Ransomware gangs extorted from victims about $456.8 million throughout 2022, a drop of roughly 40% from the record-breaking $765 million recorded in the previous two years.
According to data from blockchain analytics company Chainalysis, this drastic decline in ransomware profits is not driven by fewer attacks but the victims’ refuse to pay the hackers.
2022 was one of the most active years in ransomware activity, with thousands of file-encrypting malware strains targeting organizations of all sizes.
However, likely due to diminishing profits, among other reasons, the average ransomware lifespan dropped from 153 days in 2021 to just 70 days in 2022.
The year was marked by the end of the Conti operation and the emergence of new ransomware-as-a-service activities like Royal, Play, and BlackBasta. Meanwhile, the operators of LockBit, Hive, Cuba, BlackCat, and Ragnar ransomware maintained a relatively steady flow of victims throughout 2022.
Victims won’t pay
Despite the multiple extortion tactics employed by ransomware operators – e.g. file encryption, DDoS attacks, threats to leak stolen data or to inform data protection authorities of a breach – a growing number of victims refuse to meet the threat actors’ demands.
Cyber-intelligence firm Coveware says there’s an identifiable trend since 2019 in its stats, showing that victim paying rates are constantly dropping.
In 2019, 76% of ransomware victims chose to pay the ransom while only 24% dealt with the consequences instead. This trend changed in 2022, as 59% of victims chose not to pay the ransom.
The past year marked a significant psychological turning point for both attackers and defenders. 2022 was the first year when more ransomware victims decided not to pay. This shift in behavior highlights a change in the perception and approach toward handling ransomware attacks.
This change can be attributed mainly to three things:
- The victims realize that paying the ransom does not guarantee they will get their files back and that the threat actors will delete the stolen files.
- The public perception of ransomware attacks has matured, and data leaks resulting from these incidents tend to have an attenuated effect on brand reputation tarnishing.
- Organizations are following better backup strategies which are also required for ransomware coverage insurers, often giving them a way to restore their IT infrastructure in cases of attack.
Even if victims are handling ransomware attacks differently than two years ago, completely discouraging the operators by not paying them is still a distant goal.
As long as the percentage of paying victims is significant or hackers cash in larger amounts from higher-value targets, ransomware attacks will be a present threat.