Average Ransom Payment Decreased by 34% in 1st Q of 2022

The average ransom payment associated with ransomware attacks diminished by 34% in Quarter 1 of 2022, from a record high in 4th Q of 2021, based on ransomware incident response company Coveware. The average and median ransom payment in Quarter 1 of 2022 was $211,259 and $73,906, respectively.

The drop in total ransom payments was related to a number of factors. Coveware says ransomware groups were targeting smaller businesses and issuing lesser ransom payments, because of the growing scrutiny by law enforcement whenever attacks are done on large companies. The median organization size is dropping since Quarter 4 of 2020, and is currently with about 160 workers. This seems to be the sweet spot, where the organizations have enough income to get big ransom payments, however not so big that attacks will prompt appreciable scrutiny by authorities.

One more reason why total ransom payments have dropped is the reduced number of victims of ransomware attacks who were paying the ransom. The number of subjects of ransomware attacks that pay the ransom is gradually declining, from 85% of victims in 1st Q of 2019 to 46% of victims in Quarter 1 of 2022. Also, a few of the most well-known ransomware operations had been quiet, like Maze and REvil (Sodinokibi).

LockBit and Conti are the most high profile ransomware operations, accounting for 16.1% and 14.9% of ransomware attacks respectively, then BlackCat/Alphv (7.1%), Hive (5.4%), and AvosLocker (4.8%). Coveware advises that the affiliates who partner with ransomware-as-a-service operations seem to be less eager to work together with large RaaS groups because those groups are usually targeted by law enforcement. It is currently common for affiliates to try scaled-down RaaS operations or possibly make their own ransomware variants using leaked source code.

The most typical attack vectors in ransomware attacks are exploiting unpatched vulnerabilities in software apps and operating systems, phishing, and Remote Desktop Protocol connections. Coveware has seen a rise in other attack vectors as of 2nd Q, 2021, for instance, social engineering and the direct compromise of insiders. Social engineering attacks are comparable to phishing however are remarkably targeted and usually include preparing or grooming targeted staff members before convincing them to give access to the network. There has additionally been a growth in solitary wolf attackers. Coveware knew the development in late 2021, and it has carried on all through the 1st Q of 2022. Attacks by these threat actors are generally carried out on businesses that have much better security than the common ransomware victim, like multi-factor authentication appropriately enabled for all workers and critical resources.

The Maze ransomware operation began utilizing double extortion tactics in late 2019.  That is, data is stolen from victims prior to file encryption. Payment is then demanded for the decryptor and to avoid the publication or sale of stolen information. These tactics were quickly followed by numerous ransomware operations and grew to be the norm, even though there was a fall in attacks concerning encryption and extortion in Quarter 1 of 2022. Double extortion was utilized in 84% of attacks in 4th Q of 2021, and 77% of attacks in 1st Q of 2022. Although double extortion is probably broadly employed in attacks for the near future, Coveware thinks the change from data encryption to data extortion will keep on, because data theft and naming and shaming of affected individuals will only call the interest of authorities. Data theft without encryption leads to no operational interruption yet maintains the capability of the threat actor to extort the affected individual. We anticipate this change from Big Game Hunting to Big Shame Hunting to carry on, explained Coveware in the report.

Coveware warned about giving the ransom demand to avert the posting or selling of data, as there are no guarantees that payment will bring about data deletion. In 63% of attacks wherein a ransom payment was made to stop the publication or selling of stolen information, the attackers gave no proof of data removal. In the rest of the attacks where evidence was offered, it could very easily be faked. When videos, screenshots, live screen shares, or deletion logs are given as proof, victims should have faith that a copy of the information was not made. In one prominent case, a threat actor explicitly stated that the stolen data will not be deleted if paid, and would keep it for future use against the victim, stated Coveware.