Ransomware Revenue Down As More Victims Refuse to Pay

Researchers at Chainanalysis have released the ransomware section of their 2023 Crypto Crime report, revealing that ransomware payments fell from $766m in 2021 to $457m in 2022

Chainanalysis was quick to point out that this does not mean attacks are down, or at least not as much as the drastic dropoff in payments would suggest. Much of the decline is due to victim organisations increasingly refusing to pay ransomware attackers. 

One major factor in victim rates falling by  76% to just 41% since 2019 is that paying ransoms has become shaky legal ground – an OFAC advisory in September 2021 outlined  the potential for sanctions violations when paying ransoms. 

The conflict in Ukraine was also highlighted as a potential reason for falling ransomware revenue. Major ransomware groups, Conti for example, while not being sanctioned themselves, have ties to Russia’s Federal Security Service (FSB) which is a sanctioned organisation. 

Chainalysis also cited cyber insurance firms as a key driver of falling ransomware revenue. Recorded Future intelligence analyst and ransomware expert Allan Liska, also known as the Ransomware Sommelier was quoted in the report, arguing that “cyber insurance has really taken the lead in tightening not only who they will insure, but also what insurance payments can be used for, so they are much less likely to allow their clients to use an insurance payout to pay a ransom.” 

Despite the drop in revenue, the number of unique ransomware strains in operation reportedly exploded in 2022, with research from cybersecurity firm Fortinet stating that over 10,000 unique strains were active in the first half of 2022. On-chain data confirms that the number of active strains has grown significantly in recent years. 

But it isn’t only ransomware revenue that has fallen – ransomware lifespans have plummeted, falling from an average of 3907 to a measly 70 days over the past ten years. According to Chainanalysis, “this is likely related to ransomware attackers’ efforts to obfuscate their activity, as many attackers are working with multiple strains.”

.