40% revenue drop in 2022 — Chainalysis


Ransomware victims have seemingly had enough of the extortion, with ransomware revenues for attackers plummeting 40% to $456.8 million in 2022.

Blockchain intelligence firm Chainalysis shared the data in a Jan. 19 report, noting that the figures don’t necessarily mean the number of attacks is down from the previous year.

Instead, Chainalysis noted that companies have been forced to tighten cybersecurity measures, while ransom victims have been increasingly unwilling to pay attackers their demands.

Total value extorted by ransomware attackers between 2017 and 2022. Source: Chainalysis.

The findings formed part of Chainalysis’ 2023 Crypto Crime Report. Last year, revenue from ransomware was a whopping $602 million at the time of the 2022 report, which was later revised up to $766 million when additional cryptocurrency wallet addresses were identified.

Chainalysis added that the nature of blockchain means that attackers are having an increasingly hard time getting away with it:

“Despite ransomware attackers’ best efforts, the transparency of the blockchain allows investigators to spot these rebranding efforts virtually as soon as they happen.”

Interestingly, ransomware attackers resorted to centralized cryptocurrency exchanges 48.3% of the time when reallocating the funds — up from 2021’s figure of 39.3%.

Destination of funds leaving ransomware wallets between 2018 and 2022. Source: Chainalysis.

Chainalysis also noted that the share of funds sent to mixer protocols, such as the now OFAC-sanctioned Tornado Cash, increased from 11.6% to 15.0% in 2022.

On the other hand, fund transfers to “high-risk” cryptocurrency exchanges fell from 10.9% to 6.7%.

Victims refusing to pay

In insights shared with Chainalysis, threat intelligence analyst Allan Liska of Recorded Future said that the United States Office of Foreign Assets Control’s (OFAC) advisory statement in September 2021 may partly account for the revenue fall:

“With the threat of sanctions looming, there’s the added threat of legal consequences for paying [ransomware attackers].”

A statistical analysis carried out by Bill Siegel, CEO of ransomware incident response firm Coveware, also suggested ransomware victims are becoming less willing to pay up:

Siegel’s probability chart suggests that ransomware victims have become increasingly unwilling to pay their attackers. Source: Chainalysis.

Cybersecurity insurance firms are also tightening up their underwriting standards, Liska explained:

“Cyber insurance has really taken the lead in tightening not only who they will insure, but also what insurance payments can be used for, so they are much less likely to allow their clients to use an insurance payout to pay a ransom.”

Many firms won’t renew policies unless the insured systems are comprehensively backed up, integrate Endpoint Detection and Response security and utilize multi-authentication mechanisms, Siegel noted.

The revenue drop came despite an explosion in the number of unique ransomware strains in circulation, according to data shared by cybersecurity firm Fortinet.

However, Siegel explained that while it looks like competition in the ransomware world is increasing, many of the new strains are being carried out by the same organizations:

“The number of core individuals involved in ransomware is incredibly small versus perception, maybe a couple hundred […] It’s the same criminals, they’re just repainting their get-away cars.”

Chainalysis also explained that the “true totals” for the figures provided in the report are likely to be much higher because not every cryptocurrency address controlled by ransomware attackers has been identified.