Ransomware gangs are finding it much harder to profit from their attacks, as fewer victims are paying ransoms to obtain decryption keys and prevent the exposure of stolen data, according to two recently released reports from the ransomware remediation firm Coveware and the blockchain analysis firm Chainalysis.
Coveware reports that in Q1 2019, 85% of ransomware victims paid the ransom following an attack. Since then, the percentage making payments has been steadily declining, with just 37% of ransomware victims paying up in the last two quarters of 2022. Coveware said around 50% of organizations paid ransoms in 2021, compared to 41% in 2022. Chainalysis said total ransomware revenue fell by 40.3% year-over-year, dropping from $765.6 million in 2021 to $456.8 million in 2022. Ransomware victims do not always publicly disclose attacks, or whether a ransom was paid, so both sets of figures are estimates; even so, they strongly suggest an increasing unwillingness of victims to pay up.
There are several reasons for the decline in profits. Organizations have improved their defenses, are monitoring their networks more closely for signs of compromise, and have developed incident response plans for ransomware attacks that allow quicker recovery, so fewer organizations find themselves in a position where they have little alternative to paying the ransom. Insurance companies have played a key role in improving defenses against ransomware. Bill Siegel, CEO and co-founder of Coveware, said that following large losses from ransomware attacks in 2019, insurance companies updated the terms and conditions of their cyber insurance policies, requiring customers to maintain cybersecurity standards, including following best practices for backups, implementing multi-factor authentication, and developing and testing an incident response plan.
Chainalysis suggests that the legal risk of paying ransoms has increased and that this could also be a factor. Paying a ransom to any ransomware group that has been sanctioned by the Department of the Treasury's Office of Foreign Assets Control (OFAC) risks a significant financial penalty, and that exposure applies regardless of whether the victim knew who it was paying. If there is any potential connection between an attack and an entity on the OFAC sanctions list, paying a ransom is incredibly risky.
Faced with dwindling profits, ransomware groups have changed their tactics. Some have opted to target larger organizations in the hope of securing sizeable ransom payments, while others have started targeting smaller organizations because larger organizations have become harder to get to pay up. According to Coveware, in the last quarter of 2022 the average ransom payment increased by 58% to $408,644 and the median payment increased by 342% to $185,972, which Coveware attributes to gangs raising their demands to compensate for the decline in the proportion of victims paying.
While it is becoming harder for cybercriminals to profit from ransomware attacks, that does not mean fewer attacks are being conducted. The data vary but suggest that the number of attacks has remained fairly constant or declined only slightly. There also appears to have been an increase in re-extortion, in which ransomware gangs demand further payments from victims after the initial ransom is paid. While this tactic was more common in attacks on smaller organizations, it is increasingly being used by ransomware groups that target medium and large companies. One problem with this approach, from the attackers' perspective, is that it undermines the one assurance a ransom payment is supposed to buy, so victims will be even less likely to pay up.
The Federal Bureau of Investigation (FBI) discourages organizations from paying ransoms, but payment is not prohibited. The FBI encourages victims to report attacks even when the ransom is paid, and provides assistance to victims. This approach appears to be working. By increasing the support provided to victims, organizations get the help they need to mitigate attacks quickly, and the FBI gains valuable insight into how the groups operate, allowing the agency to anticipate who the groups may target next. That threat intelligence can then be shared with those organizations to help them better defend against attacks.
Declining profitability could prompt some cybercriminals to abandon ransomware, but it could equally make the remaining gangs more aggressive, piling more pressure on victims or conducting more destructive attacks. The advice from the FBI is to invest in defenses, implement an incident response plan, and call the FBI immediately in the event of an attack. Bryan A. Vorndran, assistant director of the FBI's Cyber Division, said the FBI can put a cyber-trained agent on the doorstep of virtually any organization in the country within an hour of an incident being reported. That agent can then provide timely assistance and help the organization recover quickly.