According to at least one cybersecurity company, ransomware payments are actually falling as fewer organizations pay the ransom demand.
Coveware, a ransomware recovery company, said in a blog on Monday that the average ransom payment in the last quarter of 2020 was $154,108, down 34% from the quarter prior. The median ransom payment also declined, this time by 55% from the third quarter.
That represents a decline in average payment from $233,817 to $154,108, and a decline in median payment from $110,532 to $49,450.
“The dramatic reduction was attributed to more victims of data exfiltration attacks saying ‘ENOUGH’ and choosing not to pay,” the company said in its blog.
With more companies falling victim, more are having the opportunity to constructively consider the trade offs, and are increasingly choosing not to pay. Attacking the raw economics of the cyber extortion economy from multiple angles is the best way to retract the volume of attacks.
When fewer companies pay, regardless of the reason, it causes a long term impact, that compounded over time can make a material difference in the volume of attacks. However, even with this single incremental data point, profit margins remain very high for ransomware actors, and risk of arrest also remains low.
Those encouraging figures come in spite of what Coveware says is an increase in ransomware attacks that threaten to release stolen data.
According to the company, the percentage of attacks that involved that threat increased from 50% in the third quarter to 70% in the fourth quarter.
However, fewer companies are giving in to that extortion, as 59.6% of victims declined to pay a ransom in the fourth quarter. In the quarter prior, an overwhelming majority, 74.8%, paid the ransom.
The 4th quarter of 2020 marked a turning point with the data exfiltration tactic. Coveware continues to witness signs that stolen data is not deleted or purged after payment.
Moreover, we are seeing groups take measures to fabricate data exfiltration in cases where it did not occur. These tricks and tactics put a premium on ensuring that threats are thoroughly validated.
According to Coveware, victims that pay a ransom should expect that the stolen data hasn’t been destroyed. Instead, they should assume that it was traded, sold, misplaced or held for a future extortion attempt.
Even if the attacker deletes data following a payment, other actors may have had access to it and made copies to use in future extortion attempts. In other cases, the data might be published before a response can be given.
Coveware also shed light on how threat actors are increasingly wiping data outright, rather than limiting themselves to targeted destruction of backups or encryption of critical systems.
In Q4, Coveware received multiple reports from victims that entire clusters of servers and data shares had been permanently wiped out, with no recourse for retrieving the data even with the purchase of the decryption key. Ransomware actors are typically attentive when it comes to deleting data, as they know victims are only incentivized to pay for a tool if the data is still there, and merely encrypted.
The uptick in haphazard data destruction has led some victims to suffer significant data loss and extended business interruption as they struggle to rebuild systems from scratch. It remains unclear whether these events have been outliers or a symptom of less experienced bad actors handling the attack execution.
For more information on how ransomware tactics are evolving in 2021, read Coveware’s blog.