The average payment made for ransomware attacks grew in Q2 of 2022; even so, the median payment dropped for two consecutive quarters, which means more ransomware attack victims opt not to pay up. The information is taken from the most recent quarterly report from Coveware, the ransomware remediation company. With the $228,125 average ransom payment in Q2 of 2022, there is an 8% increase compared to the past quarter. The $36,360 median ransom payment decreased by 51% from Q1 of 2022.
Coveware says that the current drop in payments shows the shifting profile of attacked organizations, with ransomware groups now seeming to spotlight attacking mid-market businesses. Attacking big companies is expensive because of their big investments in cybersecurity though the potential earnings are higher. Although ransomware attacks on mid-market companies suggest the ransom demands have to be lesser, the risks linked to attacks are likewise lesser. Mid-market companies seem to be the sweet spot. The revenue is high enough to make the attacks rewarding, and it is unlikely for the ransomware groups to experience pressure and action from law enforcement. Coveware furthermore notes an identified trend where companies are not engaging with ransomware groups when their initial ransom demand is too high.
When ransomware groups began data exfiltration before encrypting files, the number of victims that pay ransoms went up. Many victims opted to pay even when they had data backups to avoid the sale or disclosure of the stolen data to the public. In Q2 of 2022, theft and threats to disclose the stolen information publicly are involved in 86% of ransomware attacks. Although ransom payment is required to avoid the posting of stolen information, Coveware says that there’s proof that ransomware groups are not doing their promise to eliminate the data, which suggests the ransom payment was not required.
When a ransomware attack entails data theft, Coveware states that ransom payment doesn’t offset the possibility of harm, nor the liability to the victim to safeguard affected parties. Although a number of victims may consider ransom payment as a means to guard against potential class action lawsuits, ransom payment will not curb a meritless lawsuit, and there’s no case law to indicate that the possibility of a suit occurring, or the ensuing settlements or problems are mitigated by ransom payment, mentioned Coveware. Coveware additionally states that ransom payment doesn’t control brand damage nor indicate that an organization did everything to keep its customers safe.
After the shutdown of the Conti ransomware operation, the ransomware landscape in Q2 of 2022 changed. Ransomware attacks today are spread out more extensively throughout a number of smaller attacks, with BlackCat getting 16.9% market share, LockBit 2.0 getting 13.2%, Hive getting 6.3%, and Quantum, Conti V2, AvosLocker, Phobos, and Black Basta getting about 5% each. There seems to be a pattern where RaaS affiliates are spreading their attacks throughout several ransomware brands.
As in Q1 of 2022, the most common attack vector is email phishing, though RDP compromise is still prevalent. Attackers still take advantage of software vulnerabilities and other attack vectors, and Coveware states that affiliates aren’t restricting themselves to just one attack vector.
The most attacked sector in Q2 of 2022 was professional services with 21.9% of attacks, then the public sector with 14.4%, healthcare with 10%, and software services with 9.4%. The number of attacks on healthcare companies somewhat increased, which is mostly because of the Hive ransomware group extending its operations. The Hive ransomware group has no qualms regarding the conduct of attacks on the healthcare industry.