New studies conducted by Chainalysis, a blockchian analysis firm, and Coveware, a cybersecurity analysis firm, suggest that the profitability of ransomware may be on the decline as the percentage of victims paying ransoms fell dramatically in 2022.

The Chainalysis study indicates that payments to ransomware-connected cryptocurrency addresses fell from $766 million in 2021 to $457 million in 2022.  However, because this amount does not include addresses controlled by attackers that have yet to be identified, the true totals are likely much higher.

In addition to decreasing payments, the study shows attackers are switching between malware strains more quickly, likely in an attempt to hide their activities. 

Attackers are also keeping their funds away from the funds-mixing destinations of the past in favor of mainstream cryptocurrency exchanges.  This does not necessarily indicate a mature market with a higher cost of entry; there’s more to it than typical economics. 

Specific strains of malware bring different risk factors to ransom negotiations.  When Conti, a major ransomware strain, was found to be engaging with the Kremlin and Russia’s Federal Security Service (FSB), victims had another reason not to pay up; government sanctions.  One notable holdout was CD Projekt Red, maker of the games Cyberpunk 2077 and The Witcher.

Conti’s leadership split up and ended up working inside a number of other ransomware groups.  What this means is that while ransomware may look like a huge market with thousands of participants, it is actually still a small traceable group of core actors that can be monitored. 

Coveware is seeing similar trends and reports that while victims were paying 85 percent of the time in Q1 of 2019, they only paid 37 percent in Q4 of 2022.  Coveware credits this downward trend to investments in security and response planning, fund recovery improvements in law enforcement and arresting actors, along with the compounding effects of diminished payments pushing attackers out of the market.

Another potential development relative to the non-payment squeeze on attackers is the sizeable rise of the average and median ransom payments in the last quarter of 2022 from just the quarter before.  The median size of a ransomware victim also rose, with a particular spike to record levels in the last half of 2022.

What these studies suggest is that attackers are being forced to hunt for bigger game, targeting larger firms for a more substantial upfront demand.  Additionally, more firms are pursuing previous victims for re-extortion, which is something that was previously practiced only by smaller firms targeting smaller companies.  "RaaS (Ransomware as a Service) groups care less than their predecessors about upholding their reputation," Coveware's post explains. "Ransomware actors are first and foremost driven by economics, and when the economics are dire enough, they will stoop to levels of deception and duplicity to recoup their losses."

From ARSTechnica