More Ransomware Victims Are Declining to Pay ExtortionistsWhile Average Falls Below 30%, We're Still Far From Seeing Criminal Profits Dry Up
The number of victims who opt to pay a ransom appears to have declined to a record low.
During the last three months of 2023, an average of 29% of organizations hit by ransomware paid a ransom, said ransomware incident response firm Coveware, based on thousands of cases on which it worked. In the same time frame, cyber insurance provider Corvus said claims data shows 27% of its policyholders who were hit by ransomware paid a ransom.
The increase in victims' propensity to tell their attackers to take a hike, especially toward the end of 2023, is a notable shift from what ransomware watchers saw in recent years.
Ransomware: To Pay or Not to Pay?
What's led to a decline in the propensity of ransomware victims to pay a ransom? Fewer organizations are falling for the ransomware ruse of paying for what Coveware calls "intangible promises," such as criminals swearing they'll delete stolen data. Experts say there is no evidence ever, in the history of cybercrime, that such a promise has ever been honored. By contrast, an ever-increasing number of examples show that smooth-talking extortionists get their ransom and then continue to shake down victims.
"The industry continues to get smarter on what can and cannot be reasonably obtained with a ransom payment," Coveware said. "This has led to better guidance to victims and fewer payments for intangible assurances."
Some ransomware groups' barks are much worse than their bites. Recent revelations show how one group, RansomedVC, falsely claimed numerous victims - including State Farm Insurance, NTT Docomo and Sony - and sometimes backed those claims with data it either bought from an information broker or doctored itself.
Even in a worst-case scenario involving attackers publishing real stolen data, "the chances that something really bad will happen are pretty low," said Yelisey Bohuslavskiy, co-founder and chief research officer at New York-based threat intelligence firm RedSense. Empirically speaking, he said, whatever financial losses an organization might suffer from stolen data being leaked is far less than the ransom being demanded by their attacker. In many cases, he added, even if a group tries to leak the data, that doesn't mean anyone will ever see it.
Experts say the FBI has also been instrumental in driving fewer organizations to pay, thanks to its rapid, on-site victim assistance. "The main point of ransomware success is fear," Bohuslavskiy said, and "if you're in the United States, the local FBI cyber branches are extremely effective" at helping to combat that.
"They will find the right words, the right instructions and the right protocols to get you out of there. They're extremely effective," he told me, adding that beyond having steady hands, the bureau can sometimes also bring nonpublic capabilities or workarounds to bear to help victims.
Another factor driving organizations to not pay appears to be overall better business resilience capabilities at organizations. "Companies impacted by ransomware are increasingly able to recover from incidents partially or fully without the use of a decryption tool," Coveware said.
Ransomware experts have long said that even with a decryptor, victims likely won't restore their operations any more quickly than if they have working backups.
Every Dog Has Its Day
Many victims do appear to factor backups into their "to pay or not to pay" decision-making. "Organizations with recoverable backups were 27.4 times less likely to pay the ransom compared to victims without recoverable backups," according to a new study of 382 ransomware incidents in the Netherlands reported to authorities from 2019 to 2022. The results are due to be presented later this month at the e-Crime and Cybersecurity Congress in London.
When a victim does opt to pay, what's the going rate? Coveware said the median ransom amount paid by a victim remained steady at $200,000 during the second half of last year, while in the same time frame the average payment declined 33% to $569,000. It attributes the mean decrease to fewer groups pursuing big game hunting, which is targeting larger organizations in pursuit of larger ransoms. Likely, larger organizations' better business resilience capabilities led to fewer success stories for criminals.
Obviously, the number of victims who choose to pay a ransom hasn't reached anything near extinction levels, as millions of dollars' worth of cryptocurrency is still flowing to ransomware-wielding criminals annually. Even so, anything that helps counter the ransomware madness of recent years is cause for celebration. Fewer funds flowing to the bad guys makes the time-intensive business model less attractive, leaves less money to invest in research and development and helps disincentive such attacks.