Ransomware Variants Are on the Rise but Overall Gains Decline: Chainalysis

Victims appear to have become less willing to pay, according to a new report.

Jan 19, 2023 at 1:00 p.m. UTC
Updated May 9, 2023 at 4:06 a.m. UTC

In 2022, ransomware hackers received $456.8 million from their victims, 40% less than the $765.6 million they pocketed in 2021, said blockchain analytics company Chainalysis in a new report. The trend was noticed earlier by another analytics firm, Crystal Blockchain. The actual amount of proceeds might be higher, however, because not all the crypto wallets controlled by ransomware hackers can be identified.

The decline reflects general dynamics in the ransomware industry, but only partially. According to ransomware researcher Allan Liska, who is a consulting system engineer at FireEye, ransomware attacks decreased from 2,865 to 2,566 between 2021 and 2022.

These numbers come from Liska’s analysis of websites where hackers publish data stolen from the compromised companies, pressuring them to pay ransom. However, this 10.4% drop in attacks is still smaller than a 40.3% drop in overall ransomware revenue, Chainalysis said.

At the same time, the number of malicious programs attackers have been using to encrypt victims’ data “exploded in 2022,” the report reads. Cybersecurity firm Fortinet identified 10,666 new ransomware variants in the first half of 2022, compared to just 5,400 over the same period of 2021. However, only a few of the variants bring attackers significant gains: “the vast majority of ransomware revenue goes to a small group of strains at any given time,” Chainalysis said.

The reason researchers saw less money accruing to hackers last year is that victims are becoming more reluctant to pay, Chainalysis said, citing cybersecurity firm Coveware. According to Coveware’s data, since 2019, the percentage of cases in which victims paid ransoms has fallen from 76% to 41%. One explanation for the drop might be the U.S. Treasury Department's Office of Foreign Assets Control advisory in September 2021, which warned companies of potential sanctions violations for paying ransomware hackers.

Another reason may be that cyber insurance firms are now less willing to help their clients pay ransoms and insist on more stringent security measures to prevent attacks in the first place, the report says.

The sprawling ransomware market allows attackers to buy access to multiple strains and juggle between them, collecting revenues from multiple victims. At the same time, the lifespan of each code variant is getting shorter: In 2022, the average ransomware strain remained active for just 70 days, down from 153 days in 2021 and 265 days in 2020, Chainalysis said.

For example, the infamous Conti gang, which attacked the U.S. health care industry, among others, during the pandemic, got attacked itself after it “pledged alliance” to the Russian state in the war with Ukraine. After the group’s inside communications were leaked and published online (CoinDesk covered the leak last spring), Conti reportedly ceased operations.

However, Chainalysis found that the wallets associated with Conti’s leading figures continue to receive revenues from various ransomware attacks. For example, the group’s administrator nicknamed Stern has “transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise,” the report says.



Anna Baydakova

Anna Baydakova was CoinDesk's investigative reporter with a special focus on Eastern Europe and Russia. Anna owns BTC and an NFT.
