Blackmail Trojans are still booming, but according to a study, cybercriminals earned significantly less in 2022 than in the previous year.
According to a study by the blockchain analysis company Chainalysis, the ransomware business was significantly less profitable in 2022. Cybercriminals were able to extort ransom payments worth around 456.8 million US dollars in cryptocurrencies from their victims last year. In the previous year, the figure was still 756.6 million US dollars, which makes this a decrease of around 40 percent.
However, this is not an indication that there were fewer ransomware attacks in 2022 than in the previous year, the analysts write. They attribute the drop instead to victims' dwindling willingness to pay attackers a ransom for their encrypted data. Irrespective of this, the number of active ransomware variants has literally exploded, explains Chainalysis, citing security researchers from Fortinet. The lion's share of the ransom revenue goes to a relatively small number of Trojans such as Hive or Blackcat.
Overall, Chainalysis assumes that a relatively manageable field of cybergangs makes up the scene. The "ransomware-as-a-service" business model is very common: malware developers allow other cybercriminals to use their creations in return for a cut of the proceeds. New ransomware "brands" are regularly invented for the "service" customers to use. Because of this high turnover, the field of actors seems larger than it is. One indication of this is that in many cases the same wallets are used as the ransom destination for different blackmail Trojans.
The major mainstream cryptocurrency exchanges seem to be the most popular route among cybercrooks for converting extorted ransom funds into regular currencies. Almost half of the funds (48.3 percent) were exchanged directly, Chainalysis explains. In the previous year, it was still around 39 percent. 15 percent flowed into mixing services, a slight increase over the previous year.
However, Chainalysis also points out that the actual ransom amounts are most likely even higher. It can be assumed that the ransomware attackers have cryptocurrency addresses that have not yet been identified on the blockchains.