Ransomware Payments Are Down

Chainalysis reports that worldwide ransomware payments were down in 2022.

Ransomware attackers extorted at least $456.8 million from victims in 2022, down from $765.6 million the year before.

As always, we have to caveat these findings by noting that the true totals are much higher, as there are cryptocurrency addresses controlled by ransomware attackers that have yet to be identified on the blockchain and incorporated into our data. When we published last year’s version of this report, for example, we had only identified $602 million in ransomware payments in 2021. Still, the trend is clear: Ransomware payments are significantly down.

However, that doesn’t mean attacks are down, or at least not as much as the drastic drop-off in payments would suggest. Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers.

Posted on January 31, 2023 at 7:03 AM6 Comments


Franchesko January 31, 2023 7:14 AM

Probably due to the slowing of economic development globally… Interesting how even (cyber-)crime is affected by this / you can see the impact even there.

Clive Robinson January 31, 2023 10:11 AM


Re : Why pay?

From the article,

“Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers.”

I suspect that there is some degree of truth in that.

Consider that most who originally paid up were “easy marks” as they had taken no steps to protect themselves.

So not only were they hit any backups they had were of no use to them.

Thus enough people would have started to “smarten up their act” to start bringing the hit rate down.

So some ransomware operators started taking the data and then try ransoming individuals via their medical records etc

They in turn turned back on the organisations who had alowed the records to be taken.

So things got tightend up somemore.

Then there is fake ransomware where the data gets destroyed not encrypted, so no matter what you pay you don’t get your records back…

Now of course tracing crypto-payment is getting easier so the operators are getting more vulnerable.

Whilst we don’t yet know how the recent takedown of a ransomware payment back end happened, that too will have caused less people to want to pay. Because the “middle agents” who pretend to “find the keys” but actually pay the ransom now risk criminal charges themselves.

So any smart criminal will have clened up and scrubbed where they can to stop being tracked down. Leaving the less smart or those who made the stupid mistake of thinking they were beyond touch.

That is those criminals who thought they were safe in Russia under Putin have now discovered it’s pay back time and they are where possible escaping from Russia. They also will no doubt get rounded up in the next year or two…

Ted January 31, 2023 2:08 PM

we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers.

Yes, as Chainalysis mentioned, OFAC sanctions may prohibit some companies from paying.

For example, even though the Conti ransomware team isn’t sanctioned, Russia’s FSB is a sanctioned entity.

(At the start of Russia’s invasion in Ukraine, Conti publicly threw its support behind Putin’s government. Not long after a cache of its internal communications were leaked. Connections to Russia’s FSB were discovered.)

As Chainalysis reported, many victims and incident response firms decided paying Conti was too risky.

Another factor is that cyber insurers are requiring companies to have better security and backup systems in place.

Many insurers are also less likely to allow insurance proceeds to be paid out for the ransom payment.

Zian February 3, 2023 3:05 AM

The variations can still be attributed to random variation, if one uses a control chart to plot Chainanalysis’s data.

It seems that we still need more years of data before we can say that there’s been a true change in the real world.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.