In several previous articles we have covered how the work done by the firm Chainalysis has provided great insight into how ransomware developers and affiliates operate. We have seen how their work has contributed to arrests of ransomware operators. We have also seen how the information generated by the firm can lead to law enforcement placing pressure on ransomware gangs.
A new report by Chainalysis shares some more good news as ransomware revenues are done significantly from their 2020 and 2021 highs.
In 2020 and 2021, ransomware revenues that could be traced to known ransomware gangs topped out at over 760 million USD for both years.
In 2022, revenues had plummeted to 457 million USD. Chainalysis notes that it is almost impossible to find the true totals regarding ransomware revenue but noted that the totals could be much higher as they specifically look at cryptocurrency addresses controlled by ransomware attackers identified on the blockchain.
The numbers in reality can be far higher but they are useful for determining trends.
However, while revenue is down the number of ransomware strains has increased. Researchers noted,
“Despite the drop in revenue, the number of unique ransomware strains in operation reportedly exploded in 2022, with research from cybersecurity firm Fortinet stating that over 10,000 unique strains were active in the first half of 2022. On-chain data confirms that the number of active strains has grown significantly in recent years, but the vast majority of ransomware revenue goes to a small group of strains at any given time.”
While the number of ransomware strains exploded to over 10,000, just in the first half of 2022, the lifespan of these strains has dropped.
The average time a strain is active is approximately 70 days, down from 153 in 2021 and 265 in 2020. That said the big news of the report is that revenues are down because victims are refusing to pay. It is this unwillingness that Chainalysis attributes to the 40% drop in revenue.
Victims Refusing to Pay
The report raised the question of how it could be determined that the decrease in revenue was a result of victims refusing to pay the ransom.
Researchers admitted that the time taken to identify ransomware addresses versus the under-reporting of ransomware in incidents cast doubt on the conclusion that victims are not paying ransom demands. Researchers spoke to several experts in different industries but encounter ransomware often.
One such expert, Michael Phillips, Chief Claims Officer of cyber insurance firm Resilience, said, meaningful disruptions against ransomware actor groups are driving lower-than-expected successful extortion attempts.
Contributing factors to this decline were the Russia-Ukraine war and the increased pressure on ransomware gangs from western law enforcement, including arrests and recovery of extorted cryptocurrency according to Phillips.
Ransomware expert Allan Liska noted that security researchers tend to scrape data from the leak sites ransomware administrators use to announce victims and release data if the ransom is not paid.
This data can then be used to determine whether ransomware attacks decreased or not. Liska stated that between 2021 and 2022 ransomware attacks dropped from 2865 to 2566, a 10% drop. Given this information, Chainalysis researchers stated,
“If we take DLS [Data Leak Site]] victim leaks as a proxy for the number of attacks, there’s still a huge gap between a 10.4% drop in leaks and a 40.3% drop in overall ransomware revenue. Instead, our conversations with representatives of cyber insurance and incident response firms suggest much of the revenue drop is explained by victims paying less frequently.”
The next question researchers looked to answer was what was driving victims to not pay the ransom demanded by cybercriminals.
One of the reasons sighted is that it is becoming increasingly becoming risker to pay the ransom from a legal perspective. In September 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory stating,
“Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no guarantee that companies will regain access to their data or be free from further attacks themselves. For these reasons, the U.S. government strongly discourages the payment of cyber ransom or extortion demands.”
It was also noted that Cyber Insurance has also been behind the decline. This is due in part to the strict requirements placed on potential clients of insurance companies.
To receive cyber insurance, which includes protection against ransomware, companies need to prove that they have stringent cybersecurity and backup measures in place. It has also been argued that victims are less likely to pay a ransom demand if they have a cyber insurance policy in place.
It is hoped that this trend continues into the future and it proves once again that preventing cyber criminals from profiting from cybercrime is an effective countermeasure.