In 2022, ransomware hackers received $456.8 million from their victims, 40% less than the $765.6 million they pocketed in 2021, said blockchain analytics company Chainalysis in a new report. The trend was earlier noticed by another analytics firm, Crystal Blockchain. But the actual amount of proceeds might be higher because not all the crypto wallets controlled by ransomware hackers can be identified.

The decline reflects general dynamics in the ransomware industry, but only partially. According to ransomware researcher Allan Liska, who is a consulting system engineer at FireEye, ransomware attacks decreased from 2,865 to 2,566 between 2021 and 2022.

These numbers come from Liska’s analysis of websites where hackers publish data stolen from the compromised companies, pressuring them to pay ransom. However, this 10.4% drop in attacks is still smaller than a 40.3% drop in overall ransomware revenue, Chainalysis said.

At the same time, the number of malicious programs attackers have been using to encrypt victims’ data “exploded in 2022,” the report reads. Cybersecurity firm Fortinet identified 10,666 new ransomware variants in the first half of 2022, compared to just 5,400 over the same period of 2021. However, only a few of the variants bring attackers significant gains: “the vast majority of ransomware revenue goes to a small group of strains at any given time,” Chainalysis said.

The reason researchers saw less money accruing to hackers last year is that the victims are becoming more reluctant to pay, Chainalysis said, citing cybersecurity firm Coveware. According to Coveware’s data, since 2019, the percentage of cases in which victims paid ransoms has fallen from 76% to 41%. One explanation for the drop might be the U.S. Treasury Department's Office of Foreign Assets Control advisory in September 2021, which warned companies against potential sanctions violation for paying ransomware hackers.

Another reason may be that cyber insurance firms are now less willing to help their clients pay ransoms and insist on more stringent security measures to prevent attacks in the first place, the report says.

The sprawling ransomware market allows attackers to buy access to multiple strains and juggle between them, collecting revenues from multiple victims. At the same time, the lifespan of each code variant is getting shorter: In 2022, the average ransomware strain remained active for just 70 days, down from 153 days in 2021 and 265 days in 2020, Chainalysis said.

For example, the infamous Conti gang, which attacked the U.S. health care industry, among others, during the pandemic, got attacked itself after it “pledged alliance” to the Russian state in the war with Ukraine. After the group’s inside communications were leaked and published online (CoinDesk covered the leak last spring), Conti reportedly ceased operations.

However, Chainalysis found that the wallets associated with Conti’s leading figures continue to receive revenues from various ransomware attacks. For example, the groups’ administrator nicknamed Stern has “transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise,” the report says.