The Future Is Here
We may earn a commission from links on this page

More Ransomware Victims Are Refusing to Pay Hackers

Although malware attacks aren't necessarily declining, cybercriminals' profits are, new analysis says.

We may earn a commission from links on this page.
Stock photo of ransom exchange
Organizations targeted by ransom-seeking cybercriminals may be wising up and opting not to pay.
Photo: vchal (Shutterstock)

Ransomware cyber-gangs made about $456.8 million in 2022. It sounds like a lot of money until you compare it to the record estimated profits from 2021: $765 million. All told, hackers managed to extort 40% less from their victims this past year, vs. the year before, according to a new report from Chainalysis published Thursday.

But that drop in profit doesn’t mean the number of ransomware attacks—in which bad actors demand payment in exchange for stolen and encrypted data—is down by the same proportion, the analysis notes. “Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay.”


Most ransomware payments and extortion takes place on the blockchain via cryptocurrency. To come up with the estimates of ransomware profit, Chainalysis analysts tracked funds moving between Bitcoin wallets known to be linked to ransomware crews. It’s an imperfect method, which the report authors note likely results in a significant undercount of total funds paid to ransomware groups. In fact, the U.S. Treasury Department estimated that 2021's payments reached $1.2 billion, much higher than Chainalysis’ $765 million estimate. However, the company says the trend still holds—using the same methods year to year, Chainalysis has found way less money exchanging hands.

Other analyses have found that ransomware attacks declined between last year and 2021's pandemic-related peak. Allan Liska, a ransomware expert at intelligence firm Recorded Future, told Chainalysis that he estimated the number of attacks dropped by about 10.4%. And one study from security firm Delinia estimated a massive 61% decline in attacks—which would be more than enough to explain the profit drop on its own. However, some experts believe those observed declines come down to a lack of information, not a true drop in malicious attacks.


Plus, the Chainalysis report isn’t the first to suggest that, on top of major attacks waning, victims are paying cyber ransoms less and less frequently. Coveware, a firm that helps victims respond to cyber extortion, noted that fewer organizations and companies gave into ransom requests in 2022, in a July report. Coveware’s CEO, Bill Siegel, further told the BBC that in 2022, just 41% of his clients paid ransoms, compared with 70% two years prior.

Additionally, increasing awareness of and preparation for ransomware attacks, along with some high profile busts, seem to have made targeting large, Western companies and organizations less palatable. Instead, cybercriminals are going after smaller, lower-profile companies and institutions, according to Chainalysis’ report.

At least two U.S. states, Florida and North Carolina, have banned agencies or organizations that receive taxpayer funds from making ransomware payments. And, though once they might have advised otherwise, federal authorities now discourage fulfilling cybercriminals’ payment requests. As the FBI notes, “paying a ransom doesn’t guarantee you our your organization will get any data back. It also encourages perpetrators to target more victims.”

Even though the reduction in payouts, and drop in overall attacks is encouraging, it’s doesn’t mean cybercriminals have thrown in the towel. In fact, there are more strains of ransomware in operation in 2022 than in previous years, according to Thursday’s report. Cybersecurity company Fortinet found over 10,000 unique strains active in the first six months of 2022. And each of these malware strains is persisting for a shorter period of time. In response to increasing awareness and enforcement, would-be hackers seem to be innovating faster than ever.


And big fish are still getting fried. Recent notable ransomware attacks have targeted the U.K.’s mail service, international media outlets like The Guardian, Los Angeles’ public schools, and health insurance and hospital systems.