Ransomware operations are becoming less profitable

As the number of real (and fake) victims of ransomware gangs continues to rise, the number of ransomware payments is falling, along with the average ransom payment.

The reasons behind this decrease are many: increased cyber resilience of organizations (which includes having recoverable backups), the availability of decryptors created by law enforcement and cybersecurity companies, more frequent law enforcement actions, and so on.

“Despite the surge in attacks in 2023, ransomware attacks involving payments decreased by 46%, according to our data,” says blockchain analysis firm Chainalysis.

“Essentially, it seems that while deploying ransomware has become easier due to the professionalization of the criminal underground and lower barriers-to-entry, it is perhaps harder to profit from these activities.”

The effect of law enforcement takedowns

As we wait for international law enforcement to reveal additional information about actions taken against the LockBit ransomware gang, Chainalysis has outlined other effects of the recent law enforcement victories against that and other cybercriminal groups.

According to them, the 2023 Qakbot botnet disruption has had a short-lived effect: the takedown affected the peddlers of that specific malware, but ransomware groups found alternatives for delivering the ransomware to intended targets.

The 2024 LockBit infiltration and disruption and the associated revelations staggered throughout several days have “compromised the foundational trust within the LockBit community, significantly undermining LockBit’s operations and leaving its affiliates in disarray.”

As the tit-for-tat continues, there is no doubt that the group’s operation has been considerably affected and that some of its affiliates have defected. Today’s revelations are likely to stress its functioning even further.

Law enforcement’s 2023 takeover of ALPHV/Blackcat leak sites and the creation of a decryption tool initially had a small effect on the group’s operations. Still, it may have had something to do with the group’s ostensible disbandment earlier this year, after they cheated the affiliate responsible for the United Health/Change Healthcare hack out of their due share of the paid ransom ($22 million).

“BlackCat’s exit marks a major disruption in the ransomware payment ecosystem, as the group was capturing over 30% of all ransomware payments before the exit scam,” Chainalysis’ analysts noted.

“The implications of an exit scam do not bode well for any future iterations of the group. This incident has significantly tarnished the group’s reputation, and perhaps more generally, planted seeds of doubt in the ransomware-as-a-service business model.”

Concerted efforts for long-term effects

While some of the law enforcement disruptions had a larger initial effect, others may turn out to have a greater impact in the long run.

Ransomware gangs and their affiliates have demonstrated persistence and adaptability, but cracks in the ecosystem are beginning to show.

“The ongoing decrease in ransom payments, despite a reported increase in the number of attacks, reflects the growing reluctance of victims to comply with the demands of cybercriminals. Sanctions and a broader aversion among organizations to fund criminal activities speak to an evolving sentiment where paying ransoms is increasingly seen as unacceptable or unnecessary,” the Chainalysis team pointed out.

Concerted and consistent efforts by private sector organizations and law enforcement are essential for minimizing the threat of ransomware.

“Actions that increase the perceived risks, distrust, and operational downtime for affiliates can create a lasting impact on their activities,” the company added.

“Innovative disruption strategies involving a whole-of-government approach targeting every part of the cybercriminal ecosystem — from the infrastructure, to the laundering mechanisms, to arrests, sanctions, and asset seizures, along with the use of blockchain intelligence tools, are essential for understanding and counteracting the affiliates’ adaptation mechanisms.”
