
Cyber Criminal Revenue Takes a Dive as Organizations Increasingly Refuse Ransomware Payments

Hot on the heels of a study from Delinea suggesting that successful ransomware attacks were way down in 2022, leading blockchain analysis firm Chainalysis finds that ransomware revenue decreased by 40% over the same period. Organizations appear to be refusing ransomware payments much more often than in recent years; one leading reason is that the ransomware market has increasingly contracted into the hands of specific Russia-based gangs that now often have sanctions placed on them.

Ransomware payments decline due to sanctions, tighter cyber insurance market

The Chainalysis data finds that 2020 and 2021 were record years for ransomware payments. The prior high was $174 million in 2019; this shot to about $765 million in both of the following years. The take collected by ransomware operators is now down to $457 million in 2022.

However, as with the Delinea numbers on successful attacks, this indicates that the overall total is still quite high compared to the years prior to the Covid-19 pandemic, and it is far from time for organizations to relax. This is further supported by Chainalysis’ findings that new strains of ransomware exploded in 2022, with the average amount of time a particular ransomware strain is active hitting a record low (70 days). Compare this to an average of 473 days in circulation in 2019, and well over 1,000 days in years prior to 2016. In total, over 10,000 strains were found in the first half of 2022, though only a relatively small fraction of them end up collecting substantial amounts of money.

The overall data indicates that the market may simply be “correcting” to what was normal back before the pandemic, which opened up many new opportunities for cyber criminals with a very sudden and massive shift to remote work and cloud-based collaboration models. However, certain recent actions are having a clear impact on ransomware operators. Chief among these has been the sanctions that the United States and other governments have placed on major ransomware operators.

One of the central examples of this is Conti, which was the leading ransomware strain through the latter half of 2021 going into 2022. After the Ukraine invasion began, Conti group members decided to take a public stand in support of their native Russia and make threats of getting involved in retaliatory efforts. This led to an internal schism in the ransomware gang that ended with internal documents being leaked indicating some members had been in contact with Russia’s state-backed FSB hacking teams about assisting them. That was all the US government needed to slap sanctions on the group, making it vastly more expensive for anyone hit by them to make ransomware payments.

However, Conti also demonstrates why it is so difficult to put a permanent end to ransomware gangs and ransomware payments. Once the sanction heat was turned up on them, the group simply closed up the brand and split off into smaller brands. Altered versions of its ransomware continue to proliferate, and its former ransomware-as-a-service clients simply flock either to these new groups or to other big players that have not yet been sanctioned.

Lack of cyber insurance, increasing awareness of backups also contributing to ransomware payments

While the demise of Conti (and concurrent spikes in newer non-sanctioned ransomware as they lost market share, such as Hive) demonstrates that sanctions on big players can definitely have a measurable impact, the decline in ransomware payments can also be attributed to an increasing inability to pay.

Many organizations responded to the resurgence in ransomware by simply buying insurance for it, paying the ransom demands and hoping for the best. As of 2021 that started to become untenable, however, and continued contraction of the insurance market in 2022 made it tough for many organizations to carry adequate coverage. Insurers are now demanding higher premiums, requiring clients to clear higher bars to obtain or renew coverage, and in at least a few cases simply refusing to cover ransomware entirely.

Thus the “pay it and let insurance take care of it” approach is sharply on the decline. If an organization is approved for ransomware insurance these days, they are likely to be required to demonstrate that certain security measures are in place as well as a comprehensive and regular backup system. Some organizations may have decided that simply implementing these measures anyway is good enough; this tracks with the Delinea study, which found that the most relied-upon ransomware defense in 2022 was a robust backup system that can be relied upon to restore systems to normal in the event of compromise. Chainalysis additionally observes that warnings about the importance of both online and offline backups that began to be sounded in 2019 have finally trickled out across the business world in a broad way and reached the implementation stage.

Theresa Le, Chief Claims Officer at Cowbell, has an insider’s perspective on this change: “Policyholders have tightened their cybersecurity controls driven by cyber insurers’ underwriting requirements. With controls such as viable and tested backups, employee training on phishing emails, and the systematic deployment of MFA, many businesses have either thwarted ransomware attacks or significantly reduced the severity of a ransomware incident by having a recovery strategy that does not include making the extortion payment.”

However, experts caution that backups are not a “magic bullet” and should not be considered a simpler replacement for proactive security. Darren Guccione, CEO and Co-Founder at Keeper Security, advises that restoring from backups could potentially take months and leave organizations more vulnerable in the interim: “Attacks are constantly evolving and it is important for all organizations to be monitoring the cybersecurity landscape and ensure they have the ability to detect and prevent the latest attack vectors. Cybersecurity investment before a cybercriminal strikes is critical for organizations of all sizes. A zero-trust security model with data back-ups will limit exposure if a cyberattack occurs. Additionally, strong authentication and encryption measures on the front end will help prevent a data breach.”


Underreporting is also a factor that needs to be considered (particularly considering the present insurance situation), as Scott Scher, Senior Cyber Intelligence Analyst at Intel 471, points out: “It is a well-known fact across the cybersecurity industry that ransomware attacks/payments remain largely underreported. Government, law enforcement and the private sector all have limited visibility into ransomware impacts due to this underreporting. Even countries with mandatory data-theft reporting legislation continue to observe underreporting. The industry with the likelihood of having the most complete dataset on ransomware payments would be the cyber insurance sector.”