Ransomware revenues drop by 40% as victims refuse payment

Ransomware gangs took $456.8 millions from victims in 2022. This is a decrease of 40% from the $765 million record set the two previous years.

Chainalysis data shows that this dramatic drop in ransomware profit is not due to fewer hackers but victims refusing to pay them.

Ransomware profits per year


The most prolific year in ransomware activity was 2022, when thousands of file-encrypting malware variants targeted organizations of all sizes.

The average ransomware lifetime fell from 153 days to 70 days, likely because of diminishing profits.

Lifespan of ransomware families


The year was marked by the end of the Conti operation and the emergence of new ransomware-as-a-service activities like Royal, Play, and BlackBasta. The ransomware operators behind LockBit and Hive, BlackCat, Ragnar, Cuba, BlackCat, Ragnar, and BlackCat continued to have a steady stream of victims through 2022.

Ransomware gang activity per quarter


Victims will not pay

Ransomware hackers employ multiple methods to extort victims, including DDoS attacks and file encryption. Ransomware operators use multiple extortion tactics, such as DDoS attacks and threats to leak data, or to notify data protection authorities about a breach. However, victims are refusing to comply with the demands of these threat actors.

Coveware, a cyber-intelligence company says that there is a trend in victim payments rates since 2019, which it has identified from its statistics.

2019 ransomware victims paid 76%, while 24% of them dealt with the consequences. In 2022, 59% of ransomware victims decided not to pay the ransom.

Ransomware payment percentage


Both attackers as well as defenders have experienced a major psychological shift in the past year. 2022 marked the first year that ransomware victims chose not to pay. The behavior shift reflects a change of attitude and perception towards ransomware attacks.

Three things can explain this change:

  1. They realize that they cannot pay the ransom to guarantee their files are returned and that threat actors can delete them.
  2. Ransomware attacks have become more commonplace. Data leaks that result from them can often cause brand reputation damage.
  3. Companies are implementing better backup plans that are required by ransomware insurance insurers. This often gives them the ability to recover their IT infrastructure after an attack.

Although ransomware attacks are being handled differently by victims than they were two years ago is it still possible to dissuade the attackers from paying them.

Ransomware attacks are a threat as long as hackers pay more to victims or the proportion of ransomware victims that is high,