Ransomware victims stand up to attackers
The drop in payments is encouraging, but a lack of transparency around ransomware reporting makes it hard to say why organizations refuse to pay, researchers say.
Fewer ransomware victims are paying to unlock their data.
Researchers at blockchain analysis firm Chainalysis found that total global revenue from ransomware payments across all sectors dropped to $457 million last year, compared to $766 million in 2021, a drop of 40.3%.
One reason for the drop in payments could be that the ransomware gangs responsible for many of these attacks are finding themselves under more pressure from law enforcement agencies, which have gotten more effective at obstructing their criminal operations. The Department of Justice recently announced it has been conducting a disruption campaign against the Hive ransomware group, which included offering decryption keys to victims and seizing control of Hive servers.
Another reason payments have declined may be cyber insurance companies’ more stringent coverage requirements has forced businesses and governments to improve their security posture, said Jackie Koven, Chainalysis’ head of cyber threat intelligence. Plus, a more robust and secure data backup regime has helped many organizations prevent disruption following attacks and restore service without negotiating with their hackers.
New state laws in Florida and North Carolina that make it illegal for government entities to pay a ransom could have had an effect, Koven said, but it is “too early to tell” their full impact. Instead, she said an “amalgamation of public- and private-sector efforts” are “having this coordinated front of preventing payments.”
A separate report in early January from cybersecurity software company Emsisoft found that in 2022, 106 local governments in the United States were hit by ransomware attacks, an increase from last year’s mark of 77. The company noted that the 2022 number is skewed by an attack on Miller County, Arkansas, where one compromised mainframe spread malware to 55 other counties.
The only local government known to have paid a ransom in 2022 was Quincy, Massachusetts, which spent $500,000 on a decryption key to regain access to its systems after a May attack.
Despite the encouraging numbers in ransomware attacks and payments, researchers urged caution. Brett Callow, a threat analyst at Emsisoft, noted there are still no requirements for every attack to be reported publicly, which clouds the actual consequences of ransomware. Some victims may be reluctant to report being compromised for fear of jeopardizing ongoing investigations, endangering negotiations with their attackers or exposing themselves to a class-action lawsuit by impacted residents or users.
“One thing I do believe in is greater transparency,” Callow said. “How many governments have had ransomware attacks, how many paid the ransom, how many school districts did? It should be an easy question to answer. But it isn’t, and the problem is lawmakers can't see the impacts of their policies. How do they know whether they're working?”
While Koven said the one-year drop in ransomware payments may prove to be “fragile,” both she and Callow said ransomware attacks will continue to evolve as gangs look to maximize their return on investment and stay one step ahead of law enforcement. Koven said even though the Hive disruption is significant, cybercrime will continue.
“We certainly aren't naive enough to believe that they'll hang up their hats and go find a 9-5 somewhere,” she said. “What typically happens is that threat actors don't go away, they go somewhere else, to another form of crime, where the ROI is more profitable.”
Callow noted that any stronger action from the government, like a federal ban on payments or strengthened security, will also prompt a response from cybercriminals. “If the government changes its strategy, they will try and change,” he said.