ARTICLE AD BOX
By Joe Tidy
Cyber reporter
Cyber-crime gangs have had a 40% drop in earnings as victims are refusing to pay ransoms, researchers say.
Cryptocurrency experts at Chainalysis say ransomware groups extorted at least $457m (£370m) from victims in 2022 - $311m less than the year before.
The true figures are likely to be higher, but experts agree that fewer victims are paying.
However, while there has been a drop in criminal revenue, the number of attacks is rising.
Companies, governments, schools and even hospitals around the world are regularly falling victim to ransomware hackers, who lock staff out of their IT systems until a ransom is paid, usually in Bitcoin.
The hackers often threaten to publish or sell stolen data too.
Recent high-profile victims include The Guardian newspaper, the Royal Mail delivery company and Sick Kids Canadian children's hospital.
Many ransomware crews are thought to be based in Russia, although Russian officials deny the country is a haven for the groups.
Tracking Bitcoin wallets
Analysts at Chainalysis track the money flowing in and out of Bitcoin wallets which are known to be owned by ransomware crews.
Researchers say the criminal proceeds will be much higher than those they can see, because the hackers are likely to use other wallets too.
Nonetheless, the company says, the trend is clear: ransomware payments are significantly down.
Bill Siegel, of Coveware, which specialises in negotiating with hackers, agrees.
His clients are becoming increasingly reluctant to give in to hackers, who can demand millions of dollars.
In 2022, 41% of his clients paid ransoms compared with 70% in 2020, he says.
No governments have made it illegal to pay hacker ransoms, but Mr Siegel and other cyber-experts think that US sanctions against hacker groups, or those with links to Russia's Federal Security Service, have made paying some groups legally risky.
"We refuse to pay ransoms if there's even a hint of connection to a sanctioned entity," Mr Seigel said.
Other factors may also be at play, including an increase in ransomware awareness leading to improved cyber-security at organisations.
"Hackers are definitely finding it harder to get paid for ransomware attacks," said Brett Callow, threat researcher at cyber-security company Emsisoft.
Companies have become better at protecting their back-ups, reducing their need to pay hackers for recovery, he added.
"Additionally, as ransomware attacks have become so common, they are less of a PR disaster for companies, making them less likely to pay to keep incidents quiet and out of the news."
Attacks on the rise
Despite the drop in revenue, the number of unique ransomware strains being used in attacks reportedly increased dramatically in 2022.
Research from cyber-security firm Fortinet found that more than 10,000 unique types of the malicious software were active in the first half of 2022.
The growth in the number of attacks last year could be connected with enforcement actions, mainly by the US authorities, which caused some of the largest ransomware groups to disband.
In November 2021, alleged members of the REvil gang were arrested around the world in a global police operation, with more than $6m in cryptocurrency retrieved by US authorities in a so-called "claw back" hacking operation.
It followed a similar operation by the US in June 2021 that took the Darkside gang offline and recovered $4.1m in stolen funds.
It is thought that these actions may have forced criminals to work in smaller groups and also knocked the confidence of gangs.
Criminals now seem to be carrying out a greater number of smaller attacks instead of going after large Western targets - so-called "big-game hunting" - where large payments are more likely.
"While big-game hunting may have gotten more challenging, it is still rewarding," said Jackie Burns Koven, head of cyber-threat intelligence at Chainalysis.
She warns ransomware is still extremely profitable and smaller-sized organisations should be even more vigilant as hackers spread their net wider in an effort to be paid.