Cybercriminals’ preferred method of extortion is declining.
In brief, ransomware encrypts a victim's files and then demands payment in cryptocurrency to decrypt them. In 2022, however, the market began to shift as fewer businesses gave in to the blackmail.
According to data provided by blockchain analysis company Chainalysis, ransomware revenue fell from $765.6 million in 2021 to at least $456.8 million in 2022, a 40.3% year-over-year decrease. The number of victims who refuse to pay the ransom has increased alongside the volume of attacks.
Working with Cover, Chainalysis has witnessed a significant decline in the proportion of ransomware victims willing to pay, from 76% in 2019 to 41% in 2022. According to Chainalysis, this “extremely encouraging” trend is likely influenced by a variety of factors.
Victims of ransomware have realized that even if they pay the ransom, there is no assurance that they will get their data back or that the ransomware actor will delete the “stolen” files rather than sell them to third parties on the dark web. The public perception of ransomware has also matured, so data leaks no longer pose the same risks to brand reputation as they did in prior years.
Companies and government agencies, which are the primary targets of modern ransomware attacks, have also improved their backup strategies, making data recovery a much cleaner and simpler process than it was just a few years ago.
In addition, insurance companies are less likely to permit their clients to use an insurance payout to pay a ransom demand. As numerous ransomware operations are headquartered in Russia, victims who decide to pay may be subject to the severe legal consequences brought about by the economic sanctions imposed on the country following its invasion of Ukraine.
Even though victims are not paying as much as they once did, the ransomware industry is far from dead: the average lifespan of file-encrypting malware strains has decreased from 153 days in 2021 to 70 days in 2022. Ransomware-as-a-service (RaaS) operations including Royal, Play, and BlackBasta went live while the “Conti” ransomware operation came to an end. At the end of 2022, LockBit, Hive, Cuba, BlackCat, and Ragna were still operating and demanding ransom payments.