Extortion payments from ransomware, a hacking scourge that has crippled hospitals, schools and public infrastructure, fell significantly last year, according to federal officials, cybersecurity analysts and blockchain firms.
After ballooning for years, the amount of money being paid to ransomware criminals dropped in 2022, as did the odds that a victim would pay the criminals who installed the ransomware. With ransomware, hackers lock up a victim’s computer network, encrypting hard drives until victims pay.
Alphabet Inc.’s Mandiant cybersecurity group said it had responded to fewer ransomware intrusions in 2022—a 15% decrease from 2021. CrowdStrike Holdings Inc., another U.S. cybersecurity firm, said it saw a drop in average ransom-demand amounts, from $5.7 million in 2021 to $4.1 million in 2022, a decline the company attributed to disruption of major ransomware gangs, including arrests, and a decline in crypto values. Ransomware payments are generally made using cryptocurrency.
The blockchain-analytics firm Chainalysis Inc. says that payments that it tracked to ransomware groups dropped by 40% last year, totaling $457 million. That is $309 million less than 2021’s tally.
“It reflects, I think, the pivot that we have made to a posture where we’re on our front foot,” Deputy Attorney General Lisa Monaco said in an interview. “We’re focusing on making sure we’re doing everything to prevent the attacks in the first place.”
The hacking groups behind ransomware attacks have been slowed by better company security practices. Federal authorities have also used new tactics to help victims avoid paying ransom demands. Asset seizures have disrupted major ransomware gangs, one of which recently had layoffs, cybersecurity officials say.
The evidence of progress reflects just one year of a decline and could amount to an aberration. While certain hacking methods can fall out of favor, the hackers themselves rarely stay quiet for long. Some firms and experts say they saw a worsening outlook in 2022 in certain business sectors as ransomware criminals searched for easier targets.
U.S. government sanctions against ransomware operators have been a deterrent, according to officials and companies involved in responding to ransomware infections. The FBI has managed to recover ransomware payments, including $2.3 million paid during a 2021 incident that shut down the Colonial Pipeline, a major fuel pipeline to the U.S. East Coast. And the FBI said last month that it disrupted $130 million in potential ransomware profits last year by gaining access to servers run by the Hive ransomware group and giving away the group’s decryption keys—used to undo the effects of ransomware—for free.
In the fall, about 45 call-center operators were laid off by former members of a ransomware group known as Conti, according to Yelisey Bohuslavskiy, chief research officer with the threat intelligence firm Red Sense LLC.
They had been hired as part of a scam to talk potential victims into installing remote-access software onto networks that would then be infected by ransomware, but the call centers ended up losing money, he said.
Companies have also stepped up their cybersecurity practices, driven by demands from insurance underwriters and a better understanding of the risks of ransomware following high-profile attacks. Companies are spending more money on business continuity and backup software that allows computer systems to restart after they have been infected.
With improved backups, U.S. companies are better at bouncing back from ransomware attacks than they were four years ago, according to Coveware Inc., which helps victims respond to ransomware intrusions and has handled thousands of cases.
Four years ago, 85% of ransomware victims wound up paying their attackers. Today that number is 37%, according to Coveware Inc. Chief Executive Bill Siegel. As more victims resist paying, hackers have looked for more lucrative targets. The average ransomware payout in the final quarter of 2022 was just over $400,000—up from around $300,000 during the last quarter of 2021, Mr. Siegel said.
“For financially motivated cybercriminals, they will go where the opportunities are profitable,” he said.
Some business sectors are thought to have suffered more damage this past year. Ransomware attacks against industrial organizations—including manufacturing, food and beverage, and energy companies—increased in 2022, according to security firm Dragos Inc., which specializes in the cybersecurity of industrial systems.
Ms. Monaco and other law-enforcement officials have pushed over the past two years to rely less on solely charging foreign hackers, who may never see a courtroom. Instead, they dedicate resources to thwarting cyberattacks before they can do more damage, an approach they have likened to efforts to combat terrorism following the Sept. 11, 2001, attacks.
“We needed to change our orientation…to one where we are putting prevention first, disruption first, and putting victims at the center of our approach,” Ms. Monaco said, speaking Friday at the Munich Cyber Security Conference. “That means we are trying to break the business model of ransomware actors.”
Ransomware was once considered more of a criminal nuisance, but the Biden administration began labeling it a national-security threat following the 2021 Colonial Pipeline attack. After other major ransomware strikes that summer—all of which were linked to Russian-speaking criminal hackers—President Biden began pressing Russian President Vladimir Putin to limit ransomware attacks from Russia.
U.S. officials and cybersecurity experts said the pace of Russian ransomware attacks on U.S. organizations appeared to briefly ebb at the outbreak of the war a year ago, The Wall Street Journal previously reported. It wasn’t clear at the time whether the decline was a sign of prolonged improvement or a temporary disruption caused by the hostilities. Russia has denied U.S. accusations that its state security apparatus is involved with cybercrime or tolerates it.
Experts said that in some cases financially motivated hackers are migrating away from ransomware toward other methods of attack, such as scams to obtain payment-card data.
“Just because traditional ransomware has slowed down doesn’t mean threat actors have,” said Adam Meyers, senior vice president of intelligence at CrowdStrike.