Fewer ransomware victims are paying up. But there’s a catch


Cyber criminals are making less money from ransomware attacks as victims increasingly refuse to pay their ransom demands.

Analysis by cryptocurrency and blockchain company Chainalysis suggests that ransom payments dropped by 40% last year, declining from $765.6 million in 2021 to $456.8 million in 2022.

Meanwhile, cybersecurity researchers at Coveware have also suggested that the number of victims paying ransoms has declined significantly in recent years, dropping from 76% of victims in 2019, down to 41% of victims in 2022.

The figures don’t and can’t account for every ransomware attack, but researchers suggest that the pattern is clear: fewer victims are giving in to extortion demands and ransomware gangs are, overall, finding it harder to monetize attacks.

But that doesn’t mean ransomware attacks pose any less of a threat; cyber criminals are still hacking into networks and encrypting data, causing disruption to businesses, infrastructure, and everyday services. And even if victims aren’t giving in to ransom demands, ransomware gangs are still leaking stolen information in retaliation.

According to Coveware, there are several reasons why the number of ransom payments has declined.

The first is that organizations are getting better at cybersecurity strategy and incident response planning, investing in protections such as backup software and hardware, so that if they fall victim to a ransomware attack, there’s a means of retrieving the data without giving in to the extortion demands.

And if the company has invested in a good cybersecurity strategy, it means they’re better equipped to deal with the fallout, even if an attack is successful.

“Companies that are better able to defend themselves do not succumb to attacks as frequently. Enterprises with well-practiced incident response processes are less likely to experience material impact (which may result in a ransom payment) when an attack is successful,” said Coveware researchers.

Researchers suggest the second reason for the decline in ransom payments is a change in approach from law enforcement, which has shifted from being purely focused on shutting down cyber-criminal operations and making arrests to directly helping victims of attacks, as well as providing advice and support on how to ensure the network is as robust against cyberattacks as possible.

The third reason for the decline in ransom payments is down to a self-fulfilling cycle; as fewer victims pay the ransoms, it becomes harder for ransomware gangs to make money, meaning that some groups are forced to cease operations because it just isn’t worth the time or effort if they’re not making a return.

“The end result is a smaller number of cyber criminal actors that can make a living distributing ransomware, and ultimately fewer attacks,” said Coveware.

While the decline in ransom payments will be welcomed by many, it doesn’t mean that ransomware is no longer a threat. Because even if more victims are refusing to pay ransoms, organizations are still getting hit with ransomware attacks.

For starters, being hit with a ransomware attack and being locked out of files and servers will cause disruption — and when this lockout involves critical infrastructure or healthcare, it can have devastating and long-term impacts on people who rely on those services.

In addition, many ransomware operations now engage in what’s known as ‘double extortion’ attacks, in which cyber criminals use the network access they’ve acquired to plant ransomware to also steal sensitive information.

According to analysis of underground forums by cybersecurity researchers at Group-IB, there’s been a 22% increase in dark web data leaks following ransomware attacks over the last year.

The rise in data leaks could be linked to the rise in victims unwilling to pay the ransom, with cyber criminals publishing the stolen information in retaliation — although even when victims opt to pay the ransom, it’s not unknown for cyber criminals to take the money and publish the information anyway.

Ransomware remains a significant cybersecurity threat to organizations, but there are strategies that can be implemented to make it more difficult for ransomware gangs and other cyber-criminal groups to breach networks and make money from attacks.

Securing users with multi-factor authentication (MFA) can go a long way to stopping hackers from getting into the network, even if they know the right password. If used correctly, MFA not only prevents cyber criminals from exploiting stolen login credentials, but can also inform the user — and the security team — that passwords have been guessed or stolen. 
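The alerting side of MFA described above can be sketched as a small detection rule. This is an added example, not part of the original article: it flags accounts where the password was accepted but the second factor was never completed. The log format, field names and five-minute grace window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format (not from any real product).
SAMPLE_LOG = """\
2023-01-20T09:00:05 user=alice src=198.51.100.23 password=ok mfa=denied
2023-01-20T09:00:40 user=alice src=198.51.100.23 password=ok mfa=denied
2023-01-20T09:02:10 user=bob src=192.0.2.10 password=ok mfa=timeout
2023-01-20T09:03:00 user=bob src=192.0.2.10 password=ok mfa=ok
2023-01-20T09:05:00 user=carol src=203.0.113.9 password=fail mfa=none
2023-01-20T09:06:00 user=dave src=192.0.2.44 password=ok mfa=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"password=(?P<pw>ok|fail) mfa=(?P<mfa>ok|denied|timeout|none)$"
)

def parse(log_text):
    """Parse log lines into event dicts; lines not in the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def suspected_stolen_passwords(events, grace=timedelta(minutes=5)):
    """Return {user: sorted source IPs} where the password was accepted, the
    second factor failed, and that source never completed MFA within `grace`."""
    flagged = {}
    for e in events:
        if e["pw"] != "ok" or e["mfa"] not in ("denied", "timeout"):
            continue
        # A legitimate user who fumbles a prompt usually succeeds shortly after.
        recovered = any(
            o["user"] == e["user"] and o["src"] == e["src"] and o["mfa"] == "ok"
            and timedelta(0) <= o["ts"] - e["ts"] <= grace
            for o in events
        )
        if not recovered:
            flagged.setdefault(e["user"], set()).add(e["src"])
    return {u: sorted(s) for u, s in flagged.items()}

if __name__ == "__main__":
    for user, sources in suspected_stolen_passwords(parse(SAMPLE_LOG)).items():
        print(f"reset password and review sessions: {user} from {sources}")
```

A flagged account means someone holds a working password, so the response is a password reset and a session review rather than only dismissing the failed prompt.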

It’s also recommended that user accounts are secured with strong, unique passwords, so there’s a reduced risk of cyber criminals being able to use brute force attacks to crack common or simple passwords.

Organizations should also ensure security patches and updates are applied in a timely manner, to prevent cyber criminals from being able to exploit vulnerabilities with known fixes to gain access to accounts or networks.