Ransomware profits decline as victims dig in, refuse to pay

In another sign that the tide may be finally turning against ransomware actors, ransom payments declined substantially in 2022 as more victims refused to pay their attackers — for a variety of reasons.

If the trend continues, analysts expect ransomware actors will start demanding bigger ransoms from larger victims to try and compensate for falling revenues, while also increasingly going after smaller targets that are more likely to pay (but which represent potentially smaller payoffs).

A Combination of Security Factors

“Our findings suggest that a combination of factors and best practices — such as security preparedness, sanctions, more stringent insurance policies, and the continued work of researchers — are effective in curbing payments,” says Jackie Koven, head of cyber-threat intelligence at Chainanalysis.

Chainanalysis said its research showed ransomware attackers extorted some $456.8 million from victims in 2022, down nearly 40% from the $765.6 million they had extracted from victims the year before. The actual number is likely to be much higher considering factors like underreporting by victims and incomplete visibility over ransomware addresses, Chainanalysis conceded. Even so, there is little doubt that ransomware payments were down last year because of an increasing unwillingness by victims to pay their attackers, the company said.

“Enterprise organizations investing in cybersecurity defenses and ransomware preparedness are making a difference in the ransomware landscape,” Koven says. “As more organizations are prepared, fewer need to pay ransoms, ultimately disincentivizing ransomware cybercriminals.”

Other researchers agree. “The businesses that are most inclined not to pay are those that are well prepared for a ransomware attack,” Scott Scher, senior cyber-intelligence analyst at Intel471, tells Dark Reading. “Organizations that tend to have better data backup and recovery capabilities are definitely better prepared when it comes to resiliency to a ransomware incident and this highly likely decreases their need to pay ransom.”

Another factor, according to Chainanalysis, is that paying a ransom has become legally riskier for many organizations. In recent years, the US government has imposed sanctions on many ransomware entities operating out of other countries.

In 2020, for instance, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) made it clear that organizations — or those working on their behalf — risk violating US rules if they make ransom payments to entities on the sanctions list. The outcome is that organizations have become increasingly leery of paying a ransom “if there’s even a hint of connection to a sanctioned entity,” Chainanalysis said.

“Because of the challenges threat actors have had in extorting larger enterprises, it is possible that ransomware groups may look more toward smaller, easier targets lacking robust cybersecurity resources in exchange for lower ransom demands,” Koven says.

Declining Ransom Payments: A Continuing Trend

Coveware also released a report this week that highlighted the same downward trend among those making ransom payments. The company said its data showed that just 41% of ransomware victims in 2022 paid a ransom, compared with 50% in 2021, 70% in 2020, and 76% in 2019. Like Chainanalysis, Coveware also attributed one reason for the decline to better preparedness among organizations to deal with ransomware attacks. Specifically, high-profile attacks like the one on Colonial Pipeline were very effective in catalyzing fresh enterprise investments in new security and business continuity capabilities.

To read the complete article, visit Dark Reading.