Refuse to pay! In the first quarter of 2024, the ransom payout ratio fell to an all-time low

Author: FreeBuf

Cybersecurity firm Coveware has found that a growing number of organizations attacked by ransomware gangs have concluded that paying the ransom is completely useless and are refusing to pay. As a result, only 28% of ransomware victims chose to pay the ransom in the first quarter of 2024, an all-time low.

It is reported that more and more organizations refuse to pay because victim organizations are gradually becoming able to withstand encryption attacks and can assemble a team of security personnel to resume business operations without decryption keys. Victims also find that even if the ransom is paid, the stolen data can still be leaked or even resold.

For a variety of reasons, many ransomware victims choose to refuse to pay the ransom.

Coveware also cited LockBit as an example: the gang has been spotted multiple times still holding victims' stolen data after receiving the ransom. In addition, many researchers have paid the ransom for the stolen data of Hive ransomware victims, yet the attackers still have it "waiting for a sale" on the Hunters International leak website.

The behavior of these two veteran ransomware gangs is very common across the entire ransomware "ecosystem". It proves time and time again that even if the victim pays the ransom after a ransomware attack, paying does not settle the matter, which is why more and more victims have chosen to refuse to pay in recent years.

Ransom Payout Rate - Time Change (Source: Coveware)

Not only did the ransom payout rate reach an all-time low; Coveware also noted in the report that the average ransom payment decreased by 32% month-over-month and is currently $381,980.

It should be noted that while the payout percentage and the average payment amount have dropped significantly, the median ransom payment has increased by 25% quarter-over-quarter to $250,000. The amount paid to ransomware gangs is also higher than ever, reaching $1.1 billion in 2023, according to a report by Chainalysis.

The decline in the average ransom payment and the rise in the median ransom payment indicate a gradual decrease in the proportion of "high-value" victims of ransomware, which may be due to the ransom demands becoming more "modest" or fewer and fewer high-value targets choosing to "give in".

The ransomware "ecosystem" is being reshaped

As large ransomware gangs such as LockBit 2.0 and Alphv/Blackcat "disintegrate" and many of their affiliates look for a safer "harbor" in the "storm", smaller ransomware-as-a-service (RaaS) gangs are trying to attract these affiliates to their own camps.

A few days ago, Sophos X-Ops security researchers discovered 19 "cheap", poorly constructed ransomware variants. Christopher Budd, director of threat research at Sophos, said that while these ransomware variants don't demand million-dollar ransoms like the Cl0p and LockBit gangs, they do have a serious impact on small and medium-sized businesses.

Most active ransomware groups in Q1 2024 (Source: Coveware)

Finally, GuidePoint researchers advise ransomware victims (mostly small and medium-sized businesses) to think twice before paying small or immature RaaS ransomware gangs, mainly because these gangs often exaggerate and boast about their "successes", are untrustworthy, and will extort their victims again.
