From $765.6 million to $456.8 million: Ransom payments to cybercriminals fell 40% in 2022 from the previous two years. This conclusion of the Crypto Crime report by Chainalysis, one of the leading companies in the field of monitoring cryptocurrency transactions on the blockchain [les paiements de rançons se font généralement en bitcoin, ndlr], finally offers hope after years of increases. It also examines the general trend of such malware being removed for ransom over the past year.
The company reminds that the real amounts paid by the victims are ” far superior to those it finds because it is almost impossible to trace all accounts used by cybercriminals, but the trend is there. Experts attribute this 40% drop not to a significant drop in the number of successful cyber attacks, but rather to a general change in crisis management by victims who now refuse to pay.
End of the vicious cycle?
Publicly, all cybersecurity experts agree: in the event of a ransomware attack, you should never pay the demanded ransom, even if cybercriminals promise that they will repair the damage they just caused. But in practice, companies give up on the hope of recovering data otherwise lost due to lack of backup, because their survival is at stake. These payments, which amount to several tens of thousands of euros and sometimes even several million euros, nourish a vicious cycle : cybercriminals reinvest part of their loot to get new tools and develop new attack methods that allow them to make more victims and therefore collect bigger loot and so on.
Because of this vicious cycle, attackers manage to innovate at the same rate as defenders, and detection tools are quickly outdated. The drop in ransom payments observed by Chainalysis may therefore buck this trend, especially as law enforcement agencies simultaneously step up their efforts to arrest cybercriminals. Although it is very difficult to dismantle their network.
Success with backups, alternatives to payment
To restart his information system, the victim is faced with two choices: pay the ransom or rebuild from his backups (if he has any). This second option can be as expensive or even more expensive than the first and takes time (several weeks or even months), but it offers much more guarantees than the payment of the ransom. Experts regularly remind that decryptors provided by cybercriminals for ransom can be faulty and even worsen the situation in the worst case. In other words, no matter what happens, the victim will have to have the tool rewritten by a specialized company, in addition to thoroughly analyzing his information system to ensure that the attackers no longer have access to it.
The drop in ransom payments therefore means that this discourse has gained in popularity, but also that companies are increasingly better prepared. According to the report by Chainalysis, the maturation of the cyber insurance sector is not for nothing, as insurance companies require the implementation of certain measures before covering their customers. For example, they insist on having strong backup systems in place that will ensure victims don’t have to start from scratch in the event of a successful ransomware attack. This measure is also accompanied by the obligation to use advanced prevention software on the market or multi-factor authentication procedures to prevent illegal access to the system.
Result: victims refuse to pay because they can afford it. According to data from Coveware, a company specializing in responding to ransomware attacks, they give in to cybercriminals’ extortion in just 41% of cases, compared to 76% in 2019 and 50% in 2021. If the carrot approach seems to work, of the whip could also partially explain the downward trend: in late 2021, Ofac (Office of Foreign Assets Control), a sub-branch of the US Treasury Department, announced that the payment of ransoms to certain gangs – especially those associated with Russian intelligence – would henceforth be assimilated to the financing of terrorism. In other words, the large American corporations are exposing themselves to legal consequences if they decide to pay, although few specific cases have been published.
Has ransomware reached a plateau?
Chainalysis attributes the drop in ransom payments primarily to a change in the mentality of victims, but at the same time, it appears that the ransomware ecosystem is slowly reaching a plateau after four years of impressive growth. According to Recorded Future analyst Allan Luska, quoted in the report, the amount of successful cyber attacks would have even decreased slightly in 2022. To arrive at this estimate, the researcher collects data from blogs where cybercriminal organizations claim their attacks and threaten to publish stolen data in the hope that victims will pay. Result: between 2021 and 2022, the number of injuries fell from 2,865 to 2,566, or 10.4%. However, this indicator remains imperfect, as cybercriminals generally do not publicize when the victim pays quickly.
Additionally, if experts find that the number of “brands” or “strains” of ransomware explode on the front page, they become less consistent. In 2022, brands remained active for an average of 70 days, two times less than in 2021 and almost four times less than in 2020! Among the most active gangs at the end of 2022, only LockBit – responsible, among other things, for the attack on the Corbeilles-Essonne hospital – was a name already known before.
In other words, an increase in the number of different ransomware strains does not necessarily reflect an increase in the number of attacks. Called “associates” in the jargon, the people who launch the attacks use multiple ransomware, delivered by different “operators”, the name given to the developers of the malware. Analysts compare the situation of affiliates to that of VTC drivers. The same affiliate can launch attacks with LockBit, Hive or BlackCat, just as a driver can drive for Uber, Lyft and Free Now. This does not mean that the number of attacks will have increased, as they will remain launched by the same person.
” The data suggests that the ransomware ecosystem is best thought of not as a collection of separate tribes, but as a small group of hackers who regularly rotate between different brands. The agility with which affiliates move between brands makes the industry look bigger than it is “, the report states. Bill Siegel, co-founder of Coveware even estimates that only “ few hundred » the number of people involved in ransomware attacks.
As long as the victims pay, the risk taken by these hundred cybercriminals remains largely profitable. However, if the downward trend observed by Chainalysis continues in the next few years, they may turn away from ransomware in favor of other more lucrative activities.