Ransomware payments fell to US$456.8 million in 2022

In an era where the mere mention of ransomware conjures negative headlines and narratives — which organisation just fell victim, how large the pay-out was, or how the attack left operations crippled — the latest Crypto Crime Report by Chainalysis finally offers a positive sign. The company’s analysis demonstrates that in 2022, total ransomware revenue fell to its lowest in three years. And while attackers still received at least US$456.8 million, this represents a huge 40.3% drop from their ransomware earnings in 2021, which amounted to US$765.6 million.

The drop in payments does not necessarily mean there has been a drop in attacks. “The evidence suggests that the decline in attacker revenues is due to victims’ increasing unwillingness to pay their ransom demands rather than a drop in the actual number of attacks. This reluctance can be attributed to a number of factors, ranging from more widespread utilisation of solutions such as backup and recovery that mitigate the impact of attacks, to a fear of running afoul of government regulations that prohibit the payment of ransoms to organisations that are potentially affiliated with sanctioned nations and groups”, said Kim Grauer, Director of Research, Chainalysis.

The researchers were also able to shine a spotlight on the techniques that ransomware attackers are using to launder their illicit earnings. The share of ransomware funds going to mainstream cryptocurrency exchanges grew from 39.3% in 2021 to 48.3% in 2022, while the share going to high-risk exchanges fell from 10.9% to 6.7%. Usage of illicit services such as darknet markets for ransomware money laundering also decreased, while usage of mixers – services that blend cryptocurrencies of many users together to obfuscate the origins and owners of the funds – increased from 11.6% to 15.0%.

Despite the drop in number of attacks and revenue, the number of unique ransomware strains in operation reportedly exploded in 2022, with research from cybersecurity firm Fortinet stating that over 10,000 unique strains were active in the first half of 2022. But at the same time, ransomware lifespans continued to drop. In 2022, the average ransomware strain remained active for just 70 days, down from 153 in 2021 and 265 in 2020.

Warning that looks can be deceiving, Grauer stated, “The constant turnover amongst top ransomware strains and appearance of new ones would suggest that the ransomware world is a crowded one, with a large number of criminal organisations competing with one another and new entrants constantly coming onto the scene. However, while many strains are active throughout the year, the actual number of individuals who make up the ransomware ecosystem is likely quite small”.

This is evidenced in on-chain data which reveals numerous instances of single wallets receiving large payments related to several different ransomware strains at different times. “By tracking wallets associated with known attackers, we have been able to map the evolution of the ransomware industry. The large overlap we have uncovered challenges the current perception of this being an extremely large enterprise. Instead, we see that the core group of malicious actors is actually highly concentrated. And despite these attackers’ best efforts, the transparency of the blockchain is allowing investigators to spot their rebranding efforts virtually as soon as they happen”, said Grauer.