71% of Ransom Demands Are Not Paid by Ransomware Attack Victims

The most recent information from the ransomware remediation company, Coveware, reveals a decline in the number of ransomware attack victims who opt to pay the ransom. At the beginning of 2019, 85% of ransomware attack victims gave ransom payments after an attack. In mid-2021, only 46% percentage paid the ransom. In Q4 of 2023, merely 29% of victims gave the ransom demand. In 2019, ransomware gangs began doing double extortion tactics, wherein the attacker acquires access to victims’ systems and exfiltrates the data before encrypting the files. Victims need to pay the ransom to get the file decryption keys and to stop the exposure or vending of the stolen information. For many victims, the primary reason why they paid the ransom was to stop the data leak as opposed to getting the keys for file decryption. Coveware mentioned that in ransomware attacks that are associated with data theft, in Q3 of 2023, just 26% of victims paid the ransom.

There are several reasons for the constant drop in ransom payments. One is readiness, for example making certain that a backup is created from all sensitive information and the backup is kept safely in a system where it can’t be encrypted during an attack. In case of attacks accompanied by data theft, giving the ransom can stop data exposure or the selling of the information; nevertheless, ransomware gangs cannot be trusted to eliminate the stolen information. There were attacks where despite giving the ransom payment, the attacker still exposed the data leak. Giving a ransom payment has resulted in more extortion and attacks. Law enforcement also cracked down in certain areas, so it is now illegal to pay a ransom.

Forbidding ransomware payments is one measure that the government may implement to control attacks. When paying a ransom to a ransomware group is not allowed, ransomware gangs would, theoretically, stop carrying out attacks in that state. Coveware states that the reality is not the same. The attacks would probably keep on and firms would quit reporting attacks and getting the help of authorities. It would be more difficult to trace ransomware attacks and police investigations of ransomware groups would be seriously affected. All the good work by the authorities to motivate victims to report attacks will be undone and when a ban is enforced, there will be a big illegal market.

In the United States, some states have enforced partial prohibitions on ransom payments, for example forbidding state institutions and agencies from paying ransom demands but these prohibitions do not seem to have the wanted impact, because there is no decline in ransomware attacks in those states. Coveware is convinced that prohibiting ransom payments results in capitulation. A ban would indicate that as a nation, it’s impossible to protect ourselves against the risk of cyber extortion.

Coveware’s information reveals the work made by organizations to get ready for ransomware attacks has paid off. Businesses are not being disabled anymore by file encryption and can retrieve their information without having to pay the ransom demand, and the work of authorities to break up and stop ransomware gangs has generated good results. This fight won’t be over in a single day. It will take years, but the battle can be won.

With earnings from ransomware attacks dropping, ransomware gangs have to do more attacks or raise their ransom demands, however, Coveware’s information indicates that ransom payments have declined. In Q4 of 2023, the average $568,705 ransom payments went down by 33% from Q3 of 2023. The median $200,000 payment in Q4 of 2023 remained the same as the previous quarter.

In Q3 of 2023, there was little change in the activity of ransomware groups. Akira maintained the number one spot having 17% of attacks, Blackcat conducted 10% of attacks, LockBit conducted 8%, and Play Ransomware conducted 6%. Nonetheless, the activity by smaller ransomware gangs and non-affiliated single-wolf actors increased. In about a third of attacks, the strategy employed to acquire initial access to victims’ systems was not identified. Of the other attacks, RDP exposure was the most frequent and has been growing since Q3 of 2022. Email phishing was the second most frequent initial access vector, though the use of this method dropped around the same time. The third most common initial access vector was the exploitation of software vulnerabilities, such as the Cisco ASA vulnerability (CVE-2023-20269).

From Q2 of 2022 to Q2 of 2023, ransomware groups preferred attacking large organizations. However, the average size of victim organizations fell as medium-sized organizations became the usual targets. It is easier to attack medium-sized organizations because their investment in cybersecurity is less than compared to big companies and they have big enough income to enable payment of big ransom demands. In Q4 of 2023, a victim company had an average size of 231 workers, which is down by 32% from Q3 of 2023. In Q4 of 2023, 22.2% of businesses in the professional services industry were attacked. The healthcare industry got 16% of attacks, while the public sector got 11.1% of attacks.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone