Ransomware Payments Down 40% in 2022

According to the blockchain analysis firm Chainalysis, ransomware payments dropped from $766 million in 2021 to $457 million in 2022

There is a bit of good news in the “world of ransomware” if such a thing exists. According to the blockchain analysis firm Chainalysis, ransomware payments dropped significantly in 2022 — going from $766 million in 2021 to $457 million this past year.

In addition, Chainalysis said it tracked $765 million in ransomware payments in 2020, $174 million in 2019, and just over $40 million in both 2018 and 2017.

Unveiling the results of its research in a blog post, the company conceded that “the true totals are much higher” due to cryptocurrency addresses that are yet to be identified. Chainalysis suggests that the decline reflects fewer victims paying the ransom rather than fewer attacks occurring.

Jackie Koven, Chainalysis head of cyber intelligence, said that the vast majority of the $457 million figure is made up of bitcoin, with some Ethereum transfers included as well. In contrast, privacy coins like Monero make up a small percentage of ransomware payments.

“One reason is [privacy coins] aren’t as liquid as Bitcoin and other cryptocurrencies,” Koven said. “Especially now that many exchanges have delisted privacy coins given regulatory guidance, they’re increasingly impractical. Cryptocurrency is only useful if you can buy and sell goods and services or cash out into fiat, and that is much more difficult with privacy coins. As we acknowledge in the report, our data does improve over time and we expect our ransomware figures to grow in subsequent reports, but have no reason to believe it will reach levels seen in 2020 and 2021.”

Chainalysis says there are two primary reasons for the sharp decline in ransomware payments. First, the firm referenced the threat of sanctions, providing a September 2021 advisory by the U.S. Department of the Treasury’s Office of Foreign Assets Control as an example. Second, cyber insurance firms are demanding steeper cyber-readiness requirements from customers before agreeing to insure them.

Chainalysis also referenced data from incident response firm Coveware, which claimed that only 41% of victims paid the ransom in 2022, down from 50% in 2021 and 70% in 2020.

Chainalysis’ report also explores the average lifespan of a ransomware strain: the average strain remained active for 70 days in 2022, down from 153 days in 2021 and 265 in 2020. According to the report, this is “likely related to ransomware attackers’ efforts to obfuscate their activity, as many attackers are working with multiple strains.”

The research claimed that despite the constant appearance of new strains, the actual number of individuals who make up the ransomware ecosystem is “likely quite small.” This is due in large part to affiliate overlap.

“Most ransomware strains function on the ransomware-as-a-service (RaaS) model, in which the developers of a ransomware strain allow other cybercriminals, known as affiliates, to use the administrator’s malware to carry out attacks in exchange for a small, fixed cut of the proceeds,” the blog post read. “However, we’ve seen time and time again that many affiliates carry out attacks for several different strains. So, while dozens of ransomware strains may technically have been active throughout 2022, many of the attacks attributed to those strains were likely carried out by the same affiliates.”

Finally, it’s interesting to read Chainalysis’ comparison of the ransomware ecosystem to the ride-sharing industry — even though a driver might work with Uber, Lyft, and other providers, it’s still just a single driver behind the wheel.