Total ransomware revenue dropped to its lowest level in three years, according to the latest Crypto Crime Report by Chainalysis.
While attackers still received a significant amount of money in 2022, approximately $456.8 million, this represents a significant decrease of 40.3 percent from their earnings in 2021, which were $765.6 million.
Not a reason to be complacent
The drop in payments does not necessarily mean there has been a drop in attacks, according to Chainalysis.
“The evidence suggests that the decline in attacker revenues is due to victims’ increasing unwillingness to pay their ransom demands rather than a drop in the actual number of attacks,” said Kim Grauer, Director of Research, Chainalysis.
“This reluctance can be attributed to a number of factors, ranging from more widespread utilisation of solutions such as backup and recovery that mitigate the impact of attacks, to a fear of running afoul of government regulations that prohibit the payment of ransoms to organisations that are potentially affiliated with sanctioned nations and groups.”
The researchers also delved into the methods used by ransomware attackers to clean their illegal proceeds. They found that the proportion of ransomware funds sent to conventional cryptocurrency exchanges rose from 39.3 percent in 2021 to 48.3 percent in 2022, while the proportion sent to high-risk exchanges dropped from 10.9 percent to 6.7 percent. The use of darknet markets for money laundering also decreased, while usage of mixers, which blend different cryptocurrencies to conceal the origins and owners of the funds, rose from 11.6 percent to 15.0 percent.
Ransomware strains are still growing
While the number of ransomware attacks and revenue fell, the number of distinct ransomware strains in operation reportedly surged in 2022, with cybersecurity firm Fortinet reporting that over 10,000 unique strains were active in the first half of the year. However, the lifespan of these strains also decreased. In 2022, the average ransomware strain was active for only 70 days, down from 153 in 2021 and 265 in 2020.
“The constant turnover amongst top ransomware strains and appearance of new ones would suggest that the ransomware world is a crowded one, with a large number of criminal organisations competing with one another and new entrants constantly coming onto the scene,” said Grauer.
“However, while many strains are active throughout the year, the actual number of individuals who make up the ransomware ecosystem is likely quite small.”
This is evidenced in on-chain data which reveals numerous instances of single wallets receiving large payments related to several different ransomware strains at different times.
“By tracking wallets associated with known attackers, we have been able to map the evolution of the ransomware industry. The large overlap we have uncovered challenges the current perception of this being an extremely large enterprise. Instead, we see that the core group of malicious actors is actually highly concentrated. And despite these attackers’ best efforts, the transparency of the blockchain is allowing investigators to spot their rebranding efforts virtually as soon as they happen,” said Grauer.
