announced the launch of a $50 million ecological incentive plan to promote the development of its mainnet ecosystem. The first phase of the incentive program, named "Ready Player One," will begin registration at 09:00 UTC on March 29th, 2024 and end at 09:00 UTC on April 29th, 2024, and will officially start after the Bitlayer mainnet is launched. Specific rules and reward allocation guidelines for the event will be disclosed in subsequent announcements. Through the "Ready Player One" and other ecological incentive plans, Bitlayer aims to accelerate ecosystem development and incentivize projects to deploy on the Bitlayer mainnet. In addition, Bitlayer promises comprehensive ecosystem support for all projects, including potential foundation and institutional investment, initial liquidity support, comprehensive product development resources, guidance and investment opportunities from top incubators, support from the Bitcoin community and OGs, ecosystem cooperation, and co-creation.

  • Stablecoin protocol Ethena on BNBChain has been hacked

    The stablecoin protocol Ethena on BNBChain has been hacked, causing a loss of 480 BNB, worth about $290,000, as monitored by PeckShieldAlert.

  • Singapore-based Bitcoin Layer2 Project BEVM Raises Tens of Millions in Seed and Series A Funding

    Singapore-based Bitcoin Layer2 project, BEVM, has completed its seed round and part of its Series A round, raising tens of millions of USD from over 20 investors including RockTree Capital, Waterdrip Capital, and ViaBTC Capital. The project's Series A valuation has reached $200m and aims to accelerate its international development and roll-out. BEVM is an EVM-compatible Bitcoin Layer2 network built on Taproot Consensus, which uses $BTC as gas and aims to bring 10% of $BTC into its Layer2 network environment. The project's mainnet is scheduled to launch on March 28th and has already implemented decentralized Bitcoin cross-chain custody services through Schnorr Signature, MAST, and Bitcoin SPVs.

  • Ethereum on-chain DEX transaction volume exceeded $2.1 billion yesterday

    According to DeFiLlama data, the trading volume of DEX on the Ethereum blockchain on March 28th was 2.111 billion US dollars, ranking first. The daily trading volume of DEX on the BSC chain was 1.398 billion US dollars, ranking second; the daily trading volume of DEX on the Solana chain was 1.097 billion US dollars, ranking third.

  • Taiwan’s Ministry of Interior has approved the establishment of a cryptocurrency industry association

    Taiwan's Ministry of the Interior has approved the application of the local cryptocurrency industry to establish an industry association. The local cryptocurrency industry working group, which was established last year to prepare for the establishment of the industry association, said that the working group now needs to complete all preparations and officially establish the cryptocurrency industry association by the end of June as required by the government. The working group is currently composed of 22 cryptocurrency companies, including Taiwan's major exchanges such as MaiCoin and BitoPro. The working group pointed out that ACE Exchange has been expelled from the group because the troubled exchange is under investigation by prosecutors for improper behavior by its former executives.

  • Grayscale ETH Trust negative premium rate is 22.77%

    According to ChainCatcher news and Coinglass data, the Grayscale Bitcoin Trust Fund (GBTC) has a premium rate of 0.02%. The Grayscale ETH Trust has a negative premium rate of 22.77%, and the ETC Trust has a negative premium rate of 36.58%.In addition, the Grayscale BCH Trust has a premium rate of 238.13%, the LTC Trust has a premium rate of 380.60%, the SOL Trust has a premium rate of 515.93%, the MANA Trust has a premium rate of 726.65%, the LINK Trust has a premium rate of 713.66%, and the FIL Trust has a premium rate of 3057.89%.

  • Net inflows into spot Bitcoin ETFs reached $179 million on March 28

    Spot on Chain, a blockchain data monitoring platform, posted on social media that the net inflow of spot bitcoin ETF on March 28th reached 179 million US dollars, a decrease of 26.9% compared to the previous trading day. After 54 trading days, the total net inflow accumulated to 12.13 billion US dollars, which is the level before the last fully negative trading week. BlackRock's iShares Bitcoin ETF (IBIT) and Grayscale's GBTC both saw a significant slowdown in daily inflows and outflows on March 28th.

  • Bitcoin spot ETF had a total net inflow of US$179 million yesterday, and the ETF net asset ratio reached 4.25%

    According to SoSoValue data, the Bitcoin spot ETF had a total net inflow of $179 million yesterday (March 28th, US Eastern Time).Yesterday, Grayscale's ETF GBTC had a net outflow of $104 million, and its historical net outflow is $14.77 billion. The Bitcoin spot ETF with the highest net inflow yesterday was BlackRock's ETF IBIT, with a net inflow of approximately $95.12 million, and its historical total net inflow has reached $13.96 billion. The second is Fidelity's ETF FBTC, with a net inflow of approximately $68.09 million yesterday, and its historical total net inflow has reached $7.56 billion.As of now, the total net asset value of Bitcoin spot ETF is $59.1 billion, and the ETF net asset ratio (market value compared to the total market value of Bitcoin) is 4.25%, with a historical total net inflow of $12.12 billion.

  • Ethereum Inscription ETHS rose over 95% in 24H

    CoinGecko data shows that Ethereum Inscription ETHS has risen by 95.9% in the last 24 hours, now reporting at 7.51 USDT. Earlier, Ethereum founder Vitalik released the latest long article "Ethereum has blobs. Where do we go from here?". As a result of this news, the price of Ethereum Inscription ETHS soared.

  • Vitalik: Humanity needs to create a world where blockchain and artificial intelligence work together

    Vitalik Buterin, the founder of Ethereum, stated at BiddleAsia 2024 held at Signiel Seoul in the Songpa district on March 28 that artificial intelligence is a huge market and its importance is increasing day by day. We need to create a world where blockchain and artificial intelligence work together. Artificial intelligence can now create applications with 100 to 500 lines of code. Vitalik also stated that the ability to write 10,000 lines of code can eliminate most of the bugs in the Ethereum virtual machine.