The crypto crash, which has wiped out about $2 trillion in value and upended a once-fast-growing industry, has an unexpected twist: Even criminals are feeling the pinch.
Ransomware attacks have dropped sharply this year as perpetrators grapple with an economic downturn, the Ukraine war and the dramatic plunge in the prices of cryptocurrencies they’ve been routinely using to commit crimes.
“There is never any single reason why anything happens in cybersecurity [but] in this case, the thought that volatility in the crypto markets is a contributor to the drop in ransomware attacks makes sense,” said James Lee, chief operating officer of the Identity Theft Resource Center.
The number of ransomware attacks fell 20% sequentially in the second quarter, the first quarter-on-quarter drop since the ITRC began tracking ransomware attacks in 2018, the nonprofit organization said.
It’s not just the drop in the value of crypto. Enforcement efforts are having some impact, according to SonicWall, which recorded 236 million ransomware attempts globally in the first half of 2022. That’s down 23% year-over-year. On top of falling prices, “increased government and law-enforcement focus impacted both who cybercriminals chose to attack and how well they were capable of carrying out those attacks,” SonicWall said.
Ransomware had become such a big problem that the Biden administration last year urged U.S. businesses to focus more on securing their networks. Crypto’s rise has made curbing the attacks more challenging. Lee said that, since 2018, cryptocurrencies have been “the preferred method of monetizing ransomware attacks because of the difficulty in clawing back funds and the — up to recently — ever-increasing value of the coins.”
Last year, the Justice Department recovered $2.3 million in bitcoin ransom paid to DarkSide, the criminal group that hacked Colonial Pipeline. The DOJ subsequently announced the creation of a crypto enforcement team to go after criminal actors using cryptocurrencies.
Besides the drop in attacks, there are other signs of declining interest in laundering ransomware proceeds through crypto networks. Kenneth Goodwin, director of regulatory and institutional affairs at Blockchain Intelligence Group, said the crypto compliance and forensics company has recorded a decline in mixers typically used to obfuscate blockchain transactions, especially in illicit transactions.
It’s important to note that accumulating cryptocurrency itself is “not the end goal” of ransomware perpetrators, said Mark Manglicmot, senior vice president of security services at Arctic Wolf. After the victim pays the ransom, the criminals typically seek to convert it to fiat.
That becomes trickier “with fewer outlets for disposing of cryptocurrencies due to bankruptcies and reduction in crypto value,” Lee said. “It makes sense cybercriminals would look for other ways to make money that involve less risk.”
Price volatility clearly poses a problem for ransomware criminals, said Alma Angotti, a partner at Guidehouse. “They could just ask for more bitcoin, right?” she told Protocol. “They could just ask for 20 bitcoin instead of 10 or whatever. But if the price is gonna drop even further after they get it, that's probably a factor.”
The crypto slump is definitely not the only factor, Angotti said.
Many companies have also balked at paying up in ransomware attacks “because their insurance companies may not cover it,” she said, or they could get charged for violating the law.
“You could now also be hit with a sanctions violation besides having the money that you lost to the ransomware, so that's a problem,” she said.
Manglicmot argues that the Ukraine war probably plays a key role in the decline. “A lot of the threat actors are known to be based in Eastern Europe,” he said, which leads him to suspect that the decline in ransomware attacks is “likely because of where the attackers are based.”
Not everyone is convinced the data shows a long-term trend.
Sam Curry, chief security officer at Cybereason, said the more recent dip in ransomware attacks “might also have to do with summer slowdowns in IT — and people who might otherwise click on the wrong thing might just be on the beach with their families.”
Rick Holland, chief information security officer at Digital Shadows, agreed, saying “any perceived slowdown in extortion” should be considered “as a blip, not a trend.”
“The summer months typically see slower extortion activity,” he told Protocol. “Criminals take vacations too.”