Ransomware Payments Down By 40% in 2022

2 min read


Ransomware groups extorted $456.8 million from organizations in 2022, less than the last two years.

Technical Summary:

2022 saw a lot of attacks such as phishing, DDoS, and ransomware, specifically ransomware groups extorting $456.8 million from companies. This marked a drop in money extorted by 40% from the previous two years that saw record-breaking highs with it being $765 million. 

The decline in ransomware profits isn’t from fewer attacks but is stimmed by victims deciding not to pay the hackers. Ransomware in general was very active in 2022, with thousands of file-encrypting malware strains targeting organizations of all sizes and sectors. 

Due to payments decreasing this also resulted in the average lifespan of a ransomware strain dropping from 153 days in 2021 to just 70 in 2022. Despite multiple extortion tactics such as leaking data and file encryption of DDoS attacks, victims are still refusing to pay the ransom and meet the attacker’s demands. 

Coveware a cyber threat intelligence firm has identified the trend since 2019 and stated that the victim paying rates are constantly going down. In 2019 76% of victims decided to pay the ransom while 26% decided to not pay and deal with the consequences. Since then each year the percentage of victims paying has gone down and the victims that did not pay has gone up by 19=20%.

Attack Tactics, Techniques & Procedures:

Resource Development (TA0042)

  • Compromise Accounts (T1586) 
  • Compromise Infrastructure (T1584) 

Credential Access (TA0006) 

  • Exploitation for Credential Access (T1212)

Impact (TA0040)

  • Data Manipulation (T1565) 
  • Data Destruction (T1485)
  • Data Encrypted for Impact (T1486)
  • System Shutdown/Reboot (T1529) 

Reconnaissance (TA0043)

  • Gather Victim Identity Information (T1589) 
  • Gather Victim Identity Org Information (T1597)

Initial Access (TA0001)

  • Valid Accounts (T1078)

Affected Assets and Organizational Impact:

Ransomware attacks can have severe consequences on organizations ranging from files stolen, loss of revenue, and a tarnished reputation due to the severity of the attack. Many popular groups like LockBit, Hive, Cuba, Royal, Ragar, and BlackCat emerged through 2022 as the new ransomware-as-a-service groups. All the main groups I mentioned above makeup 75% of all ransomware strains distributed to victims. 

Mitigation & Response:

This past year has taken a turn for the better, 2022 was the first year that more ransomware victims did not pay. The approach changing stems from victims realizing that paying the ransom does not guarantee their files will be given back or not deleted. Another reason is that the perception of ransomware attacks has matured, and companies know what kind of news it brings if they were to pay to cause their reputation to be tarnished. Lastly, organizations may be implementing better backup strategies that allow them to fully recover easier if they were a victim of a ransomware attack.