Ransomware Actors Face Obstacles as Companies Refuse to Pay Exorbitant Demands
The start of this year has been a struggle for ransomware actors, with a record low of just 28% of companies paying extortion demands in the first quarter of 2024, based on statistics from cybersecurity company Coveware. This marks a decrease from 29% in Q4 2023, and the decline in payment rates has been steady since early 2019.
This decline can be attributed to organizations implementing more advanced security measures, increased legal pressure not to give in to criminals’ financial demands, and cybercriminals repeatedly breaking promises not to publish or resell stolen data if a ransom is paid.
However, it is important to note that despite the drop in payment rates, the total amount paid to ransomware actors is higher than ever, reaching $1.1 billion last year, according to a report by Chainalysis. This can be attributed to ransomware gangs targeting more organizations, increasing attack frequency, and demanding larger sums to prevent the exposure of private information and to provide victims with a decryption key.
In the first quarter of 2024, Coveware reports a 32% quarter-over-quarter drop in the average ransom payment, now at $381,980, along with a 25% quarter-over-quarter increase in the median ransom payment, which stands at $250,000.
This simultaneous decrease in the average and increase in median ransom payments indicates a decline in high-figure payments and an increase in moderate amounts. This could be due to ransom demands becoming more modest and/or fewer high-value targets giving in to extortion.
As for initial infiltration methods, a growing number of cases have no known entry point, reaching almost half of all reported cases in the first quarter of 2024.
Of those that have been determined, remote access and vulnerability exploitation play the largest role, with the CVE-2023-20269, CVE-2023-4966, and CVE-2024-1708-9 flaws being the most widely exploited by ransomware operators in Q1.
The Impact of Law Enforcement Operations
Coveware reports that the FBI’s disruption of LockBit has had a significant impact on the once-leading operation, as demonstrated in its attack statistics. The disruption has also caused turmoil for other major gangs, resulting in payment disputes and exit scams, such as the one seen with BlackCat/ALPHV.
Furthermore, these law enforcement operations have weakened ransomware affiliates’ trust in RaaS operators, leading many to operate independently.
“We have seen an increase in Babuk forks in recent attacks, and several former RaaS affiliates using the ubiquitous and almost free Dharma/Phobos services,” explains Coveware in the report.
According to the security firm, in many cases, affiliates have even chosen to leave cybercrime altogether.
“The majority of individuals involved in the cyber extortion ecosystem are not hardened criminals; rather, they are individuals with STEM skills residing in jurisdictions lacking both extradition treaties and sufficient legitimate economic opportunities to utilize their skills,” continues Coveware.
“Some of these individuals may view the increased risk of getting caught, along with the risk of losing their source of income, as reason enough to quit.”
In this volatile industry, Akira holds the top spot for the most active ransomware in terms of attacks launched in the first quarter of the year, maintaining its position for nine months in a row. This week, the FBI announced that Akira is responsible for breaches in at least 250 organizations and has collected $42 million in ransom payments.