Ransomware payments are going down as more victims decide not to pay up

A higher percentage of ransomware victims are choosing not to give into ransom demands - but don't think that ransomware is going away any time soon.
Written by Danny Palmer, Senior Writer

The average ransom paid to cyber criminals following a ransomware attack is falling as more companies become reluctant to give into extortion demands.

Analysis by cybersecurity company Coveware has found that the average ransom payment paid following a ransomware attack decreased by a third in the final quarter of 2020, dropping to $154,108 from $233,817 during the previous three months.

The company attributes the drop in the average ransom payment to victims choosing not to give into demands to pay bitcoin in exchange for the decryption key, which the criminals claim will restore the network to working order.

SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)    

While it's positive that a higher percentage of these victims are choosing not to pay cyber criminals, there's still a large number of organisations that do give in – allowing ransomware to continue to be successful, even if those behind attacks have been making slightly less money. However, it might be enough for some ransomware operators to consider if the effort is worth it.

"When fewer companies pay, regardless of the reason, it causes a long-term impact, that compounded over time can make a material difference in the volume of attacks," said a blog post by Coveware.

The rise in organisations choosing not to give into extortion tactics around ransomware has also led the gangs to change their tactics, as shown by the increase in ransomware attacks where criminals threaten to leak stolen data if the victim doesn't pay. According to Coveware, these accounted for 70% of ransomware attacks in the final three months of 2020 – up from 50% during the previous three months.

However, while almost three-quarters of organisations threatened with data being published between July and September paid ransoms, that dropped to 60% for organisations who fell victim between October and December.

Researchers note that even if the ransom is paid, there's no guarantee that criminals will delete the data, and instead they may use it for some other malicious purposes, something which organisations might be considering when making a decision over payment.

And, as cybersecurity companies and law enforcement agencies warn, any payment made following a ransomware attack just motivates the criminals to continue attacks.

Ransomware also continues to be a success because cyber criminals are able to successfully breach insecure networks in order to lay down the foundations of attacks.

Phishing emails and exploitation of Remote Desktop Protocol (RDP) are the most common methods for ransomware attacks to enter networks. While a phishing email relies on victims opening malicious documents or links to set the attack in motion, RDP doesn't need an individual in the victim organisation to be involved at all, because attackers are able to abuse leaked credentials.

SEE: Ransomware victims aren't reporting attacks to police. That's causing a big problem

In both of these cases, the ransomware is finding a way into networks because cyber criminals are exploiting security vulnerabilities. Applying security patches to prevent malicious hackers using known vulnerabilities can go a long way to stopping malware being executed on the network.

Using tools like two-factor authentication can help prevent attackers gaining a foothold on the network, because even if they have the right login credentials, it's much harder to exploit them.

Meanwhile, regularly updating offline backups also provides organisations that do fall victim to ransomware attacks with a means of restoring the network without rewarding criminals.


Editorial standards