April 24, 2023 By Jonathan Reed

It wasn’t long ago when it seemed like ransomware had the world by the throat. In 2020, a study surveying over 5,000 IT managers found that ransomware hit over half of them in the prior year. Another study showed that 80% of victims who paid a ransom experienced another attack soon thereafter. Meanwhile, in Q1 of 2019, more than eight out of 10 ransomware targets paid the ransom, according to a separate Coveware report.

The federal government and many security professionals strongly advise against paying cyber extortionists. Still, when you lose access to critical business files, the temptation to pay to get them back is significant. A new report has shown, however, that ransom payment rates have dropped dramatically. What’s behind this encouraging new trend?

Percent of ransomware payers cut by more than half

In Q1 of 2019, a whopping 85% of victims of ransomware were paying the ransom. In Q4 of 2022, the percentage paying ransom plummeted to 37%, according to a recent Coveware report. The report also states that on an annual basis, 41% of victims paid in 2022 compared to 76% in 2019.

Given the continuous advance of cyber crime, it’s great to hear some good news. Let’s look at some potential reasons for this trend.

Companies more prepared against ransomware

One of the main reasons for the drop in ransom payments is that enterprises are investing more in security and incident response planning, as per Coveware. The potential existential risk posed by ransomware attacks has led to a significant increase in security funding. High-profile attacks, like the one on Colonial Pipeline, have played a critical role in initiating this wave of investment in security and continuity assets. The increased awareness is also evident in the higher search volume for keywords like “immutable backups.”

Immutable backups can be created by writing data to a storage location that is intentionally made read-only. Once the data is written, it cannot be modified, altered or deleted. The backup data remains unaltered and accessible in case of a ransomware attack or other data breach. Immutable backups are often used in industries such as finance, health care and government, where data integrity and security are critical.

Meanwhile, cybersecurity incident response planning enables companies to prepare for and respond to potential security breaches. This involves creating a plan of action that:

  • Outlines steps to take in the event of a security incident.
  • Identifies key personnel involved.
  • Defines roles and responsibilities.

Incident response planning also includes testing the plan through simulations and drills to ensure effectiveness. Continuous updates should keep the plan fresh based on lessons learned from previous incidents. The goal of incident response planning is to minimize the impact of a security incident and restore normal operations as quickly as possible.

Law enforcement steps up to fight ransomware

Coveware also cites the shift in law enforcement strategy as an important factor contributing to the decline in ransomware payments. Rather than solely focusing on making arrests, law enforcement now places more emphasis on assisting victims and imposing costs on those who profit from cyber crime. One example is penalizing cryptocurrency platforms for violating cybersecurity regulation. This strategic shift has yielded tangible results for numerous ransomware victims.

Profitable ransomware is expensive

Another important factor contributing to the decline in ransomware payments is the tightening economics of cyber extortion, as per the Coveware report. As the profitability of ransomware efforts decreases, the operating costs of carrying out an attack increase. This occurs partly due to improved security efforts adopted by organizations. Now, attacks must be more sophisticated — and more expensive — to be successful.

Furthermore, with fewer victims paying ransom, profitability for cyber criminals decreases. The result is a compounding effect that ultimately reduces the number of actors who can sustain themselves through ransomware distribution. Coveware stresses that attacking the economics of cyber crime is the most effective way to counter the threat of ransomware.

Why ransomware payment sizes are increasing

Despite the fact that fewer companies are paying ransoms, the report states that the average and median ransom amounts have increased ($408,643 and $185,972 respectively in Q4 2022). This may result from cyber criminals adjusting their tactics in response to the declining profitability of ransomware attacks, according to Coveware.

Apparently, ransomware groups are targeting larger organizations, as the median victim size increased to 275 employees: a 10% increase from Q3 2022. By targeting larger organizations, threat groups hope to justify larger initial ransom demands even though their success rate is declining. This shift in strategy highlights the importance of continuing to invest in effective cybersecurity measures to prevent and mitigate ransomware attacks.

Rise of ransomware re-extortion

Another indicator of the decreasing value of ransom payments is the emergence of re-extortion incidents. Re-extortion involves the threat actor making a second demand for more money after the victim has already paid an initial ransom. Re-extortion is distinct from double extortion, where the attacker both encrypts a network and threatens to leak or sell exfiltrated data.

Historically, lower-end ransomware groups targeting smaller companies tended to use re-extortion as a tactic. This development underscores the importance of maintaining robust cybersecurity measures, even for smaller organizations that may seem like less lucrative targets.

The spread of re-extortion by ransomware-as-a-service (RaaS) groups targeting larger organizations is a telltale sign of financial pressure. Threat actors are increasingly reluctant to let go of a victim who has paid without attempting to extract more money. Even self-proclaimed “reputable” threat groups are resorting to this amateurish deception technique.

All this underscores the unpredictable nature of the current ransomware landscape. New groups are less concerned than their predecessors with maintaining a “clean” reputation. Also, past negotiations that did not involve deceptive practices cannot be taken as a reliable predictor of future behavior.

Ransomware on the ropes

Ultimately, the driving force behind ransomware activity is economic. When the economics are unfavorable, attackers will resort to deceitful and duplicitous methods to recoup their losses. Still, it’s encouraging to see that fewer victims are paying the ransom.

Cybersecurity, incident response and law enforcement efforts are working against ransomware. So let’s keep up the good work.
