Ransom pay over hacks is dropping

40% reduction seen by tracker

Computer code displayed on screens arranged in Danbury, U.K., on Jan. 7, 2021. MUST CREDIT: Bloomberg photo by Chris Ratcliffe

Fewer companies that are attacked with ransomware are coughing up extortion payments demanded by hackers, according to new research from Chainalysis.

In findings published Thursday, the blockchain forensics company estimated that ransom payments -- almost always paid in cryptocurrency -- fell 40% to $456.8 million in 2022, from $765.6 million in 2021.

"That doesn't mean attacks are down, or at least not as much as the drastic dropoff in payments would suggest," according to the report. "Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers."

Chainalysis also said the actual totals could be much higher, as some cryptocurrency addresses controlled by ransomware attackers have not yet been identified by its researchers.

Ransomware is a type of cyberattack in which hackers encrypt a victim's data files and demand a payment to unlock them. More recently, ransomware groups also have been stealing data, threatening to publish it online unless the company pays.

The research from Chainalysis is supported by data from cyber-incident-response company Coveware, which said the number of its clients paying a ransom after an attack has steadily decreased to 41% in 2022, from 76% in 2019.

One reason ransom payments may be going down is that such attacks now come with increasing legal risk: the U.S. government has been aggressively issuing sanctions against cryptocurrency companies that facilitate illegal activity, including laundering ransomware payments. That means companies could face legal consequences for making ransom payments to hackers.

"One of the biggest factors companies are taking into account when determining whether they should pay a ransom is how risky it would be legally -- particularly given that there's the danger they could be paying a sanctioned entity, which would have severe legal ramifications," said Jackie Burns Koven, head of cyber threat intelligence at Chainalysis.

In addition, she said, "insurance companies are being much more strict about how and when their insurance payouts can be used -- oftentimes eliminating the ability to use them to make ransomware payments altogether."

The FBI advises companies against allowing ransomware payments.

Chainalysis research, meanwhile, also highlighted shifts in the ransomware marketplace.

For instance, Chainalysis reported that the number of ransomware strains in operation exploded in 2022 and quoted cybersecurity firm Fortinet's research showing more than 10,000 unique strains being active in the first half of the year. Its researchers also found that the lifespan of a ransomware strain has steadily declined, to 70 days in 2022 from 265 in 2020.

Many of the hacking groups operate ransomware as a service, where a core group of administrators offer malware strains to "affiliates," who then conduct the attacks and return a fixed cut of the illicit proceeds.

Chainalysis researchers concluded that affiliates are carrying out attacks using several different ransomware strains. The administrators, meanwhile, rebrand themselves and switch between strains.

"The number of core individuals involved in ransomware is incredibly small versus perception, maybe a couple hundred," said Bill Siegel, CEO and co-founder of Coveware, as quoted in the Chainalysis report. "It's the same criminals; they're just repainting their get-away cars."

Siegel didn't respond to a request for comment.
