Chris Swagler | January 27th, 2023

According to new data, ransomware payments declined by more than 40% in 2022 compared to 2021, with victim companies refusing to pay their extortionists. In the ransomware section of its 2023 crypto crime report, a blockchain analysis company found that ransomware threat operators extorted $456.8 million from victims in 2022. This is a huge decrease from $765.6 million in 2021 and $765 million in 2020. The true totals are likely to be greater because ransomware threat operators possess cryptocurrency addresses that have yet to be discovered on the blockchain and added to its data. Nonetheless, there’s a clear downward trend in ransomware payments. After two years of growth in ransomware revenue, it’s surprising and encouraging to see ransomware payments decreasing, and the hope is that the trend continues in 2023. The trend is primarily due to victim companies being less willing to pay extortion demands when infected with ransomware.

Growing government pressure and the repercussions of paying ransomware demands are key reasons for the rising reluctance. Since the start of the Russia-Ukraine conflict, there has been an increase in the number of prominent ransomware groups tied to the Russian state. Conti, for example, explicitly declared its support for the Kremlin’s invasion in February 2022. Soon after, a large breach of internal data revealed its connection to Russia’s Federal Security Service (FSB). Many ransomware victims and incident response companies concluded that paying Conti threat actors was too risky, given that the FSB is a sanctioned entity. Even though Conti announced its closure in May 2022, numerous former threat actors are thought to be still operating in the cybercrime underworld.

Governments have taken additional steps in recent years to make ransom payments legally risky but have fallen short of prohibiting them entirely. These steps include United States government advisories alerting companies about the repercussions of paying cyber threat actors operating under economic sanctions. Another important element in victims’ increasing unwillingness to pay is the growing importance of cyber insurance. Insurers are becoming more stringent about the uses of insurance payouts and are less likely to cover clients’ ransom payments. Additionally, insurance companies are asking their clients to strengthen their cybersecurity measures with comprehensive backup systems that allow them to recover quickly from a ransomware attack. A combination of other best practices, including security preparedness, sanctions, more stringent insurance policies, and the ongoing work of researchers finding encryption flaws, is effective in reducing payments and ransomware actors’ extortion.

Research shows how extortion groups’ techniques are evolving in response to increased law enforcement activities in the area. Despite the decline in revenue, the number of unique ransomware strains in operation increased in 2022. On-chain statistics, however, revealed that most of the ransomware revenue went to a small group of strains. In 2022, there appeared to be regular “rebranding” of ransomware strains as threat actors worked to conceal their operations. The average ransomware strain was active for only 70 days in 2022, a significant decrease from 153 days in 2021 and 265 days in 2020. According to researchers, cybercriminals are shifting away from traditional ransomware extortion tactics and toward exfiltration-based strategies to entice more companies to pay the ransom. Additionally, there’s an increase in data extortion incidents, where data is exfiltrated from victims’ systems but not encrypted, as is generally the final stage in ransomware. The exfiltration-based extortion tactic is most likely an attempt by threat actors to avoid being labeled as ransomware, which can delay or hinder victims’ ability or willingness to pay the extortion; however, these cases are included in the metrics.

Most ransomware strains operate on the ransomware-as-a-service (RaaS) model, allowing developers to use the administrator’s malware to carry out attacks in exchange for a modest, fixed share of the earnings. Numerous affiliates are carrying out attacks for multiple strains, and the trend is expected to continue in 2023. The data and research show that the underground economy that drives the attack kill chain for ransomware and extortion will continue to grow, and the continuous selling of access to victims’ networks and credentials is expected to lead to persistent attacks in 2023.

Even though victims are responding differently to ransomware attacks than they were two years ago, totally discouraging threat operators by refusing to pay them remains a distant goal. Ransomware attacks will continue to be a threat if the percentage of paying victims remains high or threat operators profit from higher-value targets. That’s why it’s important for companies to always remain ahead of the current threat landscape and regularly back up their data networks to avoid paying a ransom. At SpearTip, our certified engineers discover blind spots in companies that can lead to significant compromises by comparing technology and internal personnel. SpearTip goes beyond simple compliance frameworks and examines the day-to-day function of cyber within companies. This can lead to critical recommendations by exposing vulnerabilities not only in software, but in companies’ people and processes.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.