Light Dark
April 24, 2023 By Jonathan Reed 4 min read
News

It wasn’t long ago when it seemed like ransomware had the world by the throat. In 2020, a study surveying over 5,000 IT managers found that ransomware hit over half of them in the prior year. Another study showed that 80% of victims who paid a ransom experienced another attack soon thereafter. Meanwhile, in Q1 of 2019, more than eight out of 10 ransomware targets paid the ransom, according to a separate Coveware report.

The federal government and many security professionals strongly advise against paying cyber extortionists. Still, when you lose access to critical business files, the temptation to pay to get them back is significant. A new report has shown, however, that ransomware ransom payment rates have dropped dramatically. What’s behind this encouraging new trend?

Percent of ransomware payers cut by more than half

In Q1 of 2019, a whopping 85% of victims of ransomware were paying the ransom. In Q4 of 2022, the percentage paying ransom plummeted to 37%, according to a recent Coveware report. The report also states that on an annual basis, 41% of victims paid in 2022 compared to 76% in 2019.

Given the continuous advance of cyber crime, it’s great to hear some good news. Let’s look at some potential reasons for this trend.

Companies more prepared against ransomware

One of the main reasons for the drop in ransomware ransom payments is that enterprises are investing more in security and incident response planning, as per Coveware. The potential existential risk posed by ransomware attacks has led to a significant increase in security funding. High-profile attacks, like the one on Colonial Pipeline, have played a critical role in initiating this wave of investment in security and continuity assets. The increased awareness is also evident in the higher search volume for keywords like “immutable backups.”

Immutable backups can be created by writing data to a storage location that is intentionally made read-only. Once the data is written, it cannot be modified, altered or deleted. The backup data remains unaltered and accessible in case of a ransomware attack or other data breach. Immutable backups are often used in industries such as finance, health care and government, where data integrity and security are critical.

Meanwhile, cybersecurity incident response planning enables companies to prepare for and respond to potential security breaches. This involves creating a plan of action that:

  • Outlines steps to take in the event of a security incident.
  • Identifies key personnel involved.
  • Defines roles and responsibilities.

Incident response planning also includes testing the plan through simulations and drills to ensure effectiveness. Continuous updates should keep the plan fresh based on lessons learned from previous incidents. The goal of incident response planning is to minimize the impact of a security incident and restore normal operations as quickly as possible.

Law enforcement steps up to fight ransomware

Coveware also cites the shift in law enforcement strategy as an important factor contributing to the decline in ransomware payments. Rather than solely focusing on making arrests, law enforcement now places more emphasis on assisting victims and imposing costs on those who profit from cyber crime. One example is penalizing cryptocurrency platforms for violating cybersecurity regulation. This strategic shift has yielded tangible results for numerous ransomware victims.

Profitable ransomware is expensive

Another important factor contributing to the decline in ransomware payments is the tightening economics of cyber extortion, as per the Coveware report. As the profitability of ransomware efforts decrease, the operating costs of carrying out an attack increase. This occurs partly due to improved security efforts adopted by organizations. Now, attacks must be more sophisticated — and more expensive — to be successful.

Furthermore, with fewer victims paying ransom, profitability for cyber criminals decreases. The result is a compounding effect that ultimately reduces the number of actors who can sustain themselves through ransomware distribution. Coveware stresses that attacking the economics of cyber crime is the most effective way to counter the threat of ransomware.

Why ransomware payment sizes are increasing

Despite the fact that fewer companies are paying ransoms, the report states that the average and median ransom amounts have increased ($408,643 and $185,972 respectively in Q4 2022). This may result from cyber criminals adjusting their tactics in response to the declining profitability of ransomware attacks, according to Coveware.

Apparently, ransomware groups are targeting larger organizations, as the median victim size increased to 275 employees: a 10% increase from Q3 2022. By targeting larger organizations, threat groups hope to justify larger initial ransom demands even though their success rate is declining. This shift in strategy highlights the importance of continuing to invest in effective cybersecurity measures to prevent and mitigate ransomware attacks.

Rise of ransomware re-extortion

Another indicator of the decreasing value of ransom payments is the emergence of re-extortion incidents. Re-extortion involves the threat actor making a second demand for more money after the victim has already paid an initial ransom. Re-extortion is distinct from double extortion, where the attacker both encrypts a network and threatens to leak or sell exfiltrated data.

Historically, lower-end ransomware groups targeting smaller companies tended to use re-extortion as a tactic. This development underscores the importance of maintaining robust cybersecurity measures, even for smaller organizations that may seem like less lucrative targets.

The spread of re-extortion by ransomware-as-a-service (RaaS) groups targeting larger organizations is a telltale sign of financial pressure. Threat actors are increasingly reluctant to let go of a victim who has paid without attempting to extract more money. Even self-proclaimed “reputable” threat groups are resorting to this amateurish deception technique.

All this underscores the unpredictable nature of the current ransomware landscape. New groups are less concerned than their predecessors with maintaining a “clean” reputation. Also, past negotiations that did not involve deceptive practices cannot be taken as a reliable predictor of future behavior.

Ransomware on the ropes

Ultimately, the driving force behind ransomware activity is economic. When the economics are unfavorable, attackers will resort to deceitful and duplicitous methods to recoup their losses. Still, it’s encouraging to see that fewer victims are paying the ransom.

Cybersecurity, incident response and law enforcement efforts are working against ransomware. So let’s keep up the good work.

 |  |  |  |  |  |  |  | 
Jonathan Reed
Freelance Technology Writer

More from News
August 23, 2023

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

August 16, 2023

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

August 9, 2023

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

August 2, 2023

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature