It wasn’t long ago when it seemed like ransomware had the world by the throat. In 2020, a study surveying over 5,000 IT managers found that ransomware hit over half of them in the prior year. Another study showed that 80% of victims who paid a ransom experienced another attack soon thereafter. Meanwhile, in Q1 of 2019, more than eight out of 10 ransomware targets paid the ransom, according to a separate Coveware report.

The federal government and many security professionals strongly advise against paying cyber extortionists. Still, when you lose access to critical business files, the temptation to pay to get them back is significant. A new report has shown, however, that ransomware ransom payment rates have dropped dramatically. What’s behind this encouraging new trend?

Percent of Ransomware Payers Cut by More Than Half

In Q1 of 2019, a whopping 85% of victims of ransomware were paying the ransom. In Q4 of 2022, the percentage paying ransom plummeted to 37%, according to a recent Coveware report. The report also states that on an annual basis, 41% of victims paid in 2022 compared to 76% in 2019.

Given the continuous advance of cyber crime, it’s great to hear some good news. Let’s look at some potential reasons for this trend.

Companies More Prepared Against Ransomware

One of the main reasons for the drop in ransomware ransom payments is that enterprises are investing more in security and incident response planning, as per Coveware. The potential existential risk posed by ransomware attacks has led to a significant increase in security funding. High-profile attacks, like the one on Colonial Pipeline, have played a critical role in initiating this wave of investment in security and continuity assets. The increased awareness is also evident in the higher search volume for keywords like “immutable backups.”

Immutable backups can be created by writing data to a storage location that is intentionally made read-only. Once the data is written, it cannot be modified, altered or deleted. The backup data remains unaltered and accessible in case of a ransomware attack or other data breach. Immutable backups are often used in industries such as finance, health care and government, where data integrity and security are critical.

Meanwhile, cybersecurity incident response planning enables companies to prepare for and respond to potential security breaches. This involves creating a plan of action that:

  • Outlines steps to take in the event of a security incident.
  • Identifies key personnel involved.
  • Defines roles and responsibilities.

Incident response planning also includes testing the plan through simulations and drills to ensure effectiveness. Continuous updates should keep the plan fresh based on lessons learned from previous incidents. The goal of incident response planning is to minimize the impact of a security incident and restore normal operations as quickly as possible.

Law Enforcement Steps Up to Fight Ransomware

Coveware also cites the shift in law enforcement strategy as an important factor contributing to the decline in ransomware payments. Rather than solely focusing on making arrests, law enforcement now places more emphasis on assisting victims and imposing costs on those who profit from cyber crime. One example is penalizing cryptocurrency platforms for violating cybersecurity regulation. This strategic shift has yielded tangible results for numerous ransomware victims.

Profitable Ransomware is Expensive

Another important factor contributing to the decline in ransomware payments is the tightening economics of cyber extortion, as per the Coveware report. As the profitability of ransomware efforts decrease, the operating costs of carrying out an attack increase. This occurs partly due to improved security efforts adopted by organizations. Now, attacks must be more sophisticated — and more expensive — to be successful.

Furthermore, with fewer victims paying ransom, profitability for cyber criminals decreases. The result is a compounding effect that ultimately reduces the number of actors who can sustain themselves through ransomware distribution. Coveware stresses that attacking the economics of cyber crime is the most effective way to counter the threat of ransomware.

Why Ransomware Payment Sizes Are Increasing

Despite the fact that fewer companies are paying ransoms, the report states that the average and median ransom amounts have increased ($408,643 and $185,972 respectively in Q4 2022). This may result from cyber criminals adjusting their tactics in response to the declining profitability of ransomware attacks, according to Coveware.

Apparently, ransomware groups are targeting larger organizations, as the median victim size increased to 275 employees: a 10% increase from Q3 2022. By targeting larger organizations, threat groups hope to justify larger initial ransom demands even though their success rate is declining. This shift in strategy highlights the importance of continuing to invest in effective cybersecurity measures to prevent and mitigate ransomware attacks.

Rise of Ransomware Re-Extortion

Another indicator of the decreasing value of ransom payments is the emergence of re-extortion incidents. Re-extortion involves the threat actor making a second demand for more money after the victim has already paid an initial ransom. Re-extortion is distinct from double extortion, where the attacker both encrypts a network and threatens to leak or sell exfiltrated data.

Historically, lower-end ransomware groups targeting smaller companies tended to use re-extortion as a tactic. This development underscores the importance of maintaining robust cybersecurity measures, even for smaller organizations that may seem like less lucrative targets.

The spread of re-extortion by ransomware-as-a-service (RaaS) groups targeting larger organizations is a telltale sign of financial pressure. Threat actors are increasingly reluctant to let go of a victim who has paid without attempting to extract more money. Even self-proclaimed “reputable” threat groups are resorting to this amateurish deception technique.

All this underscores the unpredictable nature of the current ransomware landscape. New groups are less concerned than their predecessors with maintaining a “clean” reputation. Also, past negotiations that did not involve deceptive practices cannot be taken as a reliable predictor of future behavior.

Ransomware On the Ropes

Ultimately, the driving force behind ransomware activity is economic. When the economics are unfavorable, attackers will resort to deceitful and duplicitous methods to recoup their losses. Still, it’s encouraging to see that fewer victims are paying the ransom.

Cybersecurity, incident response and law enforcement efforts are working against ransomware. So let’s keep up the good work.

More from News

Zombie APIs are a Top Security Concern as API Attacks Surge 400%

4 min read - Organizations of all sizes rely on application programming interfaces (APIs). The API explosion has been driven by several factors, including cloud computing, demand for mobile/web applications, microservices architecture and the API economy as a business model. APIs enable developers to access data remotely, integrate with other services, build modular applications and monetize their data/services. For enterprises that participated in a recent research study, the average number of APIs per organization was 15,564. Large enterprises (over 10,000 employees) had an average…

4 min read

Google’s Bug Bounty Hits $12 Million: What About the Risks?

4 min read - Bug bounty numbers have never been better. In 2022, Google rewarded the efforts of over 700 researchers from 68 different countries who helped improve the security of the company’s products and services. The total amount of awards grew from $8.7 million paid in 2021 to $12 million in 2022, a nearly 38% increase. Over the past few years, bug bounty programs have gained significant traction. Companies have been lured in by the potential to identify vulnerabilities quickly, enhance product security…

4 min read

Swiss Army Knife Malware Slices Through Systems In so Many Ways

4 min read - What if one single malware strain could cut through any security that tried to stop it? In a new study of more than 550,000 live malware strains, the Picus Red Report 2023 has unveiled a trove of over 5 million malicious activities. In the report, researchers identified the top tactics utilized by cyber criminals in 2022. Picus' findings also highlighted the growing prevalence of "Swiss Army knife malware". This type of malicious software is capable of executing a range of…

4 min read

Will Threat Actors Face Layoffs in 2023?

2 min read - You can’t look at the news these days without reading about layoffs in the technology sector. Roger Lee, founder of told that more than 120,000 tech employees lost their jobs in 2023 as of Feb 27, compared to 161,411 in all of 2022. However, all layoffs aren’t bad news. Most people don’t think of criminals losing their jobs. But if the criminal activity isn’t making money, then it makes no sense to continue. And that is happening in…

2 min read