Researchers say cybercriminal groups’ incomes have fallen by 40% as victims refuse to pay ransoms.
Cryptocurrency experts Chainalysis say that ransomware groups bilked victims of at least $457 million in 2022, down $311 million from the year before.
The true numbers are likely higher, but experts agree that fewer victims are paying.
However, despite the fall in criminal income, the number of attacks is increasing.
Companies, governments, schools and even hospitals around the world regularly fall victim to ransomware hackers who block access to their IT systems until a ransom is paid, usually in Bitcoin.
Hackers also often threaten to publish or sell stolen data.
Recent high-profile victims include The Guardian newspaper, delivery company Royal Mail and Canadian children’s hospital Sick Kids.
Many ransomware groups are believed to be based in Russia, although Russian officials deny that the country is a haven for the groups.
Bitcoin wallet tracking
Chainalysis analysts monitor the flow of money into Bitcoin wallets known to belong to ransomware groups.
The researchers say that the criminal proceeds are much higher than what they see, as the hackers are likely using other wallets as well.
Still, the company says the trend is clear: ransomware payouts have decreased significantly.
Bill Siegel of Coveware, which specializes in negotiating with hackers, agrees.
Coveware's customers are increasingly reluctant to give in to hackers, who can demand millions of dollars.
In 2022, 41% of its customers paid the ransom, compared to 70% in 2020, he said.
No government has outlawed ransom payments to hackers, but Mr. Siegel and other cyber experts believe that US sanctions against hacking groups or those with ties to Russia’s Federal Security Service have made paying some groups legally risky.
“We refuse to pay the ransom if there is even a hint of connection with a sanctioned organization,” Mr. Siegel said.
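The two checks described above, inflow tallying against a list of attributed wallets and a refusal rule for any destination with a sanctions link, can be sketched in a few lines. The following is an added illustration, not code from the article, Chainalysis or Coveware; every address, group label, transaction and dollar amount in it is a constructed placeholder, and the one-hop "forwarded funds to a sanctioned wallet" rule is an assumed interpretation of "even a hint of connection".

```python
"""Added example: tally inflows to attributed ransomware wallets per year and
screen a proposed payment destination for sanctions exposure.

All addresses, labels, amounts and transactions are constructed placeholders."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WalletLabel:
    group: str
    sanctioned: bool  # True if the group or its affiliates appear on a sanctions list


# Constructed watch list: address -> attribution (hypothetical values).
WATCHLIST = {
    "addr-group-a-1": WalletLabel("GroupA", sanctioned=True),
    "addr-group-a-2": WalletLabel("GroupA", sanctioned=True),
    "addr-group-b-1": WalletLabel("GroupB", sanctioned=False),
}

# Constructed ledger: (year, from_address, to_address, amount_usd).
TRANSACTIONS = [
    (2021, "victim-1", "addr-group-a-1", 500_000),
    (2021, "victim-2", "addr-group-b-1", 250_000),
    (2021, "victim-3", "addr-group-a-2", 50_000),
    (2022, "victim-4", "addr-group-a-1", 120_000),
    (2022, "victim-5", "addr-group-b-1", 300_000),
    (2022, "intermediary-x", "addr-group-a-2", 60_000),  # pass-through wallet
    (2022, "exchange", "unrelated-addr", 999_999),       # not attributed; ignored
]


def inflows_by_year(transactions, watchlist):
    """Sum payments landing in attributed wallets, keyed by year.

    Only the attributed wallets are counted, which is why the real total is
    higher than what any watch list can see."""
    totals = defaultdict(int)
    for year, _src, dst, amount in transactions:
        if dst in watchlist:
            totals[year] += amount
    return dict(totals)


def year_over_year_change(totals, prev_year, cur_year):
    """Fractional change between two years, or None if the base year is empty."""
    base = totals.get(prev_year, 0)
    if base == 0:
        return None
    return (totals.get(cur_year, 0) - base) / base


def screen_payment(dst, transactions, watchlist):
    """Return (allowed, reason) for a proposed payment destination.

    Refuses direct attribution to a sanctioned group, and (assumed rule) any
    address that has itself forwarded funds to a sanctioned wallet."""
    label = watchlist.get(dst)
    if label is not None and label.sanctioned:
        return False, f"attributed to sanctioned group {label.group}"
    for _year, src, downstream, _amt in transactions:
        down_label = watchlist.get(downstream)
        if src == dst and down_label is not None and down_label.sanctioned:
            return False, f"forwarded funds to sanctioned group {down_label.group}"
    if label is None:
        return True, "no attribution or sanctions link found"
    return True, f"attributed to {label.group}; not sanctioned"


if __name__ == "__main__":
    totals = inflows_by_year(TRANSACTIONS, WATCHLIST)
    print("inflows by year:", totals)
    print("2021 -> 2022 change:", year_over_year_change(totals, 2021, 2022))
    for candidate in ("addr-group-b-1", "addr-group-a-1", "intermediary-x", "fresh-addr"):
        print(candidate, "->", screen_payment(candidate, TRANSACTIONS, WATCHLIST))
```

The screening step is deliberately conservative: an address with no attribution at all passes, but one that has already moved money on to a sanctioned wallet is refused, matching the "even a hint of connection" posture a negotiator describes.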
Other factors may also play a role, including increased awareness of ransomware, which leads to improved cybersecurity in organizations.
“It’s definitely getting harder for hackers to get paid for ransomware attacks,” said Brett Callow, threat researcher at cybersecurity firm Emsisoft.
Companies have become better at securing their backups, reducing the need to pay hackers to restore them, he added.
“Furthermore, because ransomware attacks have become so common, they are less of a PR disaster for companies, making it less likely that they will pay to keep incidents quiet and out of the news.”
The attacks are increasing
Despite the drop in revenue, 2022 saw a sharp increase in the number of unique strains of ransomware used in attacks.
A study by cybersecurity firm Fortinet found that more than 10,000 unique types of malware were active in the first half of 2022.
Last year’s decline in attacks could be attributed to law enforcement actions, mostly by US authorities, that led to the disbanding of some of the biggest ransomware groups.
In November 2021, alleged members of the REvil group were arrested worldwide in a global police operation, with US authorities seizing more than $6 million in cryptocurrency in a so-called “knockback” hacking operation.
This follows a similar operation in the US in June 2021 that took the Darkside gang offline and recovered $4.1 million in stolen funds.
It is believed that these actions may have forced criminals to work in smaller groups, as well as undermining trust between gangs.
Criminals now appear to be carrying out a greater number of smaller attacks instead of going after large Western targets – the so-called “big game hunt” – where big payouts are more likely.
“While big game hunting may have become more complex, it’s still rewarding,” said Jackie Burns Koven, head of cyber threat intelligence at Chainalysis.
She warns that ransomware is still extremely profitable, and that small organizations need to be even more vigilant as hackers cast a wider net in an attempt to cash in.