Ransomware Revenue Dropped By 40% in 2022: Here’s Why

Ransomware attacks were significantly less lucrative in 2022 compared to the year before.
Neither the author, Tim Fries, nor this website, The Tokenist, provide financial advice. Please consult our website policy prior to making financial decisions.

Chainalysis’ latest crypto crime report shows a 40% decrease in ransomware revenue in 2022 compared to 2021. Despite the decline in profitability, however, the number of distinct malware strains deployed increased markedly.

Smaller Payouts, More Ransomware Attacks

Ahead of the full 2023 Crypto Crime Report in February, blockchain analytics company Chainalysis outlined some notable trends in crypto cybersecurity. Digital assets are inherently exposed to attacks such as malware because they exist only in digital form.

In turn, digital platforms are easy targets for malicious software. Ransomware in particular is malware that encrypts vital user data or even locks the device until the targeted victim pays the ransom. Despite over 12,000 crypto assets having gone a month with zero trading, the popularity of cryptocurrencies has skyrocketed since 2018. Ransomware attacks followed in lockstep.

It is not surprising that Chainalysis marked the bull runs of 2020/21 as the most fertile years for ransomware payments. Image credit: Chainalysis

When the 2021 bull run reversed into crypto winter during 2022, ransomware revenue dropped by 40%, from $766 million to $457 million. However, Chainalysis noted that cybersecurity firm Fortinet detected an explosion of unique malware strains in the first half of 2021.

Despite their evolution and number, only a handful of ransomware strains were dominant throughout 2022. The year started with the heavy dominance of Conti, Play, Lockbit, and Hive, and ended with the rising spread of Daixin, Royal, and BlackBasta.

Ransomware Strain Efficacy Drastically Weakening

Once a malware strain is deployed, its lifespan depends on the complexity of its code and on the measures its operators take to keep it active. Specifically, a strain’s lifespan depends on the following:

  • The effectiveness of the malware’s encryption algorithm.
  • The ability of the malware’s authors to continually update and adapt the code to bypass security measures.
  • The malware’s ability to evade detection measures by security software.

One of the most notable ransomware attacks to attract public attention happened in late April 2021. The target was Colonial Pipeline, and the attack disrupted gas distribution along the East Coast of the United States. With the stakes high, the company decided to pay $4.4 million in Bitcoin, most of which was later recovered by the FBI’s cyber division.

The hacker group responsible, DarkSide, had previously made a name for itself by donating stolen Bitcoin to charity.

Since Chainalysis began tracking the average lifespan of ransomware strains, 2022 saw the lowest on record. At an average active period of 70 days, the length of time a strain remained ‘ransom-worthy’ decreased by 54% compared to 2021.

Image credit: Chainalysis

When they succeed in extorting funds, ransomware criminals typically move them from malware wallets to mainstream centralized exchanges (CEXes): 48.3% of extorted funds went this route in 2022, compared to 39.3% the year prior.

The next most popular destinations for extorted assets are illicit darknet services and mixing protocols. Interestingly, high-risk exchanges are being used less in favor of mainstream CEXes, while the share going to mixers rose slightly from 11.6% to 15%.

When it comes to creating the malware itself, ransomware attackers have established a ransomware-as-a-service (RaaS) business model. This allows less experienced operators to use the administrator’s malware in exchange for a fixed cut of the funds extorted.


What Is Driving the Halving of Ransomware Revenue?

In addition to record-low average ransomware lifespans, victims have become less likely to pay with each passing year. In 2019, the majority of ransomware targets were willing to pay, with a refusal rate of only 24%.

Image credit: Chainalysis

This trend continued into 2022, when the refusal rate reached a record 59%, crossing the majority threshold after a roughly even split in 2021. Chainalysis attributes this growing resistance to new guidelines issued by OFAC.

OFAC Discouraged Ransomware Payouts

In September 2021, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued a new advisory that warned that compliance with ransomware demands may violate sanctions regulations and may result in severe penalties for both the victim and the ransomware group.

Violations of OFAC sanctions can result in civil penalties, including fines of up to $295,141 per violation or twice the amount of the transaction, whichever is greater. Criminal penalties can also be imposed, including fines and imprisonment for up to 20 years. This is one of the main reasons Circle started blocking stablecoin wallets that interacted with the Tornado Cash mixer.

OFAC’s reach has become so strong that even the largest NFT marketplace, OpenSea, started geo-blocking Cuban artists. Likewise, the Binance-funded PancakeSwap started doing the same, despite styling itself as “the most popular decentralized platform in the galaxy.”

The Uptick in Cyber Insurance

Lastly, in addition to the looming OFAC threat, cyber insurers have changed their terms significantly in response to ransomware attacks.

“Cyber insurance has really taken the lead in tightening not only who they will insure, but also what insurance payments can be used for, so they are much less likely to allow their clients to use an insurance payout to pay a ransom,” said Allan Liska of Recorded Future.

To prevent ransomware attacks in the first place, it is highly recommended to update the operating system and software regularly, as new vulnerabilities are discovered and patched. It is also important to segment networks and back up important data so that files can be restored without paying the attackers.
