Several cybersecurity advisories and agencies recommend not caving in to ransomware gangs’ demands and paying their ransoms. For a while, though, this advice didn’t stick: organizations tended to panic and pay quickly to get important systems back up and running or to avoid sensitive data being published. But it seems the tide is turning, with a decline in ransomware payments; this article explores the trend and what it might mean for ransomware tactics.
A couple of recent surveys and reports shed light on a decrease in ransomware payments. One in particular from Coveware found that while 85% of ransomware victims paid the ransom in early 2019, that figure dropped to just 29% paying up by late 2023. That’s a huge reduction that comes down to the interplay of several contributing factors:
When you dig further into the data from the Coveware report, the median payment sum remains stable, even though the payment rate is steeply declining. So, gangs are still out there attacking businesses with ransomware, and they still have the potential to land a hefty payday.
It’s a bit early to assume that ransomware gangs will disappear just because fewer companies pay up. When picking the right targets, the stable median payment amount shows that there’s still money to be made. Here are some ways ransomware gangs’ tactics might evolve in response to declining ransomware payment rates.
Expect to see more gangs exfiltrating data rather than merely encrypting it. This data theft holds the potential for more likely payouts because victims face the binary choice of retaining the confidentiality of sensitive information or having it published online. An exception might come in industries where the availability of systems takes precedence over information confidentiality (e.g., manufacturing).
Given ransomware gangs’ general lack of moral compass, an obvious potential evolution is for threat actors to more aggressively extort victims and increase the odds of getting paid. Multi-layer extortion is a label that security researchers like to put on any extra layer of a ransom extortion effort. Still, whatever you want to call it, aggressive harassment seems a likely tactic. This will probably involve directly contacting customers or employees whose data has been encrypted or stolen and outlining the threats to them of having their data published. This will result in increased pressure on the organization to pay.
Ransomware groups may spend more time researching and targeting specific industries or organizations they believe are more likely to pay. This could involve focusing on critical infrastructure sectors or tweaking the types of ransomware attacks based on different industries (e.g., using exfiltration against targets with highly sensitive data while focusing more traditional ransomware attacks against companies in industries with low downtime tolerances).
Ransomware code is often straightforward for security researchers to reverse engineer and inspect to see what it does. Modernizing ransomware code could involve several strategies aimed at improving the effectiveness, stealth and impact of attacks. One example is to use more evasive encryption, like intermittent encryption, which only partly encrypts each file and is harder to detect. Another possible tactic is developing ransomware in more secure languages like Rust, making it harder to analyze how it behaves.
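To show why intermittent encryption is harder to spot with a whole-file check, and how a defender can still catch it, here is an added example (not code from the original article or from Nuspire). It builds a constructed sample file in which the first 1 KiB of every 8 KiB segment has been replaced with random bytes as a stand-in for partially encrypted content, then compares whole-file Shannon entropy against a per-chunk scan; the chunk size and threshold are assumed values.

```python
import math
import random
from collections import Counter

CHUNK = 1024          # scan granularity in bytes (assumed value)
HIGH_ENTROPY = 7.5    # bits/byte; values near 8.0 look random/encrypted (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_chunks(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY):
    """Return (whole-file entropy, indices of chunks at or above the threshold).

    A whole-file threshold misses a file that is mostly plaintext with a few
    encrypted stripes; scanning fixed-size chunks flags those stripes directly.
    """
    flagged = [
        i // chunk
        for i in range(0, len(data), chunk)
        if shannon_entropy(data[i:i + chunk]) >= threshold
    ]
    return shannon_entropy(data), flagged


def build_sample(segments: int = 8, seed: int = 1234) -> bytes:
    """Constructed sample: repeated plaintext where the first 1 KiB of every
    8 KiB segment is overwritten with seeded random bytes (stand-in for the
    encrypted stripes an intermittent-encryption scheme leaves behind)."""
    rng = random.Random(seed)
    sentence = b"Quarterly revenue figures and customer contact details. "
    plain = (sentence * (8192 // len(sentence) + 1))[:8192]
    parts = []
    for _ in range(segments):
        stripe = bytes(rng.getrandbits(8) for _ in range(CHUNK))
        parts.append(stripe + plain[CHUNK:])
    return b"".join(parts)


if __name__ == "__main__":
    whole, flagged = scan_chunks(build_sample())
    print(f"whole-file entropy: {whole:.2f} bits/byte (below {HIGH_ENTROPY}, not flagged)")
    print(f"high-entropy chunks: {flagged} of 64 (flagged by per-chunk scan)")
```

Whole-file entropy for the sample stays well under the threshold while the chunk scan flags exactly the eight overwritten stripes, so a detector that only scores entire files would not notice the partial encryption.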
There could be an increase in attempts to recruit or exploit insiders to facilitate ransomware attacks and even increase the impetus to pay up. This could involve bribing employees for access or exploiting disgruntled employees.
While it’s encouraging to see declining ransomware payments, this doesn’t mean the threat is diminishing. On the contrary, as ransomware gangs evolve their tactics and become more aggressive, the threat landscape becomes even more complex. Modern ransomware can infiltrate individual endpoints and entire cloud infrastructures, which calls for a comprehensive and proactive approach to cybersecurity across endpoints, networks and cloud environments.
Nuspire’s managed detection and response (MDR) provides you with a team of dedicated cyber experts who monitor and respond 24/7 across your cloud, network and endpoints to stay one step ahead of ransomware attackers.