Ransomware gangs extorted an estimated $456.8 million from victims throughout 2022, down about 40% from the record high of $765 million recorded in the previous two years.

According to data from blockchain analytics firm Chainalysis, this drastic drop in ransomware profits is not due to fewer attacks, but to victims refusing to pay hackers.

2022 has been one of the busiest years for ransomware activity, with thousands of strains of file-encrypting malware targeting organizations of all sizes.

However, likely due to declining profits, among other reasons, the average ransomware lifespan has dropped from 153 days in 2021 to just 70 days in 2022.

The year was marked by the end of Operation Conti and the emergence of new ransomware-as-a-service businesses like Royal, Play and BlackBasta. Meanwhile, ransomware operators LockBit, Hive, Cuba, BlackCat and Ragnar have maintained a relatively steady flow of victims throughout 2022.

The victims will not pay

Despite the multiple extortion tactics employed by ransomware operators – for example file encryption, DDoS attacks, threats to leak stolen data or to notify data protection authorities of a breach – an increasing number of victims refuse to respond to requests from threat actors.

Cyber-intelligence firm Coveware says there’s been an identifiable trend since 2019 in its stats, showing that victim payment rates are steadily declining.

In 2019, 76% of ransomware victims opted to pay the ransom while only 24% faced the consequences instead. This trend changed in 2022, as 59% of victims chose not to pay the ransom.

The past year has marked an important psychological turning point for both forwards and defenders. 2022 was the first year that more ransomware victims chose not to pay. This change in behavior highlights a change in the perception and approach to dealing with ransomware attacks.

This change can be attributed mainly to three things:

1. Victims realize that paying the ransom does not guarantee that they will get their files back and threat actors will delete the stolen files.
2. Public perception of ransomware attacks has matured, and data leaks resulting from these incidents tend to have a muted effect on brand reputation.
3. Organizations follow better backup strategies that are also required for ransomware coverage insurers, often giving them a way to restore their IT infrastructure in the event of an attack.

Even though victims are handling ransomware attacks differently than two years ago, completely discouraging operators by not paying them is still a distant goal.

As long as the percentage of paying victims is large or hackers are taking larger sums from higher value targets, ransomware attacks will be a current threat.