Proportion paying ransoms declines in Q1 2024, even as takings break a new record
Only 28% willing to meet ransomware gangs' demands
Statistics from cybersecurity firm Coveware show that organisations are increasingly refusing to meet ransomware extortion demands: only 28% of victims Coveware worked with paid in the first quarter of this year, a record low.
This compares with 29% paying in the last quarter of 2023 and continues a downward trend observed since 2019. In Q1 2019, 85% paid, according to Coveware's figures.
It comes as organisations implement advanced protective measures, face regulatory pressure not to pay, and as the belief that cybercriminals will act according to their promises if a ransom is paid has diminished.
Nevertheless, the total amount raked in by ransomware gangs is higher than ever, according to a report by Chainalysis, reaching $1.1 billion last year and reflecting the sheer volume of attacks.
Ransomware groups are hitting more companies by increasing their attack frequency, and they demand large sums both to refrain from leaking stolen data and to supply the victim with a decryption tool.
Focusing on the first quarter of this year, Coveware's data shows a 32% quarter-on-quarter (QoQ) drop in the average ransom payment, now $381,980, but a 25% QoQ rise in the median payment, now $250,000. A falling average alongside a rising median indicates that fewer large, high-profile victims are paying very large sums, while more mid-sized organisations are still paying.
In Q1, the most widely exploited vulnerabilities were CVE-2023-20269 (Cisco ASA/FTD), CVE-2023-4966 (Citrix NetScaler) and CVE-2024-1708 and CVE-2024-1709 (ConnectWise ScreenConnect), all used by attackers to gain initial remote access to victim networks.
Coveware credited the disruption of LockBit by multiple law enforcement agencies with having a massive impact on one of the most active ransomware operations. Such operations have reduced the confidence of other ransomware affiliates in RaaS operators, which has led many to operate on their own.
"We have already seen an increase in Babuk forks in recent attacks, and several former RaaS affiliates using the ubiquitous, and almost free, Dharma/Phobos services," said the Coveware report. Some affiliates have decided to quit cybercrime altogether.
"Most participants in the cyber extortion ecosystems are not hardened criminals, rather they are individuals with STEM skills that live in jurisdictions lacking both extradition treaties and sufficient legitimate economic opportunities to put their skills to use," said Coveware.
"Some of these people will view the increased risk of getting in trouble along with the risk of getting cut out of their income as enough reason to quit."
The most active gang in terms of the number of attacks in Q1 was Akira. It has held that position for nine months. Last week, the FBI stated that Akira was responsible for breaches in more than 250 organisations, collecting a total $42 million in ransom payments.