Researchers estimated that total ransomware revenue dropped 40.3% in 2022, with several indicators signaling a drop in the number of victims willing to pay, or perhaps to report, ransom payments.
According to a Chainalysis report released Thursday, total funds sent to known ransomware addresses globally fell from $765.5 million in 2021 to $456.8 million in 2022, with evidence suggesting that this huge drop is due to an increasing unwillingness on the part of victims to pay ransom demands rather than a decline in the actual number of attacks.
"Since 2019, victim payment rates have fallen from 76% to just 41%," the report noted. "One big factor is that paying ransoms has become legally riskier, especially following an OFAC advisory in September 2021 on the potential for sanctions violations when paying ransoms."
Indeed, governments' approach to ransomware response has continued to evolve.
In the September 2021 OFAC advisory, the U.S. Treasury Department warned that it could take action against those who pay ransoms to entities on its sanctions list. In March 2022, Congress passed legislation that requires critical infrastructure entities to report any ransom payments they make. Outside the U.S., the European Union has even tighter legislation on ransomware response, which allows member states to impose fines for paying ransoms under the Security of Network and Information Systems Directive.
According to Gartner, a technological research and consulting firm, the percentage of countries passing legislation to regulate ransomware payments and fines will rise to 30% by the end of 2025, from less than 1% in 2021.
However, despite the significant decline in ransomware revenue under tightening legislation over the past year, the implications of regulating ransomware payments are still controversial. Some experts argued that this drop might also be due to victims' unwillingness to report their ransomware payments for fear of legal consequences.
"Ransomware has severe consequences for an organization's brand and reputation, which results in many, if not most, ransomware incidents and payments going unreported. That is, unfortunately, the most likely reason for the apparent decline," said Darren Guccione, CEO and Co-Founder at Keeper Security.
Apart from stricter government regulations, other factors could explain the drop in ransomware payments.
First, cyber insurance firms, which usually reimburse victims for ransomware payments, have played an essential role in the decline in ransomware payments.
"Cyber insurance has really taken the lead in tightening not only who they will insure, but also what insurance payments can be used for, so they are much less likely to allow their clients to use an insurance payout to pay a ransom," Allan Liska, intelligence analyst and ransomware expert at Recorded Future, told Chainalysis.
Jason Rebholz, chief information security officer at Corvus Insurance, agreed with Liska and told SC Media that the tightened underwriting standards within the cyber insurance industry also play a critical role.
"In 2022, Corvus observed that only 32% of ransomware victims paid the ransom. This speaks less to the victim's willingness to pay and more to the increased investment in resilient backups. This takes the decision of whether they are forced to pay out of the equation. Thankfully, more organizations are positioning themselves to have backups available to restore operations without having to pay a ransom," Rebholz said.
In addition, the Russia-Ukraine war could also be contributing to a drop in ransomware revenue as tightening economic sanctions have made it harder for organizations to pay ransoms to Russian-originated actors.
"With the advent of Russia's invasion of Ukraine in early 2022, many state governments, including the US's OFAC, instituted sanctions on Russia, and this included ransomware payments made to Russia-based attacker organizations," Jordan LaRose, practice director for infrastructure services at NCC Group, told SC Media.
LaRose also said that deciding whether to pay an attacker is a risk-based decision, made under increasing regulation of ransomware payments and in a complicated political environment. "Both the awareness companies have and the overall risk of making ransomware payments have increased exponentially in 2022 and continue to increase in 2023," he said.