April 24, 2023 By Jonathan Reed 4 min read

It wasn’t long ago when it seemed like ransomware had the world by the throat. In 2020, a study surveying over 5,000 IT managers found that ransomware hit over half of them in the prior year. Another study showed that 80% of victims who paid a ransom experienced another attack soon thereafter. Meanwhile, in Q1 of 2019, more than eight out of 10 ransomware targets paid the ransom, according to a separate Coveware report.

The federal government and many security professionals strongly advise against paying cyber extortionists. Still, when you lose access to critical business files, the temptation to pay to get them back is significant. A new report has shown, however, that ransomware ransom payment rates have dropped dramatically. What’s behind this encouraging new trend?

Percent of ransomware payers cut by more than half

In Q1 of 2019, a whopping 85% of victims of ransomware were paying the ransom. In Q4 of 2022, the percentage paying ransom plummeted to 37%, according to a recent Coveware report. The report also states that on an annual basis, 41% of victims paid in 2022 compared to 76% in 2019.

Given the continuous advance of cyber crime, it’s great to hear some good news. Let’s look at some potential reasons for this trend.

Companies more prepared against ransomware

One of the main reasons for the drop in ransomware ransom payments is that enterprises are investing more in security and incident response planning, as per Coveware. The potential existential risk posed by ransomware attacks has led to a significant increase in security funding. High-profile attacks, like the one on Colonial Pipeline, have played a critical role in initiating this wave of investment in security and continuity assets. The increased awareness is also evident in the higher search volume for keywords like “immutable backups.”

Immutable backups can be created by writing data to a storage location that is intentionally made read-only. Once the data is written, it cannot be modified, altered or deleted. The backup data remains unaltered and accessible in case of a ransomware attack or other data breach. Immutable backups are often used in industries such as finance, health care and government, where data integrity and security are critical.

Meanwhile, cybersecurity incident response planning enables companies to prepare for and respond to potential security breaches. This involves creating a plan of action that:

  • Outlines steps to take in the event of a security incident.
  • Identifies key personnel involved.
  • Defines roles and responsibilities.

Incident response planning also includes testing the plan through simulations and drills to ensure effectiveness. Continuous updates should keep the plan fresh based on lessons learned from previous incidents. The goal of incident response planning is to minimize the impact of a security incident and restore normal operations as quickly as possible.

Law enforcement steps up to fight ransomware

Coveware also cites the shift in law enforcement strategy as an important factor contributing to the decline in ransomware payments. Rather than solely focusing on making arrests, law enforcement now places more emphasis on assisting victims and imposing costs on those who profit from cyber crime. One example is penalizing cryptocurrency platforms for violating cybersecurity regulation. This strategic shift has yielded tangible results for numerous ransomware victims.

Profitable ransomware is expensive

Another important factor contributing to the decline in ransomware payments is the tightening economics of cyber extortion, as per the Coveware report. As the profitability of ransomware efforts decrease, the operating costs of carrying out an attack increase. This occurs partly due to improved security efforts adopted by organizations. Now, attacks must be more sophisticated — and more expensive — to be successful.

Furthermore, with fewer victims paying ransom, profitability for cyber criminals decreases. The result is a compounding effect that ultimately reduces the number of actors who can sustain themselves through ransomware distribution. Coveware stresses that attacking the economics of cyber crime is the most effective way to counter the threat of ransomware.

Why ransomware payment sizes are increasing

Despite the fact that fewer companies are paying ransoms, the report states that the average and median ransom amounts have increased ($408,643 and $185,972 respectively in Q4 2022). This may result from cyber criminals adjusting their tactics in response to the declining profitability of ransomware attacks, according to Coveware.

Apparently, ransomware groups are targeting larger organizations, as the median victim size increased to 275 employees: a 10% increase from Q3 2022. By targeting larger organizations, threat groups hope to justify larger initial ransom demands even though their success rate is declining. This shift in strategy highlights the importance of continuing to invest in effective cybersecurity measures to prevent and mitigate ransomware attacks.

Rise of ransomware re-extortion

Another indicator of the decreasing value of ransom payments is the emergence of re-extortion incidents. Re-extortion involves the threat actor making a second demand for more money after the victim has already paid an initial ransom. Re-extortion is distinct from double extortion, where the attacker both encrypts a network and threatens to leak or sell exfiltrated data.

Historically, lower-end ransomware groups targeting smaller companies tended to use re-extortion as a tactic. This development underscores the importance of maintaining robust cybersecurity measures, even for smaller organizations that may seem like less lucrative targets.

The spread of re-extortion by ransomware-as-a-service (RaaS) groups targeting larger organizations is a telltale sign of financial pressure. Threat actors are increasingly reluctant to let go of a victim who has paid without attempting to extract more money. Even self-proclaimed “reputable” threat groups are resorting to this amateurish deception technique.

All this underscores the unpredictable nature of the current ransomware landscape. New groups are less concerned than their predecessors with maintaining a “clean” reputation. Also, past negotiations that did not involve deceptive practices cannot be taken as a reliable predictor of future behavior.

Ransomware on the ropes

Ultimately, the driving force behind ransomware activity is economic. When the economics are unfavorable, attackers will resort to deceitful and duplicitous methods to recoup their losses. Still, it’s encouraging to see that fewer victims are paying the ransom.

Cybersecurity, incident response and law enforcement efforts are working against ransomware. So let’s keep up the good work.

More from News

CISA warns about credential access in FY23 risk & vulnerability assessment

3 min read - CISA released its Fiscal Year 2023 (FY23) Risk and Vulnerability Assessments (RVA) Analysis, providing a crucial look into the tactics and techniques threat actors employed to compromise critical infrastructure. The report is part of the agency’s ongoing effort to improve national cybersecurity through assessments of vulnerabilities in key sectors. Meanwhile, IBM’s X-Force Threat Intelligence Index 2024 has identified credential access as one of the most significant risks to organizations. Both reports shed light on the persistent and growing threat of…

CISA launches portal to simplify cyber incident reporting

2 min read - Information sharing just got more efficient. In August, the Cybersecurity and Infrastructure Security Agency (CISA) launched the CISA Services Portal. “The new CISA Services Portal improves the reporting process and offers more features for our voluntary reporters. We ask organizations reporting an incident to provide information on the impacted entity, contact information, description of the incident, technical indications and steps taken,” a CISA spokesperson said in an email statement. “Reported incidents enable CISA and our partners to help victims mitigate…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today