2022 was an impactful year in “the fight against ransomware,” according to an update from Chainalysis.
Ransomware attackers extorted “at least $456.8 million from victims in 2022, down from $765.6 million the year before.”
As always, they have to caveat these findings by noting “that the true totals are much higher, as there are cryptocurrency addresses controlled by ransomware attackers that have yet to be identified on the blockchain and incorporated into our data.”
When they published last year’s version of this report, for example, Chainalysis had “only identified $602 million in ransomware payments in 2021. Still, the trend is clear: Ransomware payments are significantly down.”
However, the Chainalysis report clarifies that this “doesn’t mean attacks are down, or at least not as much as the drastic dropoff in payments would suggest.”
Instead, Chainalysis believes that much of the decline is “due to victim organizations increasingly refusing to pay ransomware attackers.”
Despite the drop in revenue, “the number of unique ransomware strains in operation reportedly exploded in 2022,” with research from cybersecurity firm Fortinet stating “that over 10,000 unique strains were active in the first half of 2022.”
On-chain data confirms “that the number of active strains has grown significantly in recent years, but the vast majority of ransomware revenue goes to a small group of strains at any given time.”
They do, however, see turnover throughout the year “among the top-grossing strains.”
Likewise, ransomware lifespans “continue to drop.”
In 2022, the average ransomware strain “remained active for just 70 days, down from 153 in 2021 and 265 in 2020.” As noted in the update, this activity is likely “related to ransomware attackers’ efforts to obfuscate their activity, as many attackers are working with multiple strains.”
When it comes to money laundering, the data indicates “that most ransomware attackers send funds they’ve extorted to mainstream, centralized exchanges.”
In fact, the share of ransomware funds going to mainstream exchanges “grew from 39.3% in 2021 to 48.3% in 2022, while the share going to high-risk exchanges fell from 10.9% to 6.7%.”
Usage of illicit services such as darknet markets “for ransomware money laundering also decreased, while mixer usage increased from 11.6% to 15.0%.”
The constant turnover amongst top ransomware strains and the appearance of new ones would suggest “that the ransomware world is a crowded one, with a large number of criminal organizations competing with one another and new entrants constantly coming onto the scene.”
However, looks can be “deceiving.”
While many strains are active throughout the year, “the actual number of individuals who make up the ransomware ecosystem is likely quite small.”
Of course, the best-case scenario is “for organizations not to fall victim to ransomware attacks in the first place.”
To that end, Liska recommends organizations “run recurring tabletop exercises, in which all relevant teams — cybersecurity, networking, IT, server administration, backup teams, PR, finance, etc. — meet with leadership to establish how the organization can keep itself secure, identify vulnerabilities, and understand who’s responsible for all aspects of security.”
“Having a realistic picture of where your organization stands and what its weaknesses and strengths are will better prepare everyone in the event your organization is hit with a ransomware attack, and it also makes leadership aware of where it needs to invest to better secure the network, ahead of an attack.”
If more organizations can implement these best practices the way they have data backups and other security measures, we’ll hopefully “see ransomware revenue continue to fall in 2023 and beyond,” Chainalysis noted.
For more details on this update, check here.