Ransomware Profits Decline as Victims Dig In, Refuse to Pay
In another sign that the tide may be finally turning against ransomware actors, ransom payments declined substantially in 2022 as more victims refused to pay their attackers — for a variety of reasons.
If the trend continues, analysts expect ransomware actors will start demanding bigger ransoms from larger victims to try to compensate for falling revenues, while also increasingly going after smaller targets that are more likely to pay (but which represent potentially smaller payoffs).
A Combination of Security Factors
“Our findings suggest that a combination of factors and best practices — such as security preparedness, sanctions, more stringent insurance policies, and the continued work of researchers — are effective in curbing payments,” says Jackie Koven, head of cyber-threat intelligence at Chainalysis.
Chainalysis said its research showed ransomware attackers extorted some $456.8 million from victims in 2022, down nearly 40% from the $765.6 million they had extracted from victims the year before. The actual number is likely to be much higher considering factors like underreporting by victims and incomplete visibility over ransomware addresses, Chainalysis conceded. Even so, there is little doubt that ransomware payments were down last year because of an increasing unwillingness by victims to pay their attackers, the company said.
“Enterprise organizations investing in cybersecurity defenses and ransomware preparedness are making a difference in the ransomware landscape,” Koven says. “As more organizations are prepared, fewer need to pay ransoms, ultimately disincentivizing ransomware cybercriminals.”
Other researchers agree. “The businesses that are most inclined not to pay are those that are well prepared for a ransomware attack,” Scott Scher, senior cyber-intelligence analyst at Intel471, tells Dark Reading. “Organizations that tend to have better data backup and recovery capabilities are definitely better prepared when it comes to resiliency to a ransomware incident and this highly likely decreases their need to pay ransom.”
Another factor, according to Chainalysis, is that paying a ransom has become legally riskier for many organizations. In recent years, the US government has imposed sanctions on many ransomware entities operating out of other countries.
In 2020, for instance, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) made it clear that organizations — or those working on their behalf — risk violating US rules if they make ransom payments to entities on the sanctions list. The outcome is that organizations have become increasingly leery of paying a ransom “if there’s even a hint of connection to a sanctioned entity,” Chainalysis said.
“Because of the challenges threat actors have had in extorting larger enterprises, it is possible that ransomware groups may look more toward smaller, easier targets lacking robust cybersecurity resources in exchange for lower ransom demands,” Koven says.
Declining Ransom Payments: A Continuing Trend
Coveware also released a report this week that highlighted the same downward trend among those making ransom payments. The company said its data showed that just 41% of ransomware victims in 2022 paid a ransom, compared with 50% in 2021, 70% in 2020, and 76% in 2019. Like Chainalysis, Coveware also attributed one reason for the decline to better preparedness among organizations to deal with ransomware attacks. Specifically, high-profile attacks like the one on Colonial Pipeline were very effective in catalyzing fresh enterprise investments in new security and business continuity capabilities.
Attacks becoming less lucrative is another factor in the mix, Coveware said. Law enforcement efforts continue to make ransomware attacks more costly to pull off. And with fewer victims paying, gangs are seeing less overall profit, so the average payoff per attack is lower. The end result is that a smaller number of cybercriminals are able to make a living off ransomware, Coveware said.
Bill Siegel, CEO and co-founder of Coveware, says that insurance companies have influenced proactive enterprise security and incident response preparedness in a positive manner in recent years. After cyber-insurance firms sustained substantial losses in 2019 and 2020, many have tightened their underwriting and renewal terms and now require insured entities to have minimum standards like MFA, backups, and incident response training.
At the same time, he believes that insurance companies have had negligible influence in enterprise decisions on whether to pay or not. “It is unfortunate, but the common misconception is that somehow insurance companies make this decision. Impacted companies make the decision,” and file a claim after the incident, he says.
Saying “No” to Exorbitant Ransomware Demands
Allan Liska, intelligence analyst at Recorded Future, points to exorbitant ransom demands over the past two years as driving the growing reluctance among victims to pay up. For many organizations, a cost-benefit analysis often indicates that not paying is the better option, he says.
“When ransom demands were [in the] five or low six figures, some organizations might have been more inclined to pay, even if they didn’t like the idea,” he says. “But a seven or eight-figure ransom demand changes that analysis, and it is often cheaper to deal with recovery costs plus any lawsuits that may stem from the attack.”
The consequences for nonpayment can vary. Mostly, when threat actors don’t receive payment, they tend to leak or sell any data they might have exfiltrated during the attack. Victim organizations also have to contend with potentially longer downtime due to recovery efforts, potential expenses related to purchasing new systems, and other costs, Intel471’s Scher says.
To organizations on the front lines of the ransomware scourge, news of the reported decline in ransom payments is likely to be of little consolation. Just this week, Yum Brands, the parent of Taco Bell, KFC, and Pizza Hut, had to close nearly 300 restaurants in the UK for a day following a ransomware attack. In another incident, a ransomware attack on Norwegian maritime fleet management software company DNV affected some 1,000 vessels belonging to around 70 operators.
Declining Revenues Spur Gangs in New Directions
Such attacks continued unabated through 2022 and most expect little respite from attack volumes in 2023 either. Chainalysis’ research, for instance, showed that despite falling ransomware revenues, the number of unique ransomware strains that threat operators deployed last year surged to over 10,000 just in the first half of 2022.
In many instances, individual groups deployed multiple strains at the same time to improve their chances of generating revenue from these attacks. Ransomware operators also kept cycling through different strains faster than ever before — the average new ransomware strain was active for just 70 days — likely in an effort to obfuscate their activity.
There are signs that falling ransomware revenues are putting pressure on ransomware operators.
Coveware, for instance, found that average ransom payments in the last quarter of 2022 surged 58% over the previous quarter to $408,644, while the median payment skyrocketed 342% to $185,972 over the same period. The company attributed the increase to attempts by cyberattackers to compensate for broader revenue declines through the year.
“As the expected profitability of a given ransomware attack declines for cybercriminals, they have attempted to compensate by adjusting their own tactics,” Coveware said. “Threat actors are moving slightly up the market to try and justify larger initial demands in the hopes that they result in large ransom payments, even as their own success rate declines.”
Another sign is that many ransomware operators began re-extorting victims after extracting money from them the first time, Coveware said. Re-extortion has traditionally been a tactic reserved for small business victims. But in 2022, groups that have traditionally targeted mid- to large-size companies began employing the tactic as well, likely as a result of financial pressures, Coveware said.